
Supplemental Document: Release Information: Hotfixes: BIG-IP 11.6.0

Original Publication Date: 05/24/2017

BIG-IP Hotfix Release Information

Version: BIGIP-11.6.0
Build: 482.0
Hotfix Rollup: 8

Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-4 CVE-2016-5745 SOL64743453 CGNAT: NAT64 vulnerability CVE-2016-5745
599168-4 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-4 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-9 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
569467-11 CVE-2016-2084 SOL11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
596603-11 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
547047 2-Critical Older cli-tools unsupported by AWS
595874-4 3-Major Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
556277-6 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
499537-3 3-Major Qkview may store information in the wrong format


Local Traffic Manager Fixes

ID Number Severity Description
557645-5 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
591857 1-Blocking 10-core vCMP guest with ASM may not pass traffic



Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
532522-3 CVE-2015-1793 SOL16937 CVE-2015-1793
536984 CVE-2015-8240 SOL06223540 Ensure min_path_mtu is functioning as designed.
536481-9 CVE-2015-8240 SOL06223540 F5 TCP vulnerability CVE-2015-8240
534630-5 CVE-2015-5477 SOL16909 Upgrade BIND to address CVE 2015-5477
530829 CVE-2015-5516 SOL00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-5 CVE-2015-4620 SOL16912 BIND Vulnerability CVE-2015-4620
527799-9 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 SOL16674 SOL16915 SOL16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-1 CVE-2015-1788 SOL16938 CVE-2015-1788 : OpenSSL Vulnerability
506034-3 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 SOL16393 NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
540849-5 CVE-2015-5986 SOL17227 BIND vulnerability CVE-2015-5986
540846-5 CVE-2015-5722 SOL17181 BIND vulnerability CVE-2015-5722
520466-2 CVE-2015-3628 SOL16728 Ability to edit iCall scripts is removed from resource administrator role
516618-5 CVE-2013-7424 SOL16472 glibc vulnerability CVE-2013-7424
526514-1 CVE-2016-3687 SOL26738102 Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
513382-1 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 SOL16317 Resolution of multiple OpenSSL vulnerabilities
522878-1 CVE-2016-3686 SOL82679059 Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.
515345-1 CVE-2015-1798 SOL16505 NTP Vulnerability


Functional Change Fixes

ID Number Severity Description
502443-4 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-5 3-Major Edge client contains multiple duplicate entries in server list
498992-6 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
224903-5 3-Major CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.


TMOS Fixes

ID Number Severity Description
544980-3 1-Blocking BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
535806-2 1-Blocking Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
507312-1 1-Blocking icrd segmentation fault
477218-5 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
473033-5 1-Blocking Datastor Now Uses Syslog-ng
529510-2 2-Critical Multiple Session ha state changes may cause TMM to core
523434 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
513454-3 2-Critical An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
510979-1 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
509503-4 2-Critical tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
507602-1 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
506199-4 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
504496-3 2-Critical AAA Local User Database may sync across failover groups
497078-1 2-Critical Modifying an existing ipsec policy configuration object might cause tmm to crash
493791-2 2-Critical iApps do not support FQDN nodes
479460-5 2-Critical SessionDb may be trapped in wrong HA state during initialization
473105 2-Critical FastL4 connections reset with pva-acceleration set to guaranteed
471860-3 2-Critical Disabling interface keeps DISABLED state even after enabling
470813-1 2-Critical Memory corruption in f5::rest::CRestServer::g_portToServerMap
468473-2 2-Critical Monitors with domain username do not save/load correctly
464870-7 2-Critical Datastor cores and restarts.
438674-5 2-Critical When log filters include tamd, tamd process may leak descriptors
429018-2 2-Critical tmipsecd cores when deleting a non-existing traffic selector
420107-2 2-Critical TMM could crash when modifying HTML profile configuration
364978-1 2-Critical Active/standby system configured with unit 2 failover objects
544888-5 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
534251-1 3-Major Live update with moving config breaks password-less ssh access
533458-4 3-Major Insufficient data for determining cause of HSB lockup.
533257-2 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
530773 3-Major per-request policy logs frequently in apm logs
529640 3-Major Improvements in building Cloud images
528881 3-Major NAT names with spaces in them do not upgrade properly
528310 3-Major Upgrade failure when CertKeyChain exists in non-Common partition
527537 3-Major CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled
527145-4 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527094-1 3-Major iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.
527021-1 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
526419-1 3-Major Deleting an iApp service may fail
524791-3 3-Major non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0
524753-1 3-Major IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip
524490-4 3-Major Excessive output for tmsh show running-config
524326-4 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
523922-4 3-Major Session entries may timeout prematurely on some TMMs
523125 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
520640-2 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519510-3 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519372 3-Major vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.
519068-3 3-Major device trust setup can require restart of devmgmtd
518283 3-Major Cookie rewrite mangles 'Set-Cookie' headers
518039-1 3-Major BIG-IQ iApp statistics corrected for partition use cases
517580-3 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
517178-2 3-Major BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions
516669-1 3-Major Rarely occurring SOD core causes failover.
515667-4 3-Major Unique truncated SNMP OIDs.
514726-4 3-Major Server-side DSR tunnel flow never expires
514724-1 3-Major crypto-failsafe fail condition not cleared when crypto device restored
513916-5 3-Major String iStat rollup not consistent with multiple blades
513294-8 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
510159-1 3-Major Outgoing MAP tunnel statistics not updated
510119-4 3-Major HSB performance can be suboptimal when transmitting TSO packets.
509782-3 3-Major TSO packets can be dropped with low MTU
509504-5 3-Major Excessive time to save/list a firewall rule-list configuration
509037-1 3-Major BIG-IP system allows creating wild-card IPIP tunnels with the same local-address and tunnel-type
507853-1 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
507575-1 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
506041-2 3-Major Folders belonging to a device group can show up on devices not in the group
505045-1 3-Major MAP implementation not working with EA bits length set to 0.
504494-2 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
502238-3 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501437-3 3-Major rsync daemon does not stop listening after configsync-ip set to none
500234-4 3-Major TMM may core during failover due to invalid memory access in IPsec components
499260-3 3-Major Deleting trust-domain fails when standby IP is in ha-order
497564-2 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
497304-1 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495526-1 3-Major IPsec tunnel interface causes TMM core at times
493246-2 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
493213-1 3-Major RBA eam and websso daemons segfaulting while provisioning
491716-2 3-Major SNMP attribute type incorrect for certain OIDs
491556-7 3-Major tmsh show sys connection output is corrected
489084-1 3-Major Validation error in MCPD for FQDN nodes
484706-2 3-Major Incremental sync of iApp changes may fail
483104-3 3-Major vCMP guests report platform type as 'unknown'
481648-8 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
480679-1 3-Major The big3d daemon does not receive config updates from mcpd
473348-6 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
473088-4 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
470756-6 3-Major snmpd cores or crashes with no logging when restarted by sod
468837-5 3-Major SNAT translation traffic group inheritance does not sync across devices
464252-2 3-Major Possible tmm crash when modifying html pages with HTML profile.
464024-4 3-Major File descriptor leak when running some TMSH commands through scriptd
458104-3 3-Major LTM UCS load merge trunk config issue
455264-3 3-Major Error messages are not clear when adding member to device trust fails
442871-1 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
441297-3 3-Major Trunk remains down and interface's status is 'uninit' after mcpd restart
416388-1 3-Major vCMPD will not reattach to guest
410398-3 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
405752-1 3-Major Monitors sourced from specific source ports can fail
383784-5 3-Major Remote Auth user names containing blank space cannot login through TMSH.
362267-3 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-6 3-Major Pools in HA groups other than Common
355661-3 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
524606-1 4-Minor SELinux violations prevent cpcfg from touching /service/mcpd/forceload
524185 4-Minor Unable to run lvreduce
523863-2 4-Minor istats help not clear for negative increment
492163-3 4-Minor Applying a monitor to pool and pool member may cause an issue.
475647-2 4-Minor VIPRION Host PIC firmware version 7.02 update
473163-2 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
465675-3 4-Minor Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
465317-1 4-Minor Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot.
464043-3 4-Minor Integration of Firmware for the 2000 Series Blades
443298-2 4-Minor FW Release: Incorporate VIPRION 2250 LOP firmware v1.20
356658-2 5-Cosmetic Message logged when remote authenticated users do not have local account login


Local Traffic Manager Fixes

ID Number Severity Description
522784-2 1-Blocking After restart, system remains in the INOPERATIVE state
420341-6 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
552937-1 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
539344-1 2-Critical SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list
538255 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
533388-1 2-Critical tmm crash with assert "resume on different script"
531576-1 2-Critical tmm memory leak in traffic handling
530963-4 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
528432-2 2-Critical Control plane CPU usage reported too high
523079-2 2-Critical Merged may crash when file descriptors exhausted
514108-1 2-Critical TSO packet initialization failure due to out-of-memory condition.
510837-2 2-Critical Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.
509346-2 2-Critical netHSM-caused timeout may trigger chassis failover which may fail all blades
506304-2 2-Critical UDP connections may stall if initialization fails
505331-1 2-Critical SASP Monitor may core
505222-2 2-Critical DTLS drops egress packets when traffic is large
503343-7 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
499422-1 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
497299-5 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
492352-3 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
481677-2 2-Critical A possible TMM crash in some circumstances.
481162-2 2-Critical vs-index is set differently on each blade in a chassis
474601-5 2-Critical FTP connections are being offloaded to ePVA
450814-10 2-Critical Early HTTP response might cause rare 'server drained' assertion
431283-7 2-Critical iRule binary scan may core TMM when the offset is large
426328-8 2-Critical Updating iRule procs while in use can cause a core
402412-8 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
551612 3-Major BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.
530431 3-Major FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts
526810-5 3-Major Crypto accelerator queue timeout is now adjustable
525557 3-Major FQDN ephemeral nodes not re-populated after deleted and re-created
524666-3 3-Major DNS licensed rate limits might be unintentionally activated.
522147-2 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
521774-3 3-Major Traceroute and ICMP errors may be blocked by AFM policy
521538-2 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-3 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-3 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-1 3-Major Specific iRule commands may generate a core file
518020-11 3-Major Improved handling of certain HTTP types.
517790-1 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517556-3 3-Major DNSSEC unsigned referral response is improperly formatted
516598-1 3-Major Multiple TCP keepalive timers for same Fast L4 flow
516320-2 3-Major TMM may have a CPU spike if match cross persist is used.
515817-2 3-Major TMM may not reset connection when receiving an ICMP error
515322-1 3-Major Intermittent TMM core when using DNS cache with forward zones
515072-4 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514246-3 3-Major connflow_precise_check_begin does not check for NULL
512383-3 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
512148-1 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
512062-2 3-Major A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510921-1 3-Major Database monitors do not support IPv6 nodes
510720-1 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes
510638-1 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529-1 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
506282-1 3-Major GTM DNSSEC keys generation is not synchronized upon key creation
505059-1 3-Major Some special characters are not properly handled for username and password fields in TCL monitors
504899-2 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504306-2 3-Major https monitors might fail to re-use SSL sessions.
504105-4 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
503979-1 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503384-1 3-Major SMTP monitor fails on multi line greeting banner in SMTP server
501516-5 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497742-3 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
496758-5 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
495836-2 3-Major SSL verification error occurs when using server side certificate.
495557-1 3-Major Ephemeral node health status may report as 'unknown' rather than the expected 'offline'
490713-3 3-Major FTP port might occasionally be reused faster than expected
490429-2 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
488600-2 3-Major iRule compilation fails
488581 3-Major The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event
485472-3 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
479674-1 3-Major bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
478617-6 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-6 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-7 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-1 3-Major TCP Server MSS option is ignored in verified accept mode
474356-1 3-Major Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain
471059-4 3-Major Malformed cookies can break persistence
465607-7 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when using FastHTTP.
465590-9 3-Major Mirrored persistence information is not retained while flows are active
465052-6 3-Major Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
462714-2 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-3 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
447874-5 3-Major TCP zero window suspends data transfer
447043-3 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
422107-8 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-5 3-Major Low memory condition caused by Ram Cache may result in TMM core
375887-4 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
374339-4 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
364994-7 3-Major TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
352925-2 3-Major Updating a suspended iRule and TMM process restart
348000-1 3-Major HTTP response status 408 request timeout results in error being logged.
342013-6 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
226892-13 3-Major Packet filter enabled, default action discard/reject and IP fragment drop
486485-1 4-Minor TCP MSS is incorrect after ICMP PMTU message.
454692-4 4-Minor Assigning 'after' object to a variable causes memory leaks
442647-5 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits


Global Traffic Manager Fixes

ID Number Severity Description
515797-1 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
513464-1 2-Critical Some autodiscovered virtuals may be removed from pools.
471819-2 2-Critical The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
517083-1 3-Major Some autodiscovered virtuals may be removed from pools.
516685-2 3-Major ZoneRunner might fail to load valid zone files.
516680-2 3-Major ZoneRunner might fail when loading valid zone files.
515033 3-Major [ZRD] A memory leak in zrd
515030-1 3-Major [ZRD] A memory leak in Zrd
496775-3 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor
479142-1 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
465951-2 3-Major If net self description size =65K, gtmd restarts continuously
479084-1 4-Minor ZoneRunner can fail to respond to commands after a VE resume.
353556-4 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Description
524428-1 2-Critical Adding multiple signature sets concurrently via REST
524004-1 2-Critical Adding multiple signatures concurrently via REST
520280-1 2-Critical Perl Core After Apply Policy Action
513822-1 2-Critical ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page
511196-1 2-Critical UMU memory is not released when remote logger can't reach its destination
532030-3 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
531539-1 3-Major The NTLM login is not recognized as failed login.
527861 3-Major When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.
526856-1 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
523261-1 3-Major ASM REST: MCP Persistence is not triggered via REST actions
523260-1 3-Major Apply Policy finishes with coapi_query failure displayed
523201-2 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
520585-2 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
519053-1 3-Major Request is forwarded truncated to the server after answering challenge on a big request
516522-1 3-Major After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
486829-1 3-Major HTTP Protocol Compliance options should not be modified during import/upgrade
467930-1 3-Major Searching ASM Request Log for requests with specific violations
514117-1 4-Minor Store source port higher than 32767 in Request Log record


Application Visibility and Reporting Fixes

ID Number Severity Description
531526-2 3-Major Missing entry in SQL table leads to misleading ASM reports
530356-2 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
525708-1 3-Major AVR reports of last year are missing the last month data
519022-2 3-Major Upgrade process fails to convert ASM predefined scheduled-reports.
518663-1 3-Major Client waits seconds before page finishes load
499315-1 3-Major Added "Collect full URL" functionality.
485251-1 3-Major AVR core which includes tmstat backtrace
479334-5 3-Major monpd/ltm log errors after Hotfix is applied
472117-2 3-Major Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive


Access Policy Manager Fixes

ID Number Severity Description
492149-3 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
488736-5 1-Blocking Fixed problem with iNotes 9 Instant Messaging
482266-3 1-Blocking Windows 10 support for Network Access / BIG-IP Edge Client
482241-1 1-Blocking Windows 10 cannot be properly detected
439880-2 1-Blocking NTLM authentication does not work due to incorrect NetBIOS name
405769-3 1-Blocking APM Logout page is not protected against CSRF attack.
532340-1 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
526754-2 2-Critical F5unistaller.exe crashes during uninstall
525562-1 2-Critical Debug TMM Crashes During Initialization
523313-1 2-Critical aced daemon might crash on exit
520298-2 2-Critical Java applet does not work
520145-3 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-3 2-Critical Memory leak on L7 Dynamic ACL
518260-1 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-2 2-Critical TMM may crash if access profile is updated while connections are active
514220-1 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
509490-2 2-Critical [IE10]: attachEvent does not work
507681-5 2-Critical Window.postMessage() does not send objects in IE11
506223-2 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
502269-1 2-Critical Large post requests may fail using form based SSO.
493993-6 2-Critical TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module
492287-1 2-Critical Support Android RDP client 8.1.3 with APM remote desktop gateway
480272-6 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
540778-3 3-Major Multiple SIGSEGV with core and failover with no logged indicator
539013-6 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537614-1 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
537000-2 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
534755-1 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
533566-1 3-Major Support for View HTML5 client v3.5 shipped with VCS 6.2
532761 3-Major APM fails to handle compressed ICA file in integration mode
532096-2 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531910-1 3-Major apmd, apd, localmgr random crash
531883-2 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
531541-1 3-Major Support Citrix Receiver 4.3 for Windows in PNAgent mode
531529-1 3-Major Support for StoreFront proxy
531483-2 3-Major Copy profile might end up with error
530800-1 3-Major Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
530697-2 3-Major Windows Phone 10 platform detection
529392-2 3-Major Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script
528768-1 3-Major Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication
528727-1 3-Major In some cases HTML body.onload event handler is not executed via portal access.
528726-3 3-Major AD/LDAP cache size reduced
528675-2 3-Major BIG-IP EDGE Client can stay indefinitely in the "disconnecting..." state when captive portal session has expired
526677-1 3-Major VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1
526617-1 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-1 3-Major Network Access client proxy settings are not applied on German Windows
526492-2 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-1 3-Major VMware View RSA/RADIUS two factor authentication fails
526084-3 3-Major Windows 10 platform detection for BIG-IP EDGE Client
525384-2 3-Major Network Access PAC file can now be located on SMB share
524909-2 3-Major Windows info agent could not be passed from Windows 10
523431-2 3-Major Windows Cache and Session Control cannot support a period in the access profile name
523390-2 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
523327-2 3-Major In very rare cases Machine Certificate service may fail to find private key
523305-1 3-Major Authentication fails with StoreFront protocol
523222-6 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-2 3-Major [Policy Sync] Connectivity profile with a customized logo fails
521773-2 3-Major Memory leak in Portal Access
521506-2 3-Major Network Access doesn't restore loopback route on multi-homed machine
520642-3 3-Major Rewrite plugin should check length of Flash files and tags
520390-1 3-Major Reuse existing option is ignored for smtp servers
520205-3 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-2 3-Major Duplicate server entries in Server List.
519966-2 3-Major APM "Session Variables" report shows user passwords in plain text
519415-3 3-Major APM Network Access tunnel ephemeral listeners ignore iRules (related rules from the main virtual server)
519198-3 3-Major [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
518981-2 3-Major RADIUS accounting STOP message may not include long class attributes
518583-2 3-Major Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
518573 3-Major The -decode option should be added to expressions in AD and LDAP group mapping.
518432 3-Major [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation
517564-1 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-5 3-Major apd may crash when RADIUS accounting message is greater than 2K
516839-3 3-Major Add client type detection for Microsoft Edge browser
516462-2 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-2 3-Major "Session variables" report may show empty if session variable value contains non-English characters
514912-3 3-Major Portal Access scripts had not been inserted into HTML page in some cases
513969-3 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-1 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
513706-2 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
513545-1 3-Major '-decode' option produces an incorrect value when it decodes a single value
513283-1 3-Major Mac Edge Client doesn't send client data if access policy expired
513098-1 3-Major localdb_mysql_restore.sh failed with exit code
512345-2 3-Major Dynamic user record removed from memcache but remains in MySQL
512245-7 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511854-4 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
510709-1 3-Major Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
509722-1 3-Major BWC traffic blocked
509677-1 3-Major Edge-client crashes after switching to network with Captive Portal auth
504031-1 3-Major document.write()/document.writeln() redefinition does not work
501494-1 3-Major if window.onload is assigned null, then null should be retrieved
500938-3 3-Major Network Access can be interrupted if second NIC is disconnected
500450-1 3-Major ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
495336-1 3-Major Logon page is not displayed correctly when 'force password change' is on for local users.
494637-2 3-Major localdbmgr process in constant restart/core loop
494565-4 3-Major CSS patcher crashes when a quoted value consists of spaces only
493023-3 3-Major Export of huge policies might end up with 'too many pipes opened' error
492701-3 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-1 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
490830-4 3-Major Protected Workspace is not supported on Windows 10
488105-3 3-Major TMM may generate core during certain config change.
483792-5 3-Major When iSession control channel is disabled, don't assign app tunnel, MSRDP, or optimized tunnel resources
483501-1 3-Major Access policy v2 memory leak during object deletion in tmm.
483286-3 3-Major APM MySQL database full as log_session_details table keeps growing
483020-1 3-Major [SWG] Policy execution hang when using iRule event in VPE
482699-4 3-Major VPE displaying "Uncaught TypeError"
482269-8 3-Major APM support for Windows 10 out-of-the-box detection
482251-3 3-Major Portal Access. Location.href(url) support.
481987-6 3-Major Allow NTLM feature to be enabled with APM Limited license
481663-5 3-Major Disable isession control channel on demand.
480761-1 3-Major Fixed issue causing TunnelServer to crash during reconnect
478751-6 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
478492-7 3-Major Incorrect handling of HTML entities in attribute values
475735-4 3-Major Failed to load config after removing peer from sync-only group
475403-2 3-Major Tunnel reconnect with v2.02 does not occur
474779-1 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
473488-6 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
473255-3 3-Major JavaScript submit() method could be rewritten incorrectly inside a 'with' statement.
472256-3 3-Major tmsh and tmctl report unusually high counter values
472062-3 3-Major Unmangled requests when form.submit with arguments is called in the page
471117-4 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
468137-6 3-Major Network Access logs missing session ID
466745-3 3-Major Cannot set the value of a session variable with a leading hyphen.
462514-1 3-Major Support for XMLHttpRequest is extended
461189-5 3-Major Generated assertion contains HEX-encoded attributes
458450-2 3-Major The ECA process may produce a core file when processing HTTP headers
457760-5 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
452010-3 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
446860-4 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
442698-10 3-Major APD Active Directory module memory leak in exception
431467-1 3-Major Mac OS X support for nslookup and dig utilities to use VPN DNS
426209-2 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
423282-8 3-Major BIG-IP JavaScript includes can be improperly injected when a conditional comment is present
408851-7 3-Major Some Java applications do not work through BIG-IP server
402793-12 3-Major APM Network Access tunnel slows down and loses data during secure renegotiation on Linux and Mac clients
340406-10 3-Major Localization of BIG-IP Edge Client™ for Macintosh
533723-4 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
524756 4-Minor APM Log is filled with errors about failing to add/delete session entry
523158-2 4-Minor In VPE, if the LDAP server returns "cn=" (lower case), DN/group match fails
517872-1 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-6 4-Minor Edge client is missing localization of some English text in Japanese locale
510459-1 4-Minor In some cases Access does not redirect client requests
507321-3 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
497627-3 4-Minor TMM cores when using APM Network Access and no lease pool is created on the BIG-IP.
486661-3 4-Minor Network Access should provide client IP address on reconnect log records
482145-3 4-Minor Text in buttons not centered correctly for higher DPI settings
478658-6 4-Minor Window.postMessage() does not send objects
478261-2 4-Minor WinInet handle leak in Edge Client on Windows
473685-1 4-Minor Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Description
522231-3 3-Major TMM may crash when a client resets a connection
521455-2 3-Major Images transcoded to WebP format delivered to Edge browser


Wan Optimization Manager Fixes

ID Number Severity Description
497389-1 3-Major Extraneous dedup_admin core
485182-2 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition
480910 3-Major A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to establish a connection.
442884-1 3-Major TMM assert "spdy pcb initialized" in spdy_process()


Service Provider Fixes

ID Number Severity Description
521556-1 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-3 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-4 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
480311-1 3-Major ADAPT should be able to work with OneConnect
489957-5 4-Minor RADIUS::avp command fails when the AVP contains multiple attributes (VSA).
478920 4-Minor SIP::discard is not invoked for all request messages


Advanced Firewall Manager Fixes

ID Number Severity Description
524748-1 2-Critical PCCD optimization for IP address range
506286-1 2-Critical TMSH reset of DOS stats
534886-1 3-Major AFM Security checks were not being done for DNS over TCP
532022-1 3-Major tmm can crash when the reply pkt to a service flow request is a DoS pkt
531761-1 3-Major Web navigation flow may be reset when main page responds with non-HTML content
530865-2 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
526774 3-Major Search in FW policy disconnects GUI users
526277-1 3-Major AFM attack may never end on the AVR DoS overview page on a chassis-based BIG-IP
525522 3-Major Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains
523465-2 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
521763-1 3-Major Attack stopped and start messages should not have source/dst ip addresses in log messages
515112-1 3-Major Delayed ehash initialization causes crash when memory is fragmented.
510224-2 3-Major All descriptions for address-list members are flushed after the address-list was updated
509934-1 3-Major Blob activation fails due to counter revision
509919-2 3-Major Incorrect counter for SelfIP traffic on cluster
509600-1 3-Major Global rule association to policy is lost after loading config.
481706-2 3-Major AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP
533808-1 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
533336-2 4-Minor Display 'description' for port list members
528499 4-Minor AFM address lists are not sorted while trying to create a new rule.
510226-2 4-Minor All descriptions for port-list members are flushed after the port-list was updated
491165-1 4-Minor Legal IP addresses sometimes logged in Attack Started/Stopped message.
495432-2 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
545558-1 1-Blocking Send RAA when RAR is sent by PCRF and session is deleted immediately after it is created.
533929 1-Blocking PEM::subscriber info iRule command can cause TMM core
525175-1 1-Blocking Fix a crash issue when querying SSP with multi-IP.
524780-1 1-Blocking TMM crash when querying the session information
522933-1 1-Blocking diam_app_process_async_lookup may cause TMM crash
534490 2-Critical Fixed TMM crash when iRule configuration is modified.
534018-1 2-Critical Memory leak while running some of PEM::session and PEM::subscriber commands.
533734-1 2-Critical DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION
533203 2-Critical TMM may core on resuming iRule if the underlying flow has been deleted.
528715-1 2-Critical Rare TMM crash when ipother iRule parks
527016-1 2-Critical CLASSIFICATION_DETECTED iRule event results in TMM core
524374-1 2-Critical TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule
523296-1 2-Critical TMM may core when using iRule custom actions in PEM policies
519506-1 2-Critical Flows dropped with initiate data from server on virtual servers with HTTP
491771-2 2-Critical Parking command called from inside catch statement
541592-1 3-Major PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
537034 3-Major PEM: CPU spike seen when an iRule is used to update non-existent sessions
534323-1 3-Major Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
533513-1 3-Major Data plane Listener summary does not show LSN translation correctly
529414-1 3-Major PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon
528787-1 3-Major PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
528247-1 3-Major PEM: New requested units empty when used units match granted service units
528238-1 3-Major Quota Policy Added multiple times will lead to reset of Subscriber flows
527725-1 3-Major BIG-IP crash caused by PSC::ip_address iRule is fixed
527292-1 3-Major BIG-IP crash caused by PSC::user_name iRule is fixed
527289-1 3-Major TMM crashes with core when PSC::ip_address iRule is used to list IPs
527076-1 3-Major TMM crashes with core when PSC::policy iRule is used to set more than 32 policies
526786-1 3-Major Session lookup fails
526368-1 3-Major The number of IPv4 addresses per Gx session exceeds the limit of 1
526295-3 3-Major BIG-IP crashes in debug mode when using a PEM iRule to create a session with calling-station-id and called-station-id
525860-2 3-Major PEM: Duplicate sessions formed with same IP
525633-1 3-Major Configurable behavior if PCRF returns unknown session ID in middle of session.
525416-1 3-Major List of IPs in "tmsh show pem sessiondb subscriber-id" may be reversed.
524409-1 3-Major Fix TMSH show and reset-stats commands for multi-ip sessions defect.
524198-1 3-Major PEM: Invalid HSL log generated when a session with a static subscriber is deleted.
522934 3-Major Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy
522579-1 3-Major TMM memory leak when RAR messages are received from PCRF to delete non-existent sessions in PEM
522141-1 3-Major TMM cores while changing properties of PEM policies and rules.
522140-1 3-Major Multiple IP is not added through iRule after setting the state of a session to provision by iRule
521683-1 3-Major PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs
521655-2 3-Major Session hangs when trying to switch state to provisioned
504627-1 3-Major Valid RADIUS sessions deleted on no session inactivity if no subscriber traffic exists during session timeout period.
499778-1 3-Major A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs
471926-1 3-Major Static subscriber sessions lost after bigstart restart
539677-1 4-Minor The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file


Carrier-Grade NAT Fixes

ID Number Severity Description
533562-1 2-Critical Memory leak in CGNAT can result in crash
515646-1 2-Critical TMM core when multiple PPTP calls from the same client
509108-1 2-Critical CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber
494743-1 2-Critical Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-2 2-Critical Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-4 2-Critical Deterministic NAT state information incomplete for HSL log format
505097-1 3-Major lsn-pool backup-member not propagated to route table after tmrouted restart
504021-1 3-Major lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
500424-2 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
486762-1 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
480119-2 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
455020-1 3-Major RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-1 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Device Management Fixes

ID Number Severity Description
525595 1-Blocking Memory leak of inbound sockets in restjavad.
509273 2-Critical hostagentd consumes memory over time
533307 3-Major Increasing memory usage due to continual creation of authentication tokens
521272 3-Major Fixed memory leak in restjavad's Authentication Token worker


iApp Technology Fixes

ID Number Severity Description
495525-1 4-Minor iApps fail when using FQDN nodes in pools



Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
523032-6 CVE-2015-3456 SOL16620 qemu-kvm VENOM vulnerability CVE-2015-3456
513034-1 CVE-2015-4638 SOL17155 TMM may crash if Fast L4 virtual server has fragmented packets
511651-3 CVE-2015-5058 SOL17047 CVE-2015-5058: Performance improvement in packet processing.
477278-5 CVE-2014-6032 SOL15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
476157-3 CVE-2014-4341 CVE-2014-4342 SOL15547 MIT Kerberos 5 vulnerabilities CVE-2014-4341 and CVE-2014-4342
507842-2 CVE-2015-1349 SOL16356 Patch for BIND Vulnerability CVE-2015-1349
485917-3 CVE-2004-1060 SOL15792 BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
476738-1 CVE-2007-6199 SOL15549 rsync daemon may be configured to listen on a public port
430799-3 CVE-2010-5107 SOL14741 CVE-2010-5107 openssh vulnerability
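When triaging a hotfix like this one, the practical question is usually "is CVE X fixed in this build, and which solution article covers it?". The rows above are regular enough to index mechanically: fix ID, zero or more CVE tokens, one or more SOL tokens, then free text. The CVE column is not always complete (477278-5 lists only CVE-2014-6032 in the column but names CVE-2014-6033 in the description), so the description is scanned as well. The following script is an added example for this page, not an F5 tool; it assumes only the row layout shown above, and its sample input is the nine rows of this table copied verbatim:

```python
import re
from dataclasses import dataclass

# Sample input (constructed): the Vulnerability Fixes rows from the
# Hotfix 5 table above, one row per line, exactly as printed there.
SAMPLE_ROWS = """\
523032-6 CVE-2015-3456 SOL16620 qemu-kvm VENOM vulnerability CVE-2015-3456
513034-1 CVE-2015-4638 SOL17155 TMM may crash if Fast L4 virtual server has fragmented packets
511651-3 CVE-2015-5058 SOL17047 CVE-2015-5058: Performance improvement in packet processing.
477278-5 CVE-2014-6032 SOL15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
476157-3 CVE-2014-4341 CVE-2014-4342 SOL15547 MIT Kerberos 5 vulnerability CVE-2014-4342
507842-2 CVE-2015-1349 SOL16356 Patch for BIND Vulnerability CVE-2015-1349
485917-3 CVE-2004-1060 SOL15792 BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
476738-1 CVE-2007-6199 SOL15549 rsync daemon may be configured to listen on a public port
430799-3 CVE-2010-5107 SOL14741 CVE-2010-5107 openssh vulnerability
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")   # CVE identifier anywhere in text
ID_RE = re.compile(r"^\d+(-\d+)?$")        # F5 fix ID, e.g. 523032-6
SOL_RE = re.compile(r"^SOL\d+$")           # solution article, e.g. SOL16620


@dataclass
class FixRow:
    fix_id: str
    cves: list
    solutions: list
    description: str


def parse_row(line):
    """Parse one table row; return None for headers or blank lines."""
    tokens = line.split()
    if not tokens or not ID_RE.match(tokens[0]):
        return None
    fix_id = tokens[0]
    i = 1
    cves = []
    while i < len(tokens) and CVE_RE.fullmatch(tokens[i]):
        cves.append(tokens[i])
        i += 1
    solutions = []
    while i < len(tokens) and SOL_RE.match(tokens[i]):
        solutions.append(tokens[i])
        i += 1
    description = " ".join(tokens[i:])
    # The CVE column can be incomplete; pick up CVEs named only in the text.
    for cve in CVE_RE.findall(description):
        if cve not in cves:
            cves.append(cve)
    return FixRow(fix_id, cves, solutions, description)


def parse_table(text):
    """Parse all rows of a pasted Vulnerability Fixes table."""
    rows = []
    for line in text.splitlines():
        row = parse_row(line.strip())
        if row is not None:
            rows.append(row)
    return rows


def cve_index(rows):
    """Map each CVE to the list of fix rows that address it."""
    index = {}
    for row in rows:
        for cve in row.cves:
            index.setdefault(cve, []).append(row)
    return index


def is_fixed(index, cve):
    """True if the given CVE (any case) appears in the parsed hotfix table."""
    return cve.upper() in index


if __name__ == "__main__":
    idx = cve_index(parse_table(SAMPLE_ROWS))
    for cve in sorted(idx):
        for row in idx[cve]:
            print(f"{cve}: fixed by {row.fix_id}, see {', '.join(row.solutions)}")
```

Paste the Vulnerability Fixes rows from each hotfix section you care about into SAMPLE_ROWS (or read them from a file) and query the index; because the description is scanned as well as the CVE column, CVE-2014-6033 resolves to 477278-5 even though the column omits it.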


Functional Change Fixes

ID Number Severity Description
500303-3 2-Critical Virtual Address status may not be reliably communicated with route daemon
499947 2-Critical Improved performance loading thousands of Virtual Servers
497433-2 2-Critical SSL Forward Proxy server side now supports all key exchange methods.
487552-3 2-Critical triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table
361367-3 2-Critical Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O.
523803 3-Major Support two-factor authentication for Citrix Receivers in StoreFront proxy mode
512016-1 3-Major DB variable added to determine DNS UDP truncation behavior.
504348-1 3-Major iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers
502770-2 3-Major clientside and serverside command crashes TMM
495273-1 3-Major LDAP extended error info only available at debug log level which could affect Branch rules
480811-2 3-Major qkview will not collect lib directories.
474465-3 3-Major Analysis processes appear to use high CPU though not affecting data plane


TMOS Fixes

ID Number Severity Description
510393-1 1-Blocking TMM may occasionally restart with a core file when deployed VCMP guests are stopped
504490-1 1-Blocking The BIG-IP system sometimes takes longer on boot up to become Active.
468175-8 1-Blocking Intermittent outages in IPsec interop with Cisco systems
520349 2-Critical iControl portal restarts
509475 2-Critical SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later
509276-4 2-Critical VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-1 2-Critical ZebOS Route not withdrawn when VAddr/VIP down and no default pool
505323-1 2-Critical NSM hangs in a loop, utilizing 100% CPU
502675-1 2-Critical Improve reliability of LOP/LBH firmware updates
501343-3 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
495335-1 2-Critical BWC related tmm core
492458-1 2-Critical BIOS initial release
487233-1 2-Critical vCMP guests are unable to access NTP or RSYNC via their management network.
484733-4 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
477281-4 2-Critical Improved XML Parsing
474751-1 2-Critical IKEv1 daemon crashes when flushing SAs
474323 2-Critical ePVA IPv6 feature is not available
467646 2-Critical IDE DMA timeouts can result in stuck processes
467196-5 2-Critical Log files limited to 24 hours
466266-1 2-Critical In rare cases, an upgrade (or a restart) can result in an Active/Active state
460730-7 2-Critical On systems with multiple blades, large queries can cause TMM to restart
452293-4 2-Critical Tunneled Health Monitor traffic fails on Standby device
445911-6 2-Critical TMM fast forwarded flows are offloaded to ePVA
430323-4 2-Critical VXLAN daemon may restart when 8000 VXLAN tunnels are configured
422460-8 2-Critical TMM may restart on startup/config-load if it has too many objects to publish back during config load
376120-4 2-Critical tmrouted restart after reconfiguration of previously deleted route domain
519877 3-Major External pluggable module interfaces not disabled correctly.
516073 3-Major Revised AWS Setup Guide
514450-4 3-Major VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
512485-3 3-Major Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
510597-3 3-Major SNAT Origin Address List is now stored correctly when first created
507461-6 3-Major Net cos config may not persist on HA unit following staggered restart of both HA pairs.
507327-1 3-Major Programs that read stats can leak memory on errors reading files
506281 3-Major F5 Internal tool change to facilitate creating Engineering Hotfixes.
505878 3-Major Configuration load failure on secondary blades may occur when the chassis is rebooted
504572-4 3-Major PVA accelerated 3WHS packets are sent in wrong hardware COS queue
503875-1 3-Major Configure bwc policy category max rate
503604-3 3-Major Tmm core when switching from interface tunnel to policy based tunnel
501953-2 3-Major HA failsafe triggering on standby device does not clear next active for that device.
501371-4 3-Major mcpd sometimes exits while doing a file sync operation
495862-1 3-Major Virtual status becomes yellow and gets connection limit alert when all pool members forced down
494978-1 3-Major The hostagentd daemon should not be running in non-vcmp mode.
494367-2 3-Major HSB lockup after HiGig MAC reset
491791-3 3-Major GET on non-existent pool members does not show error
490414-1 3-Major /shared/vmisolinks present on systems running versions where block-devices are not present
489750-3 3-Major Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488916 3-Major CIDR can now be used for SNAT Origin Address List
488374-2 3-Major Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
486512-7 3-Major audit_forwarder sending invalid NAS IP Address attributes
485939-1 3-Major OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
485833-7 3-Major The mcpd process may leak memory when using tmsh to modify user attributes
484861-5 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
483762-3 3-Major Overlapping vCMP guest MAC addresses
483751-1 3-Major Internal objects can have load failures on restarted blades
483699-1 3-Major No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483683-3 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
482434 3-Major Possible performance degradation in AWS cloud
481082-2 3-Major Software auto update schedule settings can be reset during a full sync
478761-1 3-Major load sys config default does not work with iCR
477859-1 3-Major ZebOS config load may fail if password begins with numeric character
477789-4 3-Major SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
476288-1 3-Major Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473200-2 3-Major Renaming a virtual server causes unexpected configuration load failure
473037-1 3-Major BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
472365-4 3-Major The vCMP worker-lite system occasionally stops due to timeouts
471496-2 3-Major Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.
468517-5 3-Major Multi-blade systems can experience active/standby flapping after both units rebooted
464132-2 3-Major Serverside SSL cannot be disabled if Rewrite profile is attached
463715-3 3-Major syscalld logs erroneous and benign timeout messages
447075-1 3-Major CuSFP module plugged in during links-down state will cause remote link-up
440346-5 3-Major Monitors removed from a pool after sync operation
440154-3 3-Major When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object
439343 3-Major Client certificate SSL authentication unable to bind to LDAP server
436682-5 3-Major Optical SFP modules shows a higher optical power output for disabled switch ports
431634-6 3-Major tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
420204-3 3-Major FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
416292-1 3-Major MCPD can core as a result of another component shutting down prematurely
394236-3 3-Major MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
510049 4-Minor Revised BIG-IP CGNAT Implementations content
493223-3 4-Minor syscalld core dumps now keep more debugging information
490171-1 4-Minor Cannot add FQDN node if management route is not configured
477111-5 4-Minor Dual management routes in the main routing table
475592-2 4-Minor Per-core and system CPU usage graphs do not match
473517-2 4-Minor 'OID not increasing error' during snmpwalk
463959-1 4-Minor stpd attempts to connect to slots in a chassis that are empty
492422-4 5-Cosmetic HTTP request logging reports incorrect response code
466116-3 5-Cosmetic Intermittent 'AgentX' warning messages in syslog/ZebOS log files


Local Traffic Manager Fixes

ID Number Severity Description
514216 1-Blocking Internal unit test issue found by F5 testing prior to release.
511873 1-Blocking TMM core observed during SSL cert-related tmsh execution.
507490-1 1-Blocking Invalid HTTP/2 input can cause the TMM to hang
507139-1 1-Blocking Invalid HTTP/2 input can cause the TMM to hang
504225-2 1-Blocking Virtual creation with the multicast IPv6 address returns error message
488931-1 1-Blocking TMM may restart when MPTCP traffic is being handled.
520413 2-Critical Aberrant behavior with woodside TCP congestion control
516408-1 2-Critical SSL reports certificate verification OK even when verification returns failure for pcm=request.
516179-1 2-Critical Woodside falsely detects congestion
514521 2-Critical Rare TMM Cores with TCP SACK and Early Retransmit
509310-5 2-Critical Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
503620-3 2-Critical ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495875-2 2-Critical Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic
495030-1 2-Critical Segfault originating from flow_lookup_nexthop.
494319-1 2-Critical Proxy SSL caused tmm to core by dereferencing a null pointer
491030-6 2-Critical Nitrox crypto accelerator can sometimes hang when encrypting SSL records
489796-2 2-Critical TMM cores when Woodside congestion control is used.
488908-1 2-Critical In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function.
486450-2 2-Critical iApp re-deployment causes mcpd on secondaries to restart
485189-3 2-Critical TMM might crash if unable to find persistence cookie
480699-2 2-Critical HA mirroring can overflow buffer limits on larger platforms
480370-6 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
480299-1 2-Critical Delayed update of Virtual Address might not always happen.
480113-4 2-Critical Install of FIPS exported key files (.exp) causes device-group sync failure
479171-3 2-Critical TMM might crash when DSACK is enabled
478983-1 2-Critical TMM core during certificate verification against CRL
478592-1 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
476683-2 2-Critical Suspended DNS_RESPONSE events are not resumed
476599-4 2-Critical TMM may panic when resuming DNS_REQUEST iRule event
475408-1 2-Critical SSL persistence profile does not find the server certificate.
475231-5 2-Critical TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash
474974-3 2-Critical Fix ssl_profile nref counter problem.
474388-3 2-Critical TMM restart, SIGSEGV messages, and core
472585-3 2-Critical tmrouted crashes after a series of configuration changes
470191-2 2-Critical Virtual with FastL4 with loose initiation and close enabled might result in TMM core
417068-6 2-Critical Key install or deletion failure on FIPS key names longer than 32 chars on some platforms
517124 3-Major HTTP::retry incorrectly converts its input
516292-1 3-Major Incorrect handling of repeated headers
515482 3-Major Multiple teardown conditions can cause crash
514604-1 3-Major Nexthop object can be freed while still referenced by another structure
513243-1 3-Major Improper processing of crypto error condition might cause memory issues.
512490-3 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
511517-1 3-Major Request Logging profile cannot be configured with HTTP transparent profile
511130-3 3-Major TMM core due to invalid memory access while handling CMP acknowledgement
509416 3-Major Suspended 'after' commands may result in unexpected behaviors
508716-4 3-Major DNS cache resolver drops chunked TCP responses
507127-2 3-Major DNS cache resolver is inserted to a wrong list on creation.
506702-4 3-Major TSO can cause rare TMM crash.
506290-4 3-Major MPI redirected traffic should be sent to HSB ring1
505964 3-Major Invalid http cookie handling can lead to TMM core
505056-5 3-Major BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
504633-1 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
503741-2 3-Major DTLS session should not be closed when it receives a bad record.
503214-3 3-Major Under heavy load, hardware crypto queues may become unavailable.
503118-2 3-Major clientside and serverside command crashes TMM
502959-2 3-Major Unable to get a response from virtual server after node flapping
502683-3 3-Major Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502149-3 3-Major Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-3 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
499950-5 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-3 3-Major Nitrox might report bad records on highly fragmented SSL records
499478-2 3-Major Fix bug 464651 which introduced change-in-behavior for SSL server cert chains by not including the root certificate
499280-1 3-Major Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2
499150-3 3-Major OneConnect does not reuse existing connections in VIP targeting VIP configuration
498334-2 3-Major DNS express doesn't send zone notify response
498269-1 3-Major 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode
497584-2 3-Major The RA bit on DNS response may not be set
496950-1 3-Major Flows may not be mirrored successfully when static routes and gateways are defined.
496588-1 3-Major HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
495574-3 3-Major DB monitor functionality might cause memory issues
495443-4 3-Major ECDH negotiation failures logged as critical errors.
495253-1 3-Major TMM may core in low memory situations during SSL egress handling
494322-6 3-Major The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-2 3-Major DNS record data may have domain names compressed when using iRules
493140-1 3-Major Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-6 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
491518-2 3-Major SSL persistence can prematurely terminate TCP connection
491454-6 3-Major SSL negotiation may fail when SPDY profile is enabled
490817-1 3-Major SSL filter might report codec alerts repeatedly
490480-3 3-Major UCS load may fail if the UCS contains FIPS keys with names containing dot
490129-1 3-Major SMTP monitor could not create socket on IPv6 node address
488598-1 3-Major SMTP monitor on non-default route domain fails to create socket
487757 3-Major Hybrid higig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.
487592 3-Major Change in the caching duration of OCSP response when there is an error
487587-2 3-Major The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios
487554-2 3-Major System might reuse TCP source ports too quickly on the server side.
486724-3 3-Major After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails
484305-2 3-Major Clientside or serverside command with parking command crashes TMM
483539-1 3-Major With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
483353-1 3-Major HTTP compression might cause TMM crash in low-memory conditions
481880-5 3-Major SASPD monitor cores
481216-1 3-Major Fallback may be attempted incorrectly in an abort after an Early Server Response
480686-7 3-Major Packet loop in VLAN Group
480443-1 3-Major Internal misbehavior of the SPDY filter
479682-4 3-Major TMM generates hundreds of ICMP packets in response to a single packet
479176-1 3-Major TMM hangs and receives SIGABRT due to race condition during DNS db load
478840-1 3-Major Cannot delete keys in subfolders using the BIG-IP GUI
478734-5 3-Major Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
478195-4 3-Major Installation of FIPS .exp key files sets incorrect public exponent.
477375-5 3-Major SASP Monitor may core
475791-4 3-Major Ramcache profile may dispatch internal messages out-of-order leading to assert
475322-2 3-Major cur_conns number different in tmstat and snmp output.
474584-2 3-Major igbvf driver leaks xfrags when partial jumbo frame received
474226-2 3-Major LB_FAILED may not be triggered if persistence member is down
474002-4 3-Major Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
473759-1 3-Major Unrecognized DNS records can cause mcpd to core during a DNS cache query
472148-7 3-Major Highly fragmented SSL records can result in bad record errors on Nitrox based systems
471821-1 3-Major Compression.strategy "SIZE" is not working
471625-8 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
470394-2 3-Major Priority groups may result in traffic being load balanced to a single pool member.
469705-4 3-Major TMM might panic when processing SIP messages due to invalid route domain
469115-3 3-Major Management client-ssl profile does not support multiple key/cert pair.
468472-7 3-Major Unexpected ordering of internal events can lead to TMM core.
467868-3 3-Major Leak due to monitor status reporting
464651-2 3-Major Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
464163-3 3-Major Customized cert-key-chain of a client ssl profile might be reverted to its parent's.
457934-4 3-Major SSL Persistence Profile Causing High CPU Usage
456763-5 3-Major L4 forwarding and TSO can cause rare TMM outages
456413-5 3-Major Persistence record marked expired though related connection is still active
455840-7 3-Major EM analytic does not build SSL connection with discovered BIG-IP system
449891-7 3-Major Fallback source persistence entry is not used when primary SSL persistence fails
447272-2 3-Major Chassis with MCPD audit logging enabled will sync updates to device group state
444710-6 3-Major Out-of-order TCP packets may be dropped
443006-1 3-Major In low memory situations initializing the HTTP parser will cause the TMM to crash
438792-5 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
428163-3 3-Major Removing a DNS cache from configuration can cause TMM crash
384451-6 3-Major Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
503560-2 4-Minor Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
498597-5 4-Minor SSL profile fails to initialize and might cause SSL operation issues
481820-1 4-Minor Internal misbehavior of the SPDY filter
480888-2 4-Minor When Tcl parks during HTTP::collect and serverssl is present, data can be truncated
469739-4 4-Minor ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile
463696-5 4-Minor FIPS keys might not be recoverable from UCS
451224-3 4-Minor IP packets that are fragmented by TMM, the fragments will have their DF bit


Performance Fixes

ID Number Severity Description
476144-1 1-Blocking TMM generates a core file when dynamically loading a shared library.
497619-6 3-Major TMM performance may be impacted when server node is flapping and persist is used
426939-5 3-Major APM policies do not work in VIPRION 4800 chassis if there is no slot1


Global Traffic Manager Fixes

ID Number Severity Description
477240-2 2-Critical iQuery connection resets every 24 hours
468519-1 3-Major BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
491554-2 4-Minor [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Description
488306-1 1-Blocking Requests not logged locally on the device
478674-1 1-Blocking ASM internal parameters for high availability timeout were not handled correctly
516523-2 2-Critical Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
515433-1 2-Critical BD crash on specific signature sets configuration.
512616-1 2-Critical BD crash during brute force attack on cluster environment
508908-1 2-Critical Enforcer crash
507919-1 2-Critical Updating ASM through iControl REST does not affect CMI sync state
506372 2-Critical XML validation files related errors on upgrade
504182-1 2-Critical Enforcer cores after upgrade upon the first request
503169-1 2-Critical XML validation files are broken after upgrade
493401-2 2-Critical Concurrent REST calls on a single endpoint may fail
492978-1 2-Critical All blades in a cluster remain offline after provisioning ASM or FPS
487420-1 2-Critical BD crash upon stress on session tracking
486323-1 2-Critical The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation
481476-5 2-Critical MySQL performance
517245-2 3-Major A request that should be blocked was forwarded to the server
515449-1 3-Major bd agent listens on all addresses instead of the localhost only
515190-2 3-Major Event Logs -> Brute Force Attacks can't show details after navigating to another page
514093-1 3-Major Allow request logs to be filtered by destination IP
513763 3-Major Slow response from GUI when listing Event Logs
512668-1 3-Major ASM REST: Unable to Configure Clickjacking Protection via REST
512001-1 3-Major Using REST API to Update ASM Attack Signatures Fails
512000-1 3-Major Event Log Filter using Policy Group isn't accurate
511947-1 3-Major Policy auto-merge of Policy Diff
511488-1 3-Major Correlation restarting on a multi-bladed vCMP guest
511477-2 3-Major Manage ASM security policies from BIG-IQ
510499-2 3-Major System Crashes after Sync in an ASM-only Device Group.
509968-3 3-Major BD crash when a specific configuration change happens
509873-1 3-Major Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain.
509495 3-Major A TMM memory leak when HTTP protocol security enabled profile and no AFM license
508519-4 3-Major Performance of Policy List screen
508338-1 3-Major Under rare conditions cookies are enforced as base64 instead of clear text
507905 3-Major Saving Policy History during UCS load causes DB deadlock/timeout
507902-1 3-Major Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.
507289-3 3-Major User interface performance of Web Application Security Editor users
506407 3-Major Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages
506386-2 3-Major Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-1 3-Major Importing an XML file without defined entity sections
506110-1 3-Major Log flood within datasyncd.log in clustered environment
504973-1 3-Major Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
504718-2 3-Major Policy auto-merge of Policy Diff
502852-2 3-Major Deleting an in-use custom policy template
501612-4 3-Major Spurious Configuration Synchronizations
500544-1 3-Major XML validation files are not correctly imported/upgraded
498708-1 3-Major Errors logged in bd.log coming from the ACY module
498189-3 3-Major ASM Request log does not show log messages.
497769 3-Major Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496565-1 3-Major Secondary Blades Request a Sync
496264-1 3-Major SOAP Methods Were Not Being Validated For WSDL Based XML Profiles
490284-3 3-Major ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)
489648-1 3-Major Empty violation details for attack signatures
485764-5 3-Major WhiteHat vulnerability assessment tool is configured but integration does not work correctly
484079-1 3-Major Change to signature list of manual Signature Sets does not take effect.
482915-1 3-Major Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-4 3-Major BD crash when trying to report attack signatures
471103-1 3-Major Ignoring null values for parameters with different content types


Application Visibility and Reporting Fixes

ID Number Severity Description
508544-1 3-Major AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag
504414-1 3-Major AVR HTTP External log - missing fields
503683 3-Major Configuration upgrade failure due to change in an ASM predefined report name
503471-1 3-Major Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500457-1 3-Major Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash
500034-1 3-Major [SMTP Configuration] Encrypted password not shown in GUI
497681-1 3-Major Tuning of Application DoS URL qualification criteria
497376-1 3-Major Wrong use of custom XFF headers when there are multiple matches
488713-1 3-Major Corrupt memory


Access Policy Manager Fixes

ID Number Severity Description
497662-3 1-Blocking BIG-IP DoS via buffer overflow in rrdstats
517146-1 2-Critical Log ID 01490538 may be truncated
516075-6 2-Critical Linux command line client fails with on-demand cert
513795-1 2-Critical HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1
507782-1 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-2 2-Critical SIGSEGV caused by access_redirect_client_to_original_uri
497436-4 2-Critical Mac Edge Client behaves erratically while establishing network access connection
496894-1 2-Critical TMM may restart when accessing SAML resource under certain conditions.
495901-3 2-Critical Tunnel Server crash if probed on loopback listener.
493360-1 2-Critical Fixed possible issue causing Edge Client to crash during reconnect
489328-9 2-Critical Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
473092-1 2-Critical Transparent Proxy + On-Demand Cert Auth will reset
431980-1 2-Critical SWG Reports: Overview and Reports do not show correct data.
515387 3-Major Update EPSEC package to latest verified in 11.6.0 branch
514636-1 3-Major SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.
514277-1 3-Major Provide a way to enable connection bar for Citrix desktops only
513646-1 3-Major APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer
512999-1 3-Major LDAP Query may fail if user belongs to a group from foreign domain
512378-1 3-Major Changing per request policy in the middle of data traffic can cause TMM to crash
511961-1 3-Major BIG-IP Edge Client does not display logon page for FirePass
511648-2 3-Major On standby TMM can core when active system sends leasepool HA commands to standby device
511441-3 3-Major Memory leak on request Cookie header longer than 1024 bytes
509956-4 3-Major Improved handling of cookie values inside SWG blocked page.
509758-2 3-Major EdgeClient shows incorrect warning message about session expiration
509010 3-Major Adding/Deleting a local user takes 30 seconds to complete
508719-1 3-Major APM logon page missing title
508630-4 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
507899 3-Major Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
507318-3 3-Major JS error when sending message from DWA new message form using Chrome
507116-1 3-Major Web-application issues and/or unexpected exceptions.
506349-4 3-Major BIG-IP Edge Client for Mac identified as browser by APM in some cases
505797-1 3-Major Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway
505755-3 3-Major Some scripts on a dynamically loaded HTML page might not be executed.
504880-2 3-Major TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway
504606-3 3-Major Session check interval now has minimum value
503319-4 3-Major After network access is established browser sometimes receives truncated proxy.pac file
502441-5 3-Major Network Access connection might reset for large proxy.pac files.
502016-4 3-Major MAC client components do not log version numbers in log file.
501498-1 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
499620-6 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-1 3-Major Windows File Check does not work if the filename starts with an ampersand
498993-1 3-Major It is possible to get an infinite loop in LDAP Query while resolving nested groups
498782-2 3-Major Config snapshots are deleted when failover happens
498469-5 3-Major Mac Edge Client fails intermittently with machine certificate inspection
497455-1 3-Major MAC Edge client crashed during routine Network Access.
497325-1 3-Major New users cannot log in to Windows-based systems after installing BIG-IP Edge Client in certain deployments
496817-1 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495702-4 3-Major Mac Edge Client cannot be downloaded sometimes from management UI
495319-3 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-1 3-Major SAML IdP and SP configured in same access profile not supported
494176-5 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-4 3-Major APD or APMD should not assert when it can do more by logging error message before exiting.
490844-4 3-Major Some controls on a web page might stop working.
490681-1 3-Major Memcache entry for dynamic user leaks
490675-1 3-Major User name with leading or trailing spaces creates problems.
489382-7 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
487170-1 3-Major Enhanced support for proxy servers that resolve to multiple IP addresses
486597-1 3-Major Fixed Network Access renegotiation procedure
486268-1 3-Major APM logon page missing title
485355-3 3-Major Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484582-2 3-Major APM Portal Access is inaccessible.
483526-1 3-Major Rarely seen Edge Client for Mac crash on session disconnect
480817-3 3-Major Added options to troubleshoot client by disabling specific features
480242-5 3-Major APD, APMD, MCPD communication error failure now reported with error code
477898-1 3-Major Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-1 3-Major SSL profile passphrase may be displayed in clear text on the Dashboard
476038-1 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
475505-6 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474698-2 3-Major BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474582-3 3-Major Add timestamps to logstatd logs for Policy Sync
473697-6 3-Major HD Encryption check should provide an option to choose drive
473386-11 3-Major Improved Machine Certificate Checker matching criteria for FQDN case
473129-5 3-Major httpd_apm access_log remains empty after log rotation
471421-5 3-Major RAM cache eviction spikes with change of access policy lead to slow webtop rendering
471331-2 3-Major APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE
460715-5 3-Major Changes in captive portal probe URL
452464-4 3-Major iClient does not handle multiple messages in one payload.
452416-1 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
437744-4 3-Major SAML SP service metadata exported from APM may fail to import.
437743-6 3-Major Import of Access Profile config that contains ssl-cert is failing
436201-6 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-13 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
433847-1 3-Major APD crashes with a segmentation fault.
432900-9 3-Major APM configurations can fail to load on newly-installed systems
431149-6 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
416115-14 3-Major Edge client continues to use old IP address even when server IP address changed
410089-2 3-Major Linux client hangs after receiving the application data
403991-8 3-Major Proxy.pac file larger than 32 KB is not supported
510596-6 4-Minor Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
505662-1 4-Minor Signed SAML IdP/SP exported metadata contains some elements in wrong order
504461-2 4-Minor Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
485202-1 4-Minor LDAP agent does not escape '=' character in LDAP DN
482134-1 4-Minor APD and APMD cores during shutdown.
471452-2 4-Minor Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
465012-4 4-Minor Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-7 4-Minor Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-11 4-Minor MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
460427-2 4-Minor Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.
456911-3 4-Minor Add BIG-IP hostname to system's static DNS host entries
493385-6 5-Cosmetic BIG-IP Edge Client uses generic icon set even if F5 icon set is configured


WebAccelerator Fixes

ID Number Severity Description
514838-1 1-Blocking TMM Crash on Relative URL
514785-2 1-Blocking TMM crash when processing AAM-optimized video URLs
486346-3 2-Critical Prevent wamd shutdown cores
447254-1 2-Critical Core in parked transaction due to evicted stand-in document
511534-1 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
481431-1 3-Major AAM concatenation set memory leak on configuration change
467633-5 3-Major WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
488917-2 4-Minor Potentially confusing wamd shutdown error messages


Service Provider Fixes

ID Number Severity Description
486356-1 2-Critical Unable to configure a virtual with stats profile and SIP profile in 11.6.0
482436-1 2-Critical BIG-IP processing of invalid SIP request may result in high CPU utilization
478442-5 2-Critical Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message
477318-1 2-Critical Fixes possible segfault
466761-4 2-Critical Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-7 2-Critical Invalid data is merged with next valid SIP message causing SIP connection failures
512054-1 3-Major CGNAT SIP ALG - RTP connection not created after INVITE
511326-2 3-Major SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
507143-1 3-Major Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
503676-4 3-Major SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-3 3-Major TMM Core as SIP hudnode leaks
499701-1 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
472376-3 3-Major A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down
448493-10 3-Major SIP response from the server to the client gets dropped


Advanced Firewall Manager Fixes

ID Number Severity Description
515562-1 2-Critical Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
513403-1 2-Critical TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules, and log-translations is also enabled in the AFM Logging configuration.
512609 2-Critical Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
503541-2 2-Critical Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-3 2-Critical AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-3 2-Critical Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
517019-1 3-Major AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect
515187-2 3-Major Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
513565-1 3-Major AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
511406-1 3-Major Pagination issue on firewall policy rules page
505624-1 3-Major Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
503085-3 3-Major Make the RateTracker threshold a constant
502414-2 3-Major Make the RateTracker tier3 initialization number less variant.
501986-3 3-Major Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process
496278-2 3-Major Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
500449 4-Minor "Any IPv4 or IPv6" choice in sweep attack has atypical definition
497311 4-Minor Can't add an ICMPv6 type and code to a FW rule.


Policy Enforcement Manager Fixes

ID Number Severity Description
519407-1 2-Critical PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID
518967-1 2-Critical Possible error when parsing for certain URL categorization input.
508051-1 2-Critical DHCP response may return to wrong DHCP client.
506734 2-Critical Cloud lookup stress condition
506283 2-Critical 100% TPS drop when webroot cloud lookup is enabled under stress condition
505529 2-Critical wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.
505069 2-Critical Webroot cloud lookup granularity
503381-2 2-Critical SSL persistence may cause connection resets
500219-1 2-Critical TMM core if identical RADIUS Start messages are received
496976-2 2-Critical Crash when receiving RADIUS message to update PEM static subscriber.
484278-4 2-Critical BIG-IP crash when processing packet and running iRule at the same time
480544-1 2-Critical Secondary IP flows are not forwarded in multiple IP session
473680-1 2-Critical Multiple DHCP solicit packets may not succeed.
515638 3-Major 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs
512734 3-Major Socket error when Webroot cloud lookup is enabled under stress condition
511064-1 3-Major Repeated install/uninstall of policy with usage monitoring stops after second time
510811-1 3-Major PEM::info irule does not take effect if used right after PEM::session config policy irule
510721-1 3-Major PEM::enable / PEM::disable iRule errors out with an error message
509105-1 3-Major TMM cores sometimes if provisioning hold time is set to non-zero.
507753 3-Major URL categorization missed if HTTP1.0 header does not have HOST
507549-1 3-Major PEM may ignore a RAR if the target session is in the Provision-Pending state
506578 3-Major Webroot cloud lookup does not yield a category.
505986 3-Major Extra Webroot cloud lookup requests when cache is full
504028-1 3-Major Generate CCR-T first and then CCR-I if session being replaced
495913-2 3-Major TMM core with CCA-I policy received with uninstall
488166-1 3-Major Provide an option to delete the session if IP class address Limit reached when new IP being added and create a new one instead.
484095 3-Major RADIUS accounting message with multiple IPv6 prefix causes TMM crash
467106-1 3-Major Loading a UCS file after installing 11.6.0 on top of 11.5.0 fails when Gx reporting is enabled.
512663 4-Minor Added urlcatblindquery iRule command
489767 4-Minor Webroot cloud lookup support
478399-2 4-Minor PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.


Carrier-Grade NAT Fixes

ID Number Severity Description
519723 2-Critical dnatutil utility needs update because DAG changed.
494280-3 2-Critical TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
493807-5 2-Critical TMM might crash when using PPTP with profile logging enabled
482202-1 3-Major Very long FTP command may be ignored.


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
499719-1 3-Major Order Zones statistics would cause database error
475549-3 3-Major Improve security against JavaScript injection
475092 3-Major Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error.
494305-3 4-Minor [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.


Anomaly Detection Services Fixes

ID Number Severity Description
461949 2-Critical Virtual server with Portal Access and DOS profile resets connection


Traffic Classification Engine Fixes

ID Number Severity Description
513215 2-Critical Only one of the TMMs loads the classification library after an IM package upgrade
508660-1 2-Critical Intermittent TMM crash in classification library
484483-2 2-Critical TCP and UDP were classified as Unknown by classification library


Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
503237-8 CVE-2015-0235 SOL16057 CVE-2015-0235: glibc vulnerability known as Ghost
496849-1 CVE-2014-9326 SOL16090 F5 website update retrievals vulnerability
494078-4 CVE-2014-9326 SOL16090 Update Check feature can be target of man-in-the-middle attack
492368-5 CVE-2014-8602 SOL15931 Unbound vulnerability CVE-2014-8602
492367-4 CVE-2014-8500 SOL15927 BIND vulnerability CVE-2014-8500
489323-1 CVE-2015-8098 SOL43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
485812-2 CVE-2014-3660 SOL15872 libxml2 vulnerability CVE-2014-3660
484635-10 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568 SOL15722 OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568.
477274-8 CVE-2014-6031 SOL16196 Buffer Overflow in MCPQ
500088-1 CVE-2014-3571 SOL16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-1 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 SOL15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
496845-1 CVE-2014-9342 SOL15933 We fixed a vulnerability in the Tree View screen
474757-15 CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 SOL15573 OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511.
471014-14 CVE-2014-2970 CVE-2014-5139 SOL15567 OpenSSL vulnerability CVE-2014-5139


Functional Change Fixes

ID Number Severity Description
480583-1 2-Critical Support SIP/DNS DoS only for UDP packets; SIP DoS does not drop packets but counts drops
477524 3-Major Enable ssh for admin account and disable ssh for root account for Amazon deployments


TMOS Fixes

ID Number Severity Description
493275-3 1-Blocking Restoring UCS file breaks auto-sync requiring forced sync.
483436-1 1-Blocking Update 11.5.0 license files for "hourly billing" with production licenses.
482943-1 1-Blocking Cannot upgrade because of lack of root/admin access.
476126-1 1-Blocking Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC
475829-1 1-Blocking AWS - VE is locked out after live install on 2nd slot.
499880 2-Critical boot menu titles might not contain volume suffix
487567-4 2-Critical Addition of a DoS Profile Along with a Required Profile May Fail
486137-3 2-Critical License activation may not proceed if MCPD is not fully operational
484399-2 2-Critical Virtual Edition second installation slot and VMWare
478896 2-Critical Hourly Billing AMIs for 11.6.0 contain internal instead of production license
477031-2 2-Critical Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart
473641-1 2-Critical Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
497870-1 3-Major PEM configured with BWC doing pem policy changes could trigger leak
497062-1 3-Major PEM configured with BWC doing PEM policy changes could trigger leak
492809-4 3-Major Small but continuous mcpd memory leak associated with statistics.
485352-1 3-Major TMM dumps core file when loading configuration or starting up
483228-3 3-Major The icrd_child process generates core when terminating
479359-1 3-Major Loading a UCS file with no-platform-check stalls at platform check
479302-3 3-Major Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.
479152-5 3-Major Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
474172 3-Major BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone.
474166-4 3-Major ConfigSync operation failing with rarely occurring sFlow error
473409-1 3-Major Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats
468514-4 3-Major Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file
468021-3 3-Major UCS file from earlier version may not load into 11.5.0 or later image
481135-1 4-Minor The pool members of a wide IP in Link Controller cannot be modified once created
441512-4 4-Minor ConfigSync failing with sFlow error


Local Traffic Manager Fixes

ID Number Severity Description
490225-3 2-Critical Duplicate DNSSEC keys can cause failed upgrade.
484948-1 2-Critical UDP connflow may be aborted from a parked iRule in SERVER_CLOSED.
478812-2 2-Critical DNSX Zone Transfer functionality preserved after power loss
502174-4 3-Major DTLS fragments do not work for ClientHello message.
484429-4 3-Major After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.
483974-2 3-Major Unrecognized EDNS0 option may be considered malformed.
483328-4 3-Major Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'
477924-1 3-Major System can crash referencing compression provider where selection of provider has been deferred
477394-1 3-Major LTM might reset and cause out-of-ports
476281 3-Major tmm crash on uninitialized variable
475055-3 3-Major Core caused by incorrect accounting of I/O flows
472944-3 3-Major SMTPS race condition after STARTTLS may cause incorrect SMTP responses
463902-3 3-Major Hardware Compression in CaveCreek may cause excessive memory consumption.
437627-5 3-Major TMM may crash if a FastL4 virtual server receives a fragmented packet
492780-1 4-Minor Elliptic Curves Extension in ServerHello might cause failed SSL connection.


Application Security Manager Fixes

ID Number Severity Description
504232-1 2-Critical Attack signatures are not blocked after signature/set change
489705-2 2-Critical Running out of memory while parsing large XML SOAP requests
478876-2 2-Critical BIGIP with many active ASM accounts after a restart
478672-1 2-Critical Enforcer memory leak
477432-6 2-Critical Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core
475856-1 2-Critical BD may crash when enabling Base64 Decoding on Wildcard cookie
496011-1 3-Major Resets when session awareness enabled
492570-1 3-Major JavaScript error during CSRF protection
481792-1 3-Major BD may crash within HTTP payload parser.
476191-1 3-Major Bypass unicode validation on XML and JSON profiles by internal parameter
476179-1 3-Major Brute Force end attack operation mode reported as blocking while it was actually in transparent mode
475861-1 3-Major Session Awareness: Requests are reset
474430-1 3-Major Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation.
473410-1 3-Major Policy Diff on merging missing URLs
470779-1 3-Major The Enforcer should exclude session awareness violations when counting illegal requests.
469786-1 3-Major Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
450241-3 3-Major iControl error when discover ASM from EM
441239-1 3-Major Event Correlation is not enabled on vCMP guests if the disk is SSD.
438809-6 3-Major Brute Force Login


Application Visibility and Reporting Fixes

ID Number Severity Description
480350-1 2-Critical AVR and APM: TMM crashes
476336 2-Critical TMM and other daemons, such as the Enforcer, crash
475439-1 2-Critical Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
474251-1 2-Critical IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.
472969-1 2-Critical If you try to create more than 264 AVR profiles, avrd might crash.
499036 3-Major Rare cases of errors when loading data into mysql
496560-1 3-Major AVR and APM: TMM crashes (additional fixes for ID 480350)
493825-1 3-Major Upgrade failure from version 11.4.0 due to incorrect configuration being saved
489682-1 3-Major Configuration upgrade failure due to change in an ASM predefined report name
481541-1 3-Major Memory leak in monpd when LTM and AVR or ASM are provisioned
472607 3-Major VCMP: Warning messages in AVR log
467945-3 3-Major Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Description
488986-2 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
504060 2-Critical iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode
494098-6 2-Critical PAC file download mechanism race condition
485906 2-Critical TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server
485465-3 2-Critical TMM might restart under certain conditions when executing SLO.
484454-3 2-Critical Users not able to log on after failover
482833 2-Critical apd crash for missing db variable
479524-5 2-Critical If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten
477540-1 2-Critical 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon
476736-2 2-Critical APM IPv6 Network Access connection may fail in some cases
475049-1 2-Critical Missing validation of disallowing empty DC configuration list
474532-5 2-Critical TMM may restart when SLO response is received on SLO request URL (.../post/sls)
474392-1 2-Critical OS X 10.10 Yosemite support
474058-5 2-Critical When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-1 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
469960-1 2-Critical Managing apd connection from tmm
458928-5 2-Critical APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.
455284-4 2-Critical Monitor traffic rejected with ICMP message, causing node down
496449-1 3-Major APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.
496447-1 3-Major APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address.
496441-1 3-Major APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.
496440-1 3-Major APM does not apply route domain configured in visual policy editor to Java RDP connections.
494284-3 3-Major Mac Edge Client with primary language of German shows unneeded text under disconnected status.
494189-1 3-Major Poor performance in clipboard channel when copying
493487-3 3-Major Function::call() and Function::apply() wrapping does not work as expected
493164-3 3-Major flash.net.NetConnection::connect() has an erroneous security check
492238-6 3-Major When logging out of Office 365 TMM may restart
492153-2 3-Major Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.
491887-1 3-Major Changing the ending of a macro in Access Policy crashes TMM.
491478-1 3-Major EAM is a CMP plugin and spins up one thread per TMM.
491233-1 3-Major Rare deadlock in CustomDialer component
490811-5 3-Major Proxy configuration might not be restored correctly in some rare cases
490482-1 3-Major Applying Access Policy with an unused macro crashes TMM.
488892-3 3-Major JavaRDP client disconnects
487859-1 3-Major Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
485948-5 3-Major Machine Info Agent should have a fallback branch
485396 3-Major Online help about persistent cookies does not specify supported use
484847-2 3-Major DTLS cannot be disabled on Edge Client for troubleshooting purposes
484298-2 3-Major The aced process may restart in a loop
483601 3-Major APM sends a logout Bookmarked Access whitelist URL when session is expired.
483379-1 3-Major High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes
482710-4 3-Major SSLv3 protocol disabled in APM clients
482260-4 3-Major Location of Captive portal configuration registry entry in 64 bit windows is incorrect
482046-1 3-Major Old password is not verified during password change from View client.
481257-5 3-Major Information on "OPSWAT Integration Libraries V3" is missing from CTU report
481210-1 3-Major Active Directory Query doesn't populate all values of multi-value attributes
481203-5 3-Major User name case sensitivity issue
481046-5 3-Major F5_Inflate_text(o, incr, v) wrapper need to be fixed for case when o is script tag
481020-1 3-Major Traffic does not flow through VPN tunnel in environments where the proxy server is load balanced
480995-1 3-Major APM client components are not using extended logging by default.
480247-5 3-Major Modifying edge client application folder causes gatekeeper to throw warning
480047-1 3-Major BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface.
479451-1 3-Major Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478491 3-Major Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0
478333 3-Major Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions
478285-2 3-Major [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access
478214-1 3-Major APM Native RDP Proxy does not allow users to authenticate without specifying a domain name.
478115-5 3-Major The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"
477841-1 3-Major Safari 8 does not use Network Access proxy.
477642-5 3-Major Portal Access rewriting leads to page reload in Firefox
477474-3 3-Major Wrong HTML rewriting at client side for very special case
477445-1 3-Major APM client improved to support two interfaces connected to the same network segment
476133-1 3-Major In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.
476033-1 3-Major APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.
476032-1 3-Major BIG-IP Edge Client may hang for some time when disconnecting from FirePass server
475770-1 3-Major Fixed routing table management for cases when 2 or more interfaces are used
475682-6 3-Major APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.
475650-5 3-Major The TMM may restart when processing single logout (SLO) messages.
475363-6 3-Major With an empty or invalid configuration, or during an exception in NTLM, handling might not work as expected.
475360-6 3-Major Edge client remembers specific virtual server URI after it is redirected
475262-1 3-Major In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting
475163-5 3-Major Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.
475148-1 3-Major Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM.
475143 3-Major CATEGORY::filetype command may cause tmm to crash and restart
474730-5 3-Major Incorrect handling of form if it contains a tag with id=action
474231-5 3-Major RAM cache eviction spikes with change of access policy, which may lead to slow webtop rendering
473728-3 3-Major Incorrect HTML form handling.
473344-6 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472825-2 3-Major The Dashboard charts may dip when a blade is rebooted.
471825-3 3-Major Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
471772-1 3-Major APM does not support VMware View application remoting.
471714-1 3-Major Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.
471125 3-Major Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.
470414-4 3-Major Portal Access rewrite daemon may crash while processing some Flash files
470225-4 3-Major Machine Certificate checker now correctly works in Internet Explorer 11
470205-2 3-Major /config/.../policy_sync_d Directory Is 100% Full
469100-5 3-Major JavaScript index expressions with a comma are not properly rewritten
468478-5 3-Major APM Portal Access becomes unresponsive.
467849-6 3-Major In some cases the user cannot reach external sites through the proxy when the VPN is connected
466877-6 3-Major When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation
466325-6 3-Major Continuous policy checks on windows might fail incorrectly in some cases
463776-2 3-Major VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3
463230-1 3-Major Aced service does not recover if child process dies.
462727-1 3-Major TMM crash when processing ACCESS::session iRule without an attached Access Policy
456403-2 3-Major Citrix Storefront native protocol
454493-1 3-Major VMWare View applications are not available on BIG-IP APM webtops
447013-4 3-Major The Citrix Client Detection process may incorrectly prompt for the installation of client software.
441355-1 3-Major Enable change password within vmview client when password doesn't meet the AD policy requirements
439518-3 3-Major Portal access resource item modifications are not synced
438730-5 3-Major DNS Filtering driver causes crash/BSOD
432102-6 3-Major HTML reserved characters not supported as part of SAML RelayState
431810-5 3-Major APMD process core due to missing exception handling in execute agents
428387-2 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
418850-1 3-Major Do not restrict AD to be the last auth agent for View Client
407350-4 3-Major Client side checks on Windows Phone 8
400726-4 3-Major No support for multi-valued attributes inside SAML assertion.
398657-8 3-Major Active Session Count graph underflow
503924-1 4-Minor Citrix receivers cannot authenticate
492844-1 4-Minor Office365 generated SAML SLO message causes browser connection to be reset.
489888-1 4-Minor Configuring VDI profile when APM is not provisioned, but does not.
489364-1 4-Minor Now web VPN client correctly minimizes IE window to tray
485760-1 4-Minor Tag <NameIDFormat> in SAML metadata may contain wrong attributes
480827-1 4-Minor Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).
480360-5 4-Minor Edge Client for Mac blocks textexpander application's functionality
478397-1 4-Minor Memory leak in BIG-IP APM Edge Client Windows API.
477138-1 4-Minor Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop
473377-5 4-Minor BIG-IP as IdP may reject AuthnRequest with specific NameID format
472216-2 4-Minor Duration counter for customized Edge Client
466797-6 4-Minor Added warning message when maximum session timeout is reached
464547-1 4-Minor Show proper error message when VMware View client sends invalid credentials to APM
450033-5 4-Minor Sometimes VMware View client 2.3 for Windows can't launch desktops via APM
447302-3 4-Minor APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
432423-5 4-Minor Need proactive alerts for APM license usage
421901-2 4-Minor The 'Restore down' button can be hidden for full-screen RDP resources.
503673-1 5-Cosmetic APM sets MRHSession cookie on /cgi/login request from Citrix Receivers
486344-2 5-Cosmetic French translation does not properly fit buttons in BIG-IP Edge client on Windows
484856-1 5-Cosmetic Citrix remote desktop visible even if the user cannot access it


Wan Optimization Manager Fixes

ID Number Severity Description
479889-5 1-Blocking Memory leaks when iSession and iControl are configured
480305-1 4-Minor tmm log flood: isession_handle_evt: bad transition:7


Service Provider Fixes

ID Number Severity Description
476886-3 3-Major When ICAP cuts off request payload, OneConnect does not drop the connection
472092-3 3-Major ICAP loses payload at start of request in response to long execution time of iRule


Advanced Firewall Manager Fixes

ID Number Severity Description
496036 1-Blocking GUI throws an error in some situations when an ASM policy is assigned to virtual server
484245-1 1-Blocking Delete firewall rule in GUI changes port settings in other rules to 'any'
498227-2 2-Critical Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342 2-Critical TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
480903-1 2-Critical AFM DoS ICMP sweep mitigation performance impact
478644 2-Critical dwbld race with mcpd causes core.
477769-1 2-Critical TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.
469512-2 2-Critical TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.
500640-1 3-Major TMM core could be seen if FLOW_INIT iRule attached to Virtual server
497732-2 3-Major Enabling specific logging may trigger other unrelated events to be logged.
497667-2 3-Major Configuring ICMPv4/ICMPv6 ip-protocol in management port ACL rules generates an error
497263-1 3-Major Global whitelist count exhausted prematurely
496498-3 3-Major Firewall rule compilation fails in a scenario where there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified.
495928-5 3-Major APM RDP connection gets dropped on AFM firewall policy change
495698-3 3-Major iRule can be deleted even though it exists in a rule-list
493234-1 3-Major Device version in AFM log message could be empty
485787-1 3-Major Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context
485771-1 3-Major TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
480826 3-Major IPs can be added for infinite duration
478816 3-Major FastL4 TCP connection transitions are not logged
477576-1 3-Major Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified
474896-1 3-Major Remote logs without attack ID and mitigation fields
442535-5 3-Major Time zone changes do not apply to log timestamps without tmm restart
429885-6 3-Major Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)
498785 4-Minor Black List Classes/Black List Categories terminology inconsistency
481189-2 4-Minor Change the default value of pccd.hash.load.factor to 25
480623 4-Minor Category defaulted to whitelist when a valid category was not specified
480196 4-Minor Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match
478631 4-Minor No validation for Shun TTL lengths


Policy Enforcement Manager Fixes

ID Number Severity Description
489754-1 2-Critical Flow based reporting attribute mismatch between TMUI and TCL
483798-1 2-Critical TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery.
481373-1 2-Critical TMM might core when deleting an entry for a user in a Radius AAA cache
472860-3 2-Critical RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
482137-1 3-Major Adding TCP iRules to PEM space
479917-1 3-Major TMM crashes if new IP address is added to a session through radius interim update message.
476705-1 3-Major TMM can crash if receiving RADIUS start or stop messages with multiple IPs but no subscriber ID.
474638-1 3-Major PEM: Session policy list may be lost if there is a RADIUS update of custom attributes
453959-3 3-Major UDP profile improvement for flexible TTL handling
481950-1 4-Minor DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4
476904-2 4-Minor App type 0 session Update Failed on PEMDB: ERR_INPROGRESS


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
482442-5 4-Minor [GTM] [GUI] Changes to a single wideip Propagates to All WIPs


Traffic Classification Engine Fixes

ID Number Severity Description
487512-1 2-Critical Enable Bittorrent classification in Qosmos by default
479450 2-Critical SSL traffic is not forwarded to destination



Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
451218-2 CVE-2014-8730 SOL15882 TLS1.x padding vulnerability CVE-2014-8730.


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
478791-1 1-Blocking Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms


Local Traffic Manager Fixes

ID Number Severity Description
488208-1 2-Critical openssl v1.0.1j.
485188-1 3-Major Support for TLS_FALLBACK_SCSV


Global Traffic Manager Fixes

ID Number Severity Description
487808-3 3-Major End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
476475 1-Blocking SSL accelerator card does not function on the BIG-IP 12250 platform.
479374-5 2-Critical Setting appropriate TX driver settings for 40 GB interfaces.
478948 2-Critical DC PSU reported as AC
477676 2-Critical HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues
473772 3-Major SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform.
473210 3-Major Chassis Temperature Status not showing Nitrox3x3 temperatures
472767-1 3-Major Adding slots to running guests with host-iso can become stuck
467693-1 3-Major sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform.
410101-3 3-Major HSBe2 falls off the PCI bus


Local Traffic Manager Fixes

ID Number Severity Description
477571-1 2-Critical HTTP/2 support.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
480931-1 CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278 SOL15629 Multiple BASH vulnerabilities - ShellShock


Functional Change Fixes

None


Cumulative fix details for BIG-IP v11.6.0 Hotfix 8 that are included in this release

600662-4 : CGNAT: NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


599168-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


598983-4 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


596603-11 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


595874-4 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.

2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.

3. To perform the installation by using the liveinstall method and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot

4. Verify the installation progress by typing the following command:

tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct
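The shell helpers below are an added example, not part of this release note and not F5 code: they parse the 'tmsh show sys software' table shown above so a deployment script can block until the target volume reports "complete" instead of re-running the command by hand. The sample output embedded in the block is constructed from the table above; the column layout (Volume Product Version Build Active Status) is assumed to be fixed, and wait_for_install assumes tmsh is on the PATH of the BIG-IP shell.

```shell
#!/bin/sh
# Added example (not F5 code). Helpers around 'tmsh show sys software'
# output; column layout assumed: Volume Product Version Build Active Status.

# Constructed sample, copied from the table in this release note.
SAMPLE_STATUS='Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct'

# volume_status <volume>: reads tmsh output on stdin and prints the Status
# column for that volume, including a trailing progress figure when present
# (e.g. "complete" or "installing 6.000 pct"). Exit 1 if the volume is absent.
volume_status() {
    awk -v vol="$1" '
        $1 == vol {
            s = $6
            for (i = 7; i <= NF; i++) s = s " " $i
            print s
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# active_volume: prints the volume marked Active=yes (the one currently booted).
active_volume() {
    awk '$1 ~ /^HD/ && $5 == "yes" { print $1 }'
}

# wait_for_install <volume> [poll-seconds] [max-polls]: on a BIG-IP, poll
# tmsh until the volume reports "complete". Assumes tmsh is on PATH; not
# exercised offline. Returns 1 on timeout or if the volume never appears.
wait_for_install() {
    vol="$1"; delay="${2:-30}"; tries="${3:-120}"
    while [ "$tries" -gt 0 ]; do
        st=$(tmsh show sys software | volume_status "$vol") || {
            echo "volume $vol not found in tmsh output" >&2; return 1; }
        [ "$st" = "complete" ] && return 0
        echo "$vol: $st"
        sleep "$delay"
        tries=$((tries - 1))
    done
    echo "timed out waiting for $vol" >&2
    return 1
}
```

Against the sample, volume_status HD1.3 prints "installing 6.000 pct" and active_volume prints HD1.1. In a scripted upgrade, wait_for_install HD1.3 lets the post-upgrade checks wait for the liveinstall to finish rather than racing it.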

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


591857 : 10-core vCMP guest with ASM may not pass traffic

Component: TMOS

Symptoms:
The TMM plugin manager does not expect or support an ASM guest configuration of 10 cores, so its calculations of the number of devices required and their numbering do not match the existing number of threads/devices.

Conditions:
11.6.0 HF6
ASM provisioned on a vCMP guest
10 CPU cores allocated to an ASM guest

Impact:
System may not start or may exhibit intermittent failures.

Workaround:
Change the number of cores on the ASM guest to use either 8 CPU cores or 12 CPU cores.

Fix:
This issue was partially fixed in 11.6.0 HF6, but the tmplugin RPM was incorrect. This fix includes the proper RPM.


580596-9 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


569467-11 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: SOL11772107


557645-5 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


556277-6 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.
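The md5sum comparison described above, as an added example that is not F5 code: a shell function that checksums the two f5_mcpd.pp files and reports whether the booted volume is carrying the previous hotfix's SELinux policy, so the check can run from a pre-install script before a hotfix is applied over a booted volume. The default paths are the two given above; the exit-code convention (0 = checksums match, so the issue will occur; 1 = they differ; 2 = a file is missing) is this example's own.

```shell
#!/bin/sh
# Added example (not F5 code): the checksum test from ID 556277 as a function.

# selinux_policy_stale [active.pp] [installed.pp]
# Returns 0 when both files have the same md5sum, which per the release note
# means the system is using the SELinux policy from the previous hotfix and
# file-object config sync will fail. Returns 1 when they differ, 2 when a
# file cannot be read.
selinux_policy_stale() {
    active="${1:-/etc/selinux/targeted/modules/active/modules/f5_mcpd.pp}"
    installed="${2:-/usr/share/selinux/targeted/f5_mcpd.pp}"
    for f in "$active" "$installed"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    a=$(md5sum "$active" | cut -d' ' -f1)
    b=$(md5sum "$installed" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
        echo "STALE: $active and $installed share md5 $a; expect ID 556277 on config sync"
        return 0
    fi
    echo "OK: SELinux policies differ ($a vs $b)"
    return 1
}
```

Run it on the booted volume before installing a hotfix over that volume; a 0 exit means to use the workaround above (base ISO then hotfix into a fresh volume) instead.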


552937-1 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the Connection: close header to the HTTP::respond response, and the connection will be closed automatically after the response.

Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


551612 : BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.

Component: Local Traffic Manager

Symptoms:
When SSL sends multiple certificate verification requests at the same time, the handshake is disconnected with 'bad certificate'.

Conditions:
SSL simultaneously sends multiple certificate verification requests.

Impact:
BIG-IP SSL does not support this case and the SSL handshake is disconnected with "bad certificate".

Workaround:
None.

Fix:
BIG-IP SSL now supports sending multiple certificate verification requests at the same time.


547047 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


545558-1 : Send RAA when RAR is sent by PCRF and session is deleted immediately after it is created.

Component: Policy Enforcement Manager

Symptoms:
BIG-IP does not send an RAA for certain sessions.

Conditions:
If a session is created, a CCR-I is sent, a CCA-I is received, and the session is then deleted immediately, the RAA for the RAR update sent by the PCRF for that session is not sent.

Impact:
The PCRF has no way of knowing why no RAA was received for the session.

Workaround:
None. This is an extremely remote scenario in which the RADIUS Start and Stop are received almost at the same time.


544980-3 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.

Component: TMOS

Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.

Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
In the current volume:

1. Modify the global_attributes file.
* The global_attributes file is located at /shared/.tmi_config; edit it with vi.

From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

2. Install version.

3. Modify the global_attributes file back to its original value.

4. Switchboot to newly installed volume.

5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728

6. Reboot.

Fix:
BIG-IP Virtual Edition now has 3 GB of disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.


544888-5 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


541592-1 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions

Component: Policy Enforcement Manager

Symptoms:
RADIUS Start and Stop do not trigger any Diameter traffic except DWR/DWA.

Conditions:
Diameter virtual server reconfiguration, and possibly any virtual server configuration change, might trigger this behavior.

Impact:
Subscriber sessions created by RADIUS are not provisioned by the PCRF. Deleted sessions and usage reports are also not reported to the PCRF.

Workaround:
Restarting TMM is the only workaround.

Fix:
The issue is fixed. Changing the Diameter configuration no longer stops CCR-I/U/T messages from being sent.


540849-5 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: SOL17227


540846-5 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: SOL17181


540778-3 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
The fix frees memory using the same length that was used for the umem_alloc allocation.


539677-1 : The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file

Component: Policy Enforcement Manager

Symptoms:
/etc/wr_urldbd/bcsdk.cfg is not included in the .ucs file when saving the configuration.

Conditions:
Using tmsh to run save sys ucs <file_name>. The /etc/wr_urldbd/bcsdk.cfg file is not saved in the resulting file.

Impact:
The URLcat webroot configuration is not included in the UCS file.

Workaround:
None.

Fix:
The tmsh save sys ucs command now saves /etc/wr_urldbd/bcsdk.cfg in the .ucs file.


539344-1 : SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list

Component: Local Traffic Manager

Symptoms:
The Traffic Management Microkernel (TMM) process may produce a core file and restart when processing SPDY traffic.

As a result of this issue, you may encounter one or more of the following symptoms:

- The BIG-IP system fails over to the standby system if configured as a high-availability pair.
- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

- You associate a virtual server with a SPDY profile.
- The virtual server processes a SPDY client connection with more than two concurrent streams.
- The SPDY client connection stalls and is subsequently aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The TMM process no longer produces a core file and restarts when a virtual server processes a SPDY client connection with more than two concurrent streams and that connection stalls and is subsequently aborted.


539013-6 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
DNS resolution now works after the VPN connection has been established on a Windows 10 desktop with multiple NICs, one of which is in a disconnected state with a statically assigned IPv4 configuration.


538255 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


537614-1 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
The Machine Certificate Checker agent fails to use the Machine Certificate Checker service on Windows when certain display languages (for example, Polish) are set.

In the failing case, the logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows with a non-English display language.
The Machine Certificate Checker is configured to use the Machine Certificate Checker service.

Impact:
The Machine Certificate Checker cannot be passed using the Machine Certificate Checker service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537034 : PEM: CPU spike seen when an iRule is used to update nonexistent sessions

Component: Policy Enforcement Manager

Symptoms:
CPU usage spikes and remains high, which eventually leads to a TMM core.

Conditions:
An iRule is used to update a nonexistent session with policies.

Impact:
CPU spike; TMM going down causes service downtime.

Workaround:
Make sure iRules are not used to update sessions that do not exist.

Fix:
The issue is fixed. No CPU spike occurs even if an iRule updates nonexistent sessions.


537000-2 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM system that supports Windows 10 can cause the OS to crash. After a reboot, the next attempt succeeds.

Conditions:
- Windows 10
- APM system supporting Windows 10
- The user installed the F5 VPN driver from an APM system that does not support Windows 10

Impact:
The user can lose some data.

Workaround:
Before connecting, old VPN driver instances must be manually removed using Device Manager.

Fix:
Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.


536984 : Ensure min_path_mtu is functioning as designed.

Vulnerability Solution Article: SOL06223540


536481-9 : F5 TCP vulnerability CVE-2015-8240

Vulnerability Solution Article: SOL06223540


535806-2 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3, then upgrade to 12.0.0.

Impact:
Unable to install 12.0.0 on the second slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increased the size of virtual disk so that there is enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE.


534886-1 : AFM Security checks were not being done for DNS over TCP

Component: Advanced Firewall Manager

Symptoms:
DNS Query Filtering and DNS DoS checks were disabled for DNS over TCP.

Conditions:
DNS over TCP and either DNS DoS configured or DNS Query filtering configured.

Impact:
The DNS Query Filtering and DNS DoS features were not applied to DNS over TCP.

Workaround:
Use DNS over UDP.

Fix:
DNS Query Filtering and DNS DoS checks are now enabled regardless of the L4 protocol.


534755-1 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When an APM virtual server is deleted on the active unit, the following error message is seen in the APM log on the standby unit:

"Failed to delete profile stats namespaces"

Conditions:
This issue happens when an APM virtual server is deleted on the active unit and the change is subsequently synced to the standby unit.

Impact:
There is no functional impact.

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534630-5 : Upgrade BIND to address CVE 2015-5477

Vulnerability Solution Article: SOL16909


534490 : Fixed TMM crash when iRule configuration is modified.

Component: Policy Enforcement Manager

Symptoms:
iRule configuration modification may result in a TMM crash.

Conditions:
When the iRule configuration is modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed a TMM crash that occurred when the iRule configuration was modified.


534323-1 : Session will be replaced rather than re-created when a new IP address is added alongside the existing IP address.

Component: Policy Enforcement Manager

Symptoms:
The session is deleted and re-created when a new IP address is added alongside the original IP address in the session.

Conditions:
This happens when an existing session is updated with a new IP address in addition to the existing IP address.

Impact:
The session is replaced when a new IP address is added alongside the existing IP address.

Fix:
The session is now replaced rather than re-created when a new IP address is added alongside the existing IP address.


534251-1 : Live update with moving config breaks password-less ssh access

Component: TMOS

Symptoms:
The authorized_keys file is changed to a link to /var/ssh/admin/authorized_keys, but the file in /var/ssh/... is not created.

Conditions:
Use a clean tmos-bugs-staging based VM. Do a live install.
Change the boot location via the GUI with 'Install Configuration' = 'Yes'.

Impact:
Breaks password-less SSH access.

Workaround:
If you save and load sys ucs before the live install, the file is created in /var/.. and successfully moved to the new volume.


534018-1 : Memory leak while running some of PEM::session and PEM::subscriber commands.

Component: Policy Enforcement Manager

Symptoms:
When running an iRule that has PEM::session info commands, memory consumption by the PEM module kept going up until the system eventually ran out of memory.

Conditions:
Create an iRule that has PEM::session info commands that run asynchronously and attach it to one of the virtual servers in use.

Impact:
System runs out of memory.

Fix:
The memory leak while executing the PEM::session info, PEM::subscriber info, PEM::session config policy, and PEM::subscriber config policy commands has been fixed. The leak occurred only when these commands ran asynchronously.


533929 : PEM::subscriber info iRule command can cause tmm core

Component: Policy Enforcement Manager

Symptoms:
Running an iRule script that contains the PEM::subscriber info command can result in a tmm core. If the command runs synchronously, the core is not observed.

Conditions:
The core occurs only if the PEM::subscriber info command runs asynchronously.

Impact:
Traffic disrupted while tmm restarts.

Fix:
PEM::subscriber info commands no longer cause tmm to core.


533808-1 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".

Conditions:
Happens only when the order is set to "before"/"after".

Impact:
Unable to create a new rule from the virtual server page


533734-1 : DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION

Component: Policy Enforcement Manager

Symptoms:
Packet traces show DHCPv6 packets arriving via an IPv6/IPv4 tunnel being forwarded to the VIP, but the packets are not forwarded to the backend server on VIPRION.

Conditions:
DHCPv6 packets arriving via an IPv6/IPv4 tunnel interface on a multi-blade VIPRION system.

Impact:
The DHCP packet is not forwarded to the backend server.

Workaround:
Use a single-blade system.

Fix:
DHCP packets that arrive from a tunnel interface are now processed on the local blade instead of being dropped.


533723-4 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
Web-application dynamically creates HTML content on the client side that contains the textarea tag.

Impact:
Web application malfunction is possible.

Workaround:
There is no workaround at this time.

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533566-1 : Support for View HTML5 client v3.5 shipped with VCS 6.2

Component: Access Policy Manager

Symptoms:
The upcoming release of VMware Horizon View Connection Server 6.2 introduces a few changes to the View HTML5 client.
This fix catches up with those changes to provide seamless support at APM side.

Conditions:
BIG-IP APM configured as PCoIP proxy and set up against VMware VCS 6.2 with HTML5 client installed.

Impact:
Launching View HTML5 client from APM webtop may not work properly.

Fix:
Added support for View HTML5 client v3.5 shipped with View Connection Server 6.2.


533562-1 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks cmp memory, resulting in crash.

'tmctl memory_usage_stat' reports very high cmp memory utilization.

Conditions:
Configure hairpin mode or inbound connection handling set to automatic.

Impact:
BIG-IP system might run out of memory and crash.

Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.

Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.


533513-1 : Data plane Listener summary does not show LSN translation correctly

Component: Policy Enforcement Manager

Symptoms:
When configuring a new data plane virtual server group with CGNAT licensed, you can select an address translation value of LSN and then select an LSN pool. This is accepted and configured correctly, but when viewing the data plane group afterwards, the address translation type shows as "{{renderSnatValue(listenerVs}}" instead of "LSN".

Conditions:
Create a CGNAT LSN pool. Create a new PEM data plane listener, set the address translation to LSN, select the pool, save, then view the resulting group summary.

Impact:
Data plane Listener summary does not show LSN translation correctly

Workaround:
None.

Fix:
Correct the UI so that it handles the LSN address translation type correctly.


533458-4 : Insufficient data for determining cause of HSB lockup.

Component: TMOS

Symptoms:
When an HSB lockup occurs only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing stats and the state of the HSB driver when the failure occurred to help diagnose the failure.

Conditions:
When an HSB lockup occurs.

Impact:
Only limited data is available for root cause analysis.

Workaround:
None.

Fix:
On HSB lockup, the system now generates a core file containing stats and the state of the HSB driver at the time of the failure, to help diagnose it.


533388-1 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving a stalled server-side TCP connection on which a RST is received and an asynchronously executing client-side iRule for the CLIENT_CLOSED event, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with the assert "resume on different script".


533336-2 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for port list members are not displayed in the GUI.

Conditions:
Create a port list with 'description' set for its members (using tmsh).

When the port list page is accessed from the GUI, the description set for the members (in tmsh) is not displayed.

Impact:
Users are not able to see the descriptions.

Workaround:
Use tmsh to view the descriptions of port list members.

Fix:
Descriptions for port list members are now displayed in the GUI.


533307 : Increasing memory usage due to continual creation of authentication tokens

Component: Device Management

Symptoms:
The AuthTokenWorker creates new indexed state objects. Some are unable to be deleted because they are shared between instances. Generations of tokens build up, however the generational scavenger only runs when disk space is tight. Restjavad can run out of memory before the scavenger ever gets to run.

Conditions:
Tokens shared between instances

Impact:
Generations of tokens build up

Workaround:
N/A

Fix:
Add another trigger to the generational scavenger such that it also triggers when memory is tight as well as when disk space is tight.


533257-2 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
A config file merge into an existing config may fail with "unknown-property" message.

Conditions:
This can occur when you are doing a config file merge. The error encountered was with a parameter called "built-in enabled".

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file, however this may result in the value for the deleted parameter not set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.


533203 : TMM may core on resuming iRule if the underlying flow has been deleted.

Component: Policy Enforcement Manager

Symptoms:
TMM may core.

Conditions:
A flow is deleted (a RST from the other end is one way this happens) while an iRule operating on that flow is parked. On resumption, the iRule accesses freed memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules that may cause parking.

Fix:
Messages are no longer forwarded if the connflow is aborted while the iRule is parked. The PEM pcb pointer is also set to NULL after it is freed.


532761 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Fix:
Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532522-3 : CVE-2015-1793

Vulnerability Solution Article: SOL16937


532340-1 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into a synchronization issue during startup initialization, causing a BIG-IP failover.

Conditions:
- SAML SSO or Form Based SSO are configured.
- TMM is in process of starting (during reboot or for any other reason).

Impact:
The BIG-IP system fails over at startup.
If tmm has started successfully, no further impact is observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532096-2 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when MatchFQDN rule is used

Conditions:
Machine Certificate checker agent uses MatchFQDN rule in Access Policy of BIG-IP version 11.4.1 and earlier.
New BIG-IP Edge Client (version greater than 11.4.1) is used against old BIG-IP.

Impact:
The Machine Certificate Checker agent may fail, and the access policy takes the wrong branch.

Fix:
Fixed issue causing Machine Certificate checker agent backward incompatibility.


532030-3 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that utilizes a custom signature set, ASM checks whether that signature set already exists on the system. If it does not, ASM creates a new set.

When a set is created via REST it does not correctly set an internal field that does get set via creation by the GUI or XML import.

This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to coordinate changes across devices using import via XML and REST calls.

Conditions:
A Custom filter-based signature set is created by the GUI and then attached to a security policy.
The security policy is exported in XML format.

On a different device an identical signature set is created via REST.
The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


532022-1 : tmm can crash when the reply pkt to a service flow request is a DoS pkt

Component: Advanced Firewall Manager

Symptoms:
tmm can crash.

Conditions:
If a service flow (or any flow that does not have a listener) sends a request out and the reply is a packet that needs to be counted towards a network DoS vector, tmm can crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't configure AFM DoS vectors.

Fix:
A crash bug in DoS protection has been fixed.


531910-1 : apmd, apd, localmgr random crash

Component: Access Policy Manager

Symptoms:
APMD, APD, and localmgr crash upon invalid mcpd request with certain DB variables.

Conditions:
This problem rarely happens: mcpd sends null DB variables (conncrtl).

Impact:
APMD, APD, and localmgr will crash.

Workaround:
There is no workaround.

Fix:
The problem was fixed by adding variable protection in the related modules.


531883-2 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the Client Type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, Client Type agent.

Impact:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.


531761-1 : Web navigation flow may be reset when main page responds with non-HTML content

Component: Advanced Firewall Manager

Symptoms:
In some web applications, the navigation flow may break (connection reset) if a main URL (for example, the login page) responds with non-HTML content, or if the response is dynamic and occasionally non-HTML.

Conditions:
Proactive Bot Defense is enabled on a DoS profile that is attached to a virtual server, and one of the main URLs of the web application (login page, home page, etc.) occasionally responds with non-HTML content, blank content, or a redirect response with no body.

Impact:
Users may experience a connection reset while navigating through the website, usually after several minutes.

Fix:
Connection resets are no longer experienced during normal navigation of a site protected by Proactive Bot Defense when one of the main pages of the web application occasionally responds with non-HTML content.


531576-1 : tmm memory leak in traffic handling

Component: Local Traffic Manager

Symptoms:
In certain scenarios TMM may suffer from a memory leak while handling certain types of TCP traffic.

Conditions:
Undisclosed conditions for packet processing.

Impact:
TMM will leak memory.

Fix:
TMM no longer leaks memory while processing certain types of TCP traffic.


531541-1 : Support Citrix Receiver 4.3 for Windows in PNAgent mode

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Windows 4.3 fails to authenticate in PNAgent mode in both integration and replacement configurations.

Conditions:
APM is configured for Citrix integration or replacement and Citrix Receiver for Windows 4.3 is used in PNAgent mode.

Impact:
Citrix Receiver for Windows 4.3 fails to authenticate.

Workaround:
Use Citrix Receiver for Windows 4.1 or 4.2.
Launch applications from Web.

Fix:
Now APM supports Citrix Receiver 4.3 for Windows in PNAgent mode.


531539-1 : The NTLM login is not recognized as failed login.

Component: Application Security Manager

Symptoms:
The NTLM login is not recognized as failed login.

Conditions:
-- An NTLM-configured login page.
-- The username arrives in UTF-16 (as curl sends it) or in another encoding that cannot be converted.
-- The login fails.

Impact:
The brute force mitigation will not work in this case.

Workaround:
None.

Fix:
This release fixes an issue regarding login pages with the NTLM authentication type.


531529-1 : Support for StoreFront proxy

Component: Access Policy Manager

Symptoms:
Citrix Receivers fail to authenticate when APM is configured in integration mode against Citrix StoreFront 3.0 in ICA patching mode.

Conditions:
APM configured in integration mode.

Impact:
StoreFront responds with an "error-bad-request" error to the ExplicitForms request from APM.

Workaround:
N/A

Fix:
Citrix StoreFront 3.0 is now supported in ICA patching proxy mode.


531526-2 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some are getting aggregated, then the aggregated activity was not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
None.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-2 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might end with an error stating that two items share the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: you need to choose a different name for the new policy.

Fix:
Issue resolved.


530963-4 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.

The following are some examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)

* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following BIG-IP platforms do not contain a Cavium SSL accelerator card:
* BIG-IP 2000 platforms
* BIG-IP 4000 platforms
* BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms. F5 does not consider this behavior a vulnerability.


530865-2 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route-domain rules were incorrectly logged by the virtual server's AFM log profile (if one exists).

This is incorrect because global and route-domain AFM rule logging has always been controlled by the global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None

Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).


530829 : UDP traffic sent to the host may leak memory under certain conditions.

Vulnerability Solution Article: SOL00032124


530800-1 : Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.

Component: Access Policy Manager

Symptoms:
OWA displays error message when trying to send new email.
The POST request is larger than 300 KB and the POST data contains a large "SCRIPT id=F5_helperDataStringsId" tag.
This makes the request data large enough to be affected by Bug502269 in SSOv2. If SSOv2 is enabled in the access policy, the request content is corrupted and the OWA server responds with '400 Bad Request' instead of sending the email.

Impact:
Users can't send messages in some versions of OWA.

Fix:
Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2.


530773 : per-request policy logs frequently in apm logs

Component: TMOS

Symptoms:
Many log messages from the per-request policy execution framework appear in the APM logs.

Conditions:
SWG is licensed and provisioned and response analytics agent is part of per-request policy.

Impact:
Excessive logging in APM, which might also impact performance.

Workaround:
Remove /Common/All-Images from Response analytics agent in per-request policy.

Fix:
Excluded content in the response analytics agent is now handled correctly, so these messages are no longer written frequently to the APM logs.


530697-2 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
Windows Phone 10 platform is not currently detected

Conditions:
A Windows Phone 10 client connecting to a BIG-IP APM system.

Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP

Fix:
Windows Phone 10 platform is detected correctly now.


530431 : FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts

Component: Local Traffic Manager

Symptoms:
After upgrading to 11.6.0 HF5, the ephemeral FQDN node lists no longer auto-populate.

Conditions:
The FQDN nodes feature is in use, DNS name servers are correctly configured, and the system is upgraded to 11.6.0 HF5.

Impact:
The FQDN nodes feature is unusable and the upgrade may have to be rolled back.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN node lists now correctly auto-populate.


530356-2 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


529640 : Improvements in building Cloud images

Component: TMOS

Symptoms:
Improvements in building Cloud images.

Conditions:
Building Cloud images.

Impact:
Internal

Workaround:
N/A

Fix:
Improvements in building Cloud images.


529510-2 : Multiple Session ha state changes may cause TMM to core

Component: TMOS

Symptoms:
The crash is caused by multiple session HA state changes in session_ha_peer_status within a very short period. On the active unit, when the peer comes back up the session HA state changes to SESSION_HA_RESEND_NEEDED. This state change requires a call to session_ha_marker_reset so that the session sweeper does not queue the session HA marker while it is already in the session HA marker queue. Queueing the marker when it is already queued corrupts the queue, which is caught by the QUEUEDEBUG_TAILQ_INSERT_TAIL macro.

Conditions:
Multiple session HA state changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
The session HA marker is now removed when the peer comes back up.


529509-5 : BIND Vulnerability CVE-2015-4620

Vulnerability Solution Article: SOL16912


529414-1 : PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon

Component: Policy Enforcement Manager

Symptoms:
Some subscriber sessions are deleted as soon as they are created, even though nothing has triggered their deletion.

Conditions:
The Fatal-Grace time is set too low, and the PCRF connection goes down for a long period and then comes back up.

Impact:
Subscriber traffic is not policed because the corresponding sessions are deleted as soon as they are created.

Workaround:
Disable the Fatal-Grace timer.

Fix:
The issue is fixed. Fatal-Grace time expiry no longer causes sessions to be deleted as soon as they are created.


529392-2 : Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not detected when a DIRECT rule in a locally configured proxy autoconfig script is used to connect to the BIG-IP system.

Conditions:
A local proxy autoconfig script with a DIRECT rule for the BIG-IP virtual server, and Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly when a local proxy autoconfig script is configured with a DIRECT rule for the BIG-IP system.


528881 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system is configured with NATs that have spaces in their names, and an upgrade is performed to 11.5.0 through 11.5.3 or to 11.6.0.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces from NAT names before upgrading. Specifically, the first character must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).
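A pre-upgrade check for the naming rule in this workaround, as an added example written for this page (not an F5 tool). It takes a list of NAT names (the sample list is constructed; on a real system the names would come from the configuration), flags every name that does not meet the character rules, and proposes a compliant replacement by turning spaces and other disallowed characters into underscores.

```python
import re

# Character rules from the workaround above: first character a letter, underscore or
# forward slash; later characters letters, digits, '.', '-', '_' or '/'.
NAT_NAME_RE = re.compile(r"^[A-Za-z_/][A-Za-z0-9._/-]*$")
DISALLOWED_CHAR_RE = re.compile(r"[^A-Za-z0-9._/-]")
ALLOWED_FIRST_RE = re.compile(r"[A-Za-z_/]")


def nat_name_is_upgrade_safe(name: str) -> bool:
    """True if the NAT name satisfies the character rules and will load after the upgrade."""
    return bool(NAT_NAME_RE.match(name))


def suggest_nat_name(name: str) -> str:
    """Propose a compliant name: spaces and other disallowed characters become '_',
    and a leading '_' is added when the first character is not allowed in that position."""
    fixed = DISALLOWED_CHAR_RE.sub("_", name)
    if not ALLOWED_FIRST_RE.match(fixed):
        fixed = "_" + fixed
    return fixed


def audit_nat_names(names):
    """Return (current name, suggested name) pairs for every name that would break the upgrade."""
    return [(n, suggest_nat_name(n)) for n in names if not nat_name_is_upgrade_safe(n)]


# Constructed sample: full-path NAT names as a pre-upgrade inventory might list them.
SAMPLE_NAT_NAMES = [
    "/Common/nat_web-1",
    "/Common/my nat",
    "/Common/db.nat",
    "/Common/1st nat",
    "legacy nat (old)",
]

if __name__ == "__main__":
    for current, suggested in audit_nat_names(SAMPLE_NAT_NAMES):
        print(f"rename before upgrade: {current!r} -> {suggested!r}")
```

Every suggested name is itself accepted by the check, so the audit output can be applied as-is; renaming is still a manual step, since a renamed NAT must also be updated anywhere else the configuration references it.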

Fix:
NAT names with spaces in them now upgrade properly.


528787-1 : PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.

Component: Policy Enforcement Manager

Symptoms:
PEM responds to the RAR with an RAA carrying the DIAMETER_SUCCESS result code even though the session has been deleted.

Conditions:
The Diameter virtual server is down, RADIUS sessions are deleted via tmsh, and then the Diameter virtual server is brought back up.

Impact:
The PCRF may be misled into believing the session still exists.

Workaround:
Have the PCRF send the RAR with at least one policy; PEM then responds with an RAA carrying the UNABLE_TO_COMPLY result code.

Fix:
PEM now sends an RAA with the UNABLE_TO_COMPLY result code if the session is marked for deletion.


528768-1 : Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication

Component: Access Policy Manager

Symptoms:
The BIG-IP system applies standard fully qualified domain name (FQDN) validation to the Active Directory server FQDN. However, Microsoft also allows non-standard FQDNs. (https://technet.microsoft.com/en-us/library/cc959336.aspx)
At the Non-RFC strictness level, Active Directory additionally allows the "_" character anywhere in the DNS name. An AD server with "_" in its DNS name cannot be used for the domain join operation that creates the machine account, or as the authentication server for NTLM authentication.

The Multibyte and Any Character strictness levels can cause problems for internal code and are not supported.

Conditions:
AD server DNS name contains "_".

Impact:
The server cannot be used for the domain join that creates the machine account, or as the target authentication server for NTLM authentication.

Workaround:
To work around the problem, you can rename the Active Directory server.

Fix:
Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.
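Strict versus Non-RFC hostname validation, as an added example written for this page (not APM's validator). It models the two levels this entry discusses: an RFC-style label (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters) and the Non-RFC level that additionally accepts "_" anywhere in a label, as the linked Microsoft article describes. The Multibyte and Any Character levels are not modeled, and the sample names are constructed.

```python
import re

# RFC-style label: letters, digits and hyphens, no leading or trailing hyphen, 1-63 characters.
LABEL_RFC = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Non-RFC (Microsoft) label: the same, but '_' is additionally allowed anywhere in the label.
LABEL_NON_RFC = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

STRICTNESS_LEVELS = {"rfc": LABEL_RFC, "non-rfc": LABEL_NON_RFC}


def validate_ad_fqdn(name: str, strictness: str = "rfc") -> bool:
    """Validate an AD server FQDN at the given strictness level ('rfc' or 'non-rfc').

    The Multibyte and Any Character levels are not modeled here (the entry says they are unsupported).
    """
    if strictness not in STRICTNESS_LEVELS:
        raise ValueError(f"unsupported strictness level: {strictness!r}")
    label_re = STRICTNESS_LEVELS[strictness]
    name = name.rstrip(".")  # tolerate a trailing dot for the DNS root
    if not name or len(name) > 253:  # 253 is the maximum length of a textual DNS name
        return False
    return all(label_re.match(label) for label in name.split("."))


def classify(name: str) -> str:
    """Report the least permissive level that accepts the name: 'rfc', 'non-rfc' or 'rejected'."""
    if validate_ad_fqdn(name, "rfc"):
        return "rfc"
    if validate_ad_fqdn(name, "non-rfc"):
        return "non-rfc"
    return "rejected"


# Constructed sample names: only the second one changes status with this fix.
SAMPLE_FQDNS = [
    "dc01.corp.example.com",
    "dc_01.corp.example.com",
    "-dc.corp.example.com",
    "dc 01.corp.example.com",
]

if __name__ == "__main__":
    for fqdn in SAMPLE_FQDNS:
        print(f"{fqdn}: {classify(fqdn)}")
```

Before this fix the RFC-level rule was the only one applied, so a name such as dc_01.corp.example.com was rejected; the relaxed rule accepts the underscore while still rejecting leading hyphens, spaces and over-long labels.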


528727-1 : In some cases HTML body.onload event handler is not executed via portal access.

Component: Access Policy Manager

Symptoms:
Internet Explorer 7 (and any newer version in compatibility mode) ignores an inline body.onload event handler if the handler has already been assigned by a previously executed script. This may prevent execution of the user-defined body.onload event handler in some cases when the page is accessed using Portal Access.

Conditions:
The problem occurs under these conditions:
Internet Explorer version 7, or a newer version in compatibility mode, and an HTML page with an inline body.onload event handler _and_ <script> or <meta> tags before the <body> tag.

Impact:
Web application may work incorrectly.

Workaround:
Rewrite the HTML page in an iRule so that the inline body.onload event handler becomes an explicit JavaScript function attached to the body.onload event with the attachEvent() call.

Fix:
Now HTML inline body.onload event handler is executed correctly in all cases if the page is accessed through Portal Access.


528726-3 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When AD or LDAP Query module built a group cache, that cache contained an unnecessary attribute that was never used.

Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528715-1 : rare tmm crash when ipother irule parks

Component: Policy Enforcement Manager

Symptoms:
Under rare conditions, TMM may crash for traffic that goes through an IPOther virtual server with an iRule that parks the data flow. It only happens if a data flow through the IPOther virtual server is aborted while an iRule is parked on that flow. When the iRule resumes, the IPOther virtual server forwards the original packet, and TMM may crash when PEM uses data of the flow that has already been freed.

Conditions:
PEM is licensed and enabled, an iRule that contains a parking command (for example, the table command) is attached to the IPOther virtual server, and data traffic through the PEM IPOther virtual server is aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid iRule commands that park in iRules attached to the IPOther virtual server. For example, some information can be retrieved with the PEM::session command instead of the table command. If a parking command must be used, this fix is required along with the fix for bug 484278.

Fix:
The crash has been fixed and should no longer be observed.


528675-2 : BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client can get stuck in the "disconnecting..." state if it connected through a captive portal session and that session has expired. This happens because the Edge Client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP Edge Client for Windows connecting to BIG-IP APM on a network with an active captive portal.
The captive portal session expires before the user terminates the active Network Access connection.

Impact:
In this condition the BIG-IP Edge Client for Windows cannot connect to the BIG-IP APM server until the client is restarted.

Workaround:
Exit and restart the BIG-IP Edge Client.

Fix:
The captive portal detection request now properly closes the HTTP connection.


528499 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
none

Fix:
AFM address lists are now sorted in the rule creation page.


528432-2 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane average and the control plane average. In certain cases, the control plane average was calculated at about double its actual value.

Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.

Impact:
Reported system CPU usage is too high. Typically, because client traffic drives data plane CPU usage, control plane usage is lower than data plane usage at normal client loads.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528310 : Upgrade failure when CertKeyChain exists in non-Common partition

Component: TMOS

Symptoms:
A pre-11.6.0 configuration may fail to load on a BIG-IP system running version 11.6.0 or later.

Conditions:
The configuration contains an SSL profile with an explicit Certificate Key Chain in a non-Common partition.

Impact:
This issue leads to a configuration load failure.

Workaround:
This issue has no workaround at this time.

Fix:
The Certificate Key Chain now inherits its partition from the parent SSL profile on creation.


528247-1 : PEM: New Requested units empty for when used units matches granted service units

Component: Policy Enforcement Manager

Symptoms:
The Requested Service Units (RSU) field in the Gy CCR-U message is empty for certain rating groups in the MSCC AVP.

Conditions:
The used service units exactly match the granted service units (extremely rare).

Impact:
An empty RSU might cause the OCS to allocate an incorrect granted service unit for the rating group.

Workaround:
Configure the OCS to ignore a zero Requested Service Unit AVP, or to use the Used Service Unit AVP when the RSU is empty.

Fix:
The issue is fixed. The RSU is no longer empty when the used service units match the Granted Service Unit AVP.


528238-1 : Quota Policy Added multiple times will lead to reset of Subscriber flows

Component: Policy Enforcement Manager

Symptoms:
Subscriber flows are reset when the session is provisioned for Gy quota management.

Conditions:
If the same policy with a quota management action is added to the session multiple times through RAR (or CCA-U), then after 32 installs any flow for the session is reset.

Impact:
Reset flows mean subscribers have trouble using the service.

Workaround:
The PCRF should ensure that the same policy is not added to a session multiple times.

Fix:
The issue is fixed. Flows are no longer reset even if the same policy is added multiple times for the subscriber.


527861 : When Many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Component: Application Security Manager

Symptoms:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Conditions:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen.

Impact:
The Configuration utility becomes unresponsive.

Workaround:
None.

Fix:
The number of entities displayed on the "Illegal Meta Character in Value" manual traffic learning screen is now capped at a realistic limit, which prevents the Configuration utility from becoming unresponsive.


527799-9 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Vulnerability Solution Article: SOL16674 SOL16915 SOL16914


527725-1 : BigIP crash caused by PSC::ip_address iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When the PSC::ip_address iRule command is used to get the IP address list for DHCP-based subscriber discovery and RADIUS Authentication messages, BIG-IP crashes and restarts.

Conditions:
The PSC::ip_address iRule command is used to get the IP address list in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
TMM restarts; traffic is disrupted while it restarts.


527630-1 : CVE-2015-1788 : OpenSSL Vulnerability

Vulnerability Solution Article: SOL16938


527537 : CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled

Component: TMOS

Symptoms:
CPU utilization is higher on 11.6 than on 11.5 when CGNAT carries the same load.

Conditions:
* CGNAT LSN pools
* A high number of concurrent connections
* Persistence set to address-port and/or inbound enabled

Impact:
Elevated CPU utilization reduces capacity.

Fix:
The sessionDB sweeper was changed to reduce the amount of work it does managing large bins.


527292-1 : BigIP crash caused by PSC::user_name iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When the PSC::user_name iRule command is used to get the user name for DHCP-based subscriber discovery and RADIUS Authentication messages, BIG-IP crashes and restarts, and the log shows garbage data.

Conditions:
The PSC::user_name iRule command is used to get the user name in DHCP-based subscriber discovery and RADIUS Authentication messages.

Impact:
TMM restarts; traffic is disrupted while it restarts.

Fix:
TMM no longer crashes when the PSC::user_name iRule command is used.


527289-1 : TMM crashes with core when PSC::ip_address iRule is used to list IPs

Component: Policy Enforcement Manager

Symptoms:
TMM crashes with a core when reading the PSC::ip_address list.

Conditions:
An iRule is used to list IP addresses after setting them with the same iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed the crash caused by the PSC::ip_address and PSC::user_name iRule commands.


527145-4 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
Daemon no longer cores on shutdown due to internal processing error.


527094-1 : iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.

Component: TMOS

Symptoms:
A GET on tm/ltm/data-group/internal/dg-name might show record entries like the following:

...
"records": [
...
    {
      "name": "triple",
      "partition": "single",
      "subPath": "double",
      "data": "three"
    },
...
  ]
}

In reality, record identifiers are not pathed, so the 'partition' and 'subPath' properties are meaningless.

Conditions:
Performing a GET operation on an internal data group, for example: GET tm/ltm/data-group/internal/dg-name.

Impact:
Misinformation in the API output. This is a cosmetic issue only. Ignore the 'partition' and 'subPath' properties.

Workaround:
None.

Fix:
iControl REST: the records collection in tm/ltm/data-group/internal/ now returns the correct data for the "name" object, and no longer returns the "partition" and "subPath" objects.


527076-1 : TMM crashes with core when PSC::policy iRule is used to set more than 32 policies

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when an iRule is used to set 32 or more policies.

Conditions:
An iRule that sets 32 or more policies.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Check added to validate number of policies contained in iRule.


527021-1 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527016-1 : CLASSIFICATION_DETECTED irule event results in tmm core

Component: Policy Enforcement Manager

Symptoms:
An iRule that uses the CLASSIFICATION_DETECTED event may cause TMM to core.

Conditions:
An LTM iRule with the CLASSIFICATION_DETECTED event whose body contains at least one iRule command that runs asynchronously.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Using the CLASSIFICATION_DETECTED irule event does not cause tmm to core.


526856-1 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.

Conditions:
A UCS file with an internal ASM signature inconsistency is installed.

Impact:
"Use of uninitialized value" warning appears in output.

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526810-5 : Crypto accelerator queue timeout is now adjustable

Component: Local Traffic Manager

Symptoms:
In order to diagnose crypto queue stuck errors, the timeout value for stuck crypto accelerator queues may now be adjusted using the crypto.queue.timeout DB variable.

The timeout value may be specified in milliseconds using the crypto.queue.timeout DB variable. The default value is 100 milliseconds.

Conditions:
This is only needed if you are getting errors in /var/log/ltm with this signature: crit tmm1[9829]: 01010025:2: Device error: crypto codec qa-crypto0-1 queue is stuck.

Impact:
Adjusting the queue timeout may help in certain configurations where SSL acceleration is the performance bottleneck.

Fix:
The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.


526786-1 : Session lookup fails

Component: Policy Enforcement Manager

Symptoms:
1. Existing session S1 is created with IP1 and IP2.

2. The session is replaced by S2 with the same IP1 and IP2 addresses; delete is called for S1.

3. IP1 is the master, so IP2 is forwarded to the remote TMM to set the mapping.

4. The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2.

5. Before the lookup completes, S2 is deleted.

6. The callback for the S2 lookup fails.

Conditions:
The remote TMM looks up the existing mapping for IP2, finds session S2, and tries to look up session S2 while S2 is being deleted.

Impact:
The session lookup callback fails.

Workaround:
N/A

Fix:
The IP mapping is now set correctly when the session being replaced is deleted.


526774 : Search in FW policy disconnects GUI users

Component: Advanced Firewall Manager

Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.

Conditions:
A wildcard search on the active rules page with many objects.

Impact:
Makes the system unusable.

Fix:
The query to search for matches was optimized to omit context objects that did not have any rules.


526754-2 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes; the crash dump points to a double free in the SGetRegistryAsString function.

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains 0 length data

Impact:
f5unistaller crashes

Workaround:
From the crash dump, F5 Product Development can determine which uninstall key (the * above) has the empty DisplayName value. Once data is placed in that DisplayName value, the defect is no longer triggered.


526677-1 : VMware Horizon HTML5 View access client can not connect when using View Connection Server running version 6.1.1

Component: Access Policy Manager

Symptoms:
When an APM and Horizon 6.1.1 deployment is configured to use an APM Full Webtop, the HTML5 client does not launch correctly. A new tab opens and the user sees an HTTP 405 error on that page.

Conditions:
View Connection Server backend is running version 6.1.1.

Impact:
HTML5 Client access will stop working.

Fix:
Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed.
 
This change breaks BIG-IP APM's HTML5 View client implementation. As such, APM users cannot use this client to access their View Desktop.

This fix implements the new View communication protocol to support launching of the View HTML5 client from an APM Full Webtop.


526617-1 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
1. Log is enabled for that ACL entry.
2. IP protocol is set to 255

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ACL logging

Fix:
TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.


526578-1 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions.
The issue reproduces reliably when the APM address is not in the Trusted Sites list.
Windows shows empty fields in proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization.
Client machine has Internet Explorer 10.
APM is not in trusted sites list or other obscure conditions.

Impact:
Network Access behaves unexpectedly: the client ignores the proxy settings.

Workaround:
Run Internet Explorer as administrator, or update to Internet Explorer 11.

Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.


526514-1 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Vulnerability Solution Article: SOL26738102


526492-2 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop
2. Static or Optimized Tunnels are used

Impact:
No access to backend servers using hostnames.

Workaround:
none

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-1 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service no longer fails with the error message:

01070712:3: Can't load node: 839 type: 4


526368-1 : The number of IPv4 addresses per Gx session exceeds the limit of 1

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when it detects the number of IPv4 addresses per Gx session exceeds the limit of 1.

Conditions:
Number of IPv4 addresses per Gx session exceeds the limit of 1

Impact:
TMM crash

Workaround:
N/A

Fix:
The session is now reprovisioned only if the PPE session ID is set.


526295-3 : BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When a PEM iRule is used to create a session with calling-station-id and called-station-id, BIG-IP crashes in debug mode.

Conditions:
1. PEM is provisioned.
2. BIG-IP is running in debug mode.
3. A PEM iRule is used to create a session with calling-station-id and called-station-id.

Impact:
BIG-IP crashes.

Workaround:
Create the PEM session with an iRule that does not set calling-station-id and called-station-id, and add the two attributes separately using the PEM info iRule command.

Fix:
With the fix, the problematic irule is now working as expected and does not cause any crash.


526277-1 : AFM attack may never end on AVR dos overview page in a chassis based BIGIP

Component: Advanced Firewall Manager

Symptoms:
In a BIG-IP chassis, the AFM "attack started" and "attack stopped" events can occur on two different slots. In that case avrd cannot detect and report the "attack stopped" event, and the user continues to see "attack ongoing" on the DoS Overview page.

Conditions:
This will only happen in a BIGIP chassis based system with multiple slots, and if the AFM DoS "attack started" and "attack stopped" events are given to different slots.

Impact:
The AFM DoS Overview page still shows the attack as ongoing after it has actually stopped, which is misleading.

Workaround:
No workaround

Fix:
The AFM DoS Overview page now always reflects when an attack has stopped.


526275-1 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMWare View proxy with RSA or RADIUS two factor authentication and VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526084-3 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now reports the correct session.client.platform session variable for BIG-IP Edge Client on Windows 10.


525860-2 : PEM: Duplicate sessions formed with same IP

Component: Policy Enforcement Manager

Symptoms:
For a single IP address, two sessions appear in the output of pem_sessiondump --list.

Conditions:
A static subscriber is configured without an IP address, a RADIUS Start creates a session with two IP addresses, the master IP (the first one) is deleted, and a RADIUS Start with the same IP is sent.

Impact:
Duplicate sessions creates confusion as to which session is the active one used for an IP.

Workaround:
Ensure a RADIUS Stop is received for both IP addresses before sending a new RADIUS Start.

Fix:
The issue is fixed. Duplicate sessions are no longer created for the same IP address.


525708-1 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report-type is missing a different portion of the data which is relative to the report-type. This issue becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month data, 'last-month' report might omit the last week data, and so on.

Conditions:
Every report that is done on a long history time range.

Impact:
The presented data can be confusing and misleading.

Fix:
A new data aggregation mechanism was added, so that all reports include activity up to the last hour.
There is an option to make data available even for the last 5 minutes, although that might cause excessive CPU and disk load every 5 minutes.
There is also an option to turn off this new aggregation mechanism if you are not interested in accurate long-history reports and the hourly aggregation task is too heavy for this machine.


525633-1 : Configurable behavior if PCRF returns unknown session ID in middle of session.

Component: Policy Enforcement Manager

Symptoms:
If PEM sends a CCR-U, and the PCRF responds with a CCA-U indicating an unknown session (the PCRF lost the session), PEM ignores the response and keeps sending CCR-U.

Conditions:
The PCRF lost the session (reboot/failover) and responds to session update requests with an unknown session ID.

Impact:
The session remains on PEM for a long period of time without the PCRF acknowledging it.

Workaround:
So that the PCRF can get the session context back, it is recommended that you delete the session on the PEM end (configurable), and also recreate the same session (configurable).

To have PEM delete the session when the PCRF indicates that the session ID is unknown, set the following sys db variable to TRUE: tmm.pem.diameter.application.trigger.delete.onPeer.failure.

To have PEM recreate the session, set the following sys db variable to TRUE: tmm.pem.session.ppe.recreate.afterPeerFailure.

Fix:
PCRF no longer returns unknown session ID in middle of session.


525595 : Memory leak of inbound sockets in restjavad.

Component: Device Management

Symptoms:
restjavad might run out of memory due to inactive sockets piling up in memory. The symptom is 'Out of memory' messages in /var/log/restjavad.0.log, after which any new REST calls fail. The URL that fails is random.

Conditions:
Occurs after a few hours of use.

Impact:
Memory leak of inbound sockets in restjavad. restjavad becomes inoperative.

Workaround:
Restart restjavad with the following command:
bigstart restart restjavad.
Note: You can run the command periodically from a cron script.

Fix:
Inbound sockets in restjavad no longer cause a memory leak.


525562-1 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
The debug version of TMM (tmm.debug) generates a core file and fails to start up.

Conditions:
This issue happens when running the debug version of TMM on a multi-blade chassis or vCMP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to the default version of TMM (tmm.default).

Fix:
Removed unnecessary debug assert statements from TMM.


525557 : FQDN ephemeral nodes not re-populated after deleted and re-created

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected.

Conditions:
This issue occurs when there is a Sync group and multiple FQDNs resolve to the same IP address.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN ephemeral nodes are now repopulated after force deletion.


525522 : Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains

Component: Advanced Firewall Manager

Symptoms:
A redirect loop may happen for some users, when the Proactive Bot Defense feature is enabled, and the deployment consists of multiple domains.

Conditions:
Proactive Bot Defense is enabled on a DOS profile that is assigned to a Virtual Server, and the deployment consists of multiple domains.

Impact:
Some users may occasionally be blocked from accessing certain URLs of a website due to a redirect loop. In most cases, a page refresh by the user loads the page properly.

Workaround:
Applying the following iRule will work around the problem:

when HTTP_REQUEST {
   if { [HTTP::cookie exists "TSPD_101_R0"] } {
      if { [HTTP::cookie exists "TSPD_101"] } {
         HTTP::cookie remove "TSPD_101"
      }
   }
}

Fix:
Occasional redirect loops caused by the Proactive Bot Defense mechanism no longer occur when multiple domains are deployed.


525416-1 : List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.

Component: Policy Enforcement Manager

Symptoms:
IPs are displayed in an unexpected order.

Conditions:
Occurs always

Impact:
Nothing functional.

Workaround:
None

Fix:
Added code to display the IP addresses in the order they were added to the session.


525384-2 : Networks Access PAC file now can be located on SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or Edge Client fail to download the PAC file if it is located on an SMB share, for example:
file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings enabled,
and the PAC file path set to a location on an SMB share.

Impact:
It is impossible to configure Network Access with a PAC file located on an SMB share.

Workaround:
Put the PAC file on an HTTP server and configure Network Access accordingly.

Fix:
Network Access components can now obtain the PAC file from an SMB share.


525175-1 : Fix a crash issue when querying SSP with multi-ip.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying SSP with multi-IP configured.

Conditions:
SSP is queried while multi-IP is configured.

Impact:
TMM crash

Workaround:
N/A

Fix:
Fixed the TMM crash when querying SSP with multi-IP configured.


524909-2 : Windows Info agent check could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524791-3 : non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0

Component: TMOS

Symptoms:
An interrupted poll() call in the RemoteMcpConn.cpp functions non_blocking_receive and non_blocking_send is not properly handled.

Conditions:
Run a script processing async transactions in parallel with a script running basic REST calls.

Impact:
Either icrd_child locks up, or various calls fail with 'operation canceled' response messages.

Workaround:
none


524780-1 : TMM crash when querying the session information

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when querying the session information using "tmsh show pem sessiondb subscriber-id "

Conditions:
Using "tmsh show pem sessiondb subscriber-id" to query session information.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Restored the display order of multiple IPs to the order in which they were added.


524756 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs:

May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established-session namespace, which results in an ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of these errors is large.

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524753-1 : IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Component: TMOS

Symptoms:
The IPsec tunnel interface presents the IPsec service via the regular network interface. Inherently, the self-IP address should allow external hosts to connect to the BIG-IP via TCP/UDP at this IP address. However, the connection is hairpinned back to the IPsec tunnel interface.

Conditions:
Create an IPsec tunnel interface and assign it a self-IP with "allow-service all" so that the self-IP may accept external connections. At the other end of the IPsec tunnel, attempt a TCP connection using "telnet"; observe that the "telnet" command fails.

Impact:
The BIG-IP cannot provide certain services hosted on the BIG-IP itself, such as BGP over TCP.

Workaround:
An iRule can be created to forward the external connection on the IPsec tunnel self-IP to the host IP 127.0.0.1. Example:

ltm virtual http_host {
    destination 10.99.0.11:80
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        fastl4_stateless { }
    }
    rules {
        local_node
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
ltm rule local_node {
    when CLIENT_ACCEPTED {
         node 127.0.0.1 80
    }
}

10.99.0.11 is the self-IP of the IPsec tunnel interface.

Fix:
The BIG-IP now properly handles TCP/UDP connections to the BIG-IP over the IPsec interface using its tunnel self-IP.


524748-1 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob grows too big with a large-scale policy configuration, which causes slow compilation and serialization.

Conditions:
Large-scale policy configuration.

Impact:
Slow compilation/serialization and a large PCCD blob.

Workaround:
N/A

Fix:
With the PCCD IP address range optimization, PCCD reduces its compilation/serialization time and blob size.


524666-3 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS services are unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters activate even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags, such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524606-1 : SELinux violations prevent cpcfg from touching /service/mcpd/forceload

Component: TMOS

Symptoms:
'cpcfg' fails when copying configurations to an adjacent boot location.

Conditions:
11.5.3 and 11.6.0 installed on two boot locations.

Impact:
'cpcfg' cannot be used.

Workaround:
Re-install the software to the target volume. The configuration will be properly rolled forward as the final step in the software installation.

Fix:
Corrected a parameter count mismatch.


524490-4 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config command displays many default configuration items. Although the output does display the user-configured items as expected, it is not expected to include default configuration items.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-1 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions will fail due to deadlock.

Workaround:
Wait until signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524409-1 : Fix TMSH show and reset-stats commands for multi-ip sessions defect.

Component: Policy Enforcement Manager

Symptoms:
The TMSH show and reset-stats commands don't work properly for multi-IP sessions.

Conditions:
Sessions are multi-IP sessions with at least one IPv6 address.

Impact:
reset-stats does not clear individual IP stats.

Workaround:
N/A

Fix:
Fixed the TMSH pem sessiondb show and reset-stats commands with the all-properties option.
The pem_session_mult_ip_data_stats struct did not include the IPv6 prefix length information.


524374-1 : TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under a race condition: PEM flow reporting with a format script that contains iRules accessing information from other TMMs is executed while another iRule is already executing (and parked) on the same connection/flow, and the connection/flow is reset.

The fix does not execute the format script if it sees that an iRule is already parked for that flow. As a result, no log message is sent in this case. In versions before the fix, the user may have seen a log with stale information or duplicate logs. After the fix, no log is sent out in the situation described above.

Conditions:
1. PEM flow reporting is enabled with a format script that contains iRules accessing information from other TMMs.
2. An iRule script that accesses information from another TMM (that is, it will be parked on the connection/flow) is being executed and parked on the connection/flow.
3. The connection/flow is reset.
4. The PEM flow reporting with the format script in #1 gets executed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A patch is needed for this TMM crash under the race condition, when PEM flow reporting with a format script is required along with iRules.

Fix:
The issue is fixed by ensuring that PEM flow reporting with a format script is not executed if another iRule script is already parked on the flow. Since this is a rare race condition, the PEM flow reporting with the format script will be triggered again when the reporting condition (volume- or time-based) is met and no concurrent iRule script is parked.


524326-4 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.


524198-1 : PEM: Invalid HSL log generated when session with static subscriber deleted.

Component: Policy Enforcement Manager

Symptoms:
Invalid HSL logs are generated when a static subscriber session is deleted.

Conditions:
HSL logging is configured in the subscriber policy and a static subscriber session is deleted.

Impact:
Invalid HSL log lines create discrepancies in the logs.

Workaround:
Manually filter out these lines from HSL logs.

Fix:
This issue has been fixed; there are no more extra lines in HSL logs.


524185 : Unable to run lvreduce

Component: TMOS

Symptoms:
Unable to run lvreduce command due to missing program 'blockdev'. (The missing program 'blockdev' is part of the util-linux-extras package.)

Conditions:
Attempting to reallocate disk resources when upgrading a vCMP system.

Impact:
Cannot reallocate the vmdisks app volume.

Workaround:
Acquire the /sbin/blockdev executable from a different BIG-IP device running version 11.6.0-HF6 or 12.x, and install it on the BIG-IP device affected by this issue.

Note: If the receiving system is a multi-blade VIPRION, you must install the file on each blade.

If you do not have a suitable donor device available, you can contact F5 Support, who will be able to supply the executable to you.

Note: Using a blockdev executable from another source is not recommended.

Fix:
The blockdev utility is now present, so you can run the lvreduce command to reallocate the vmdisks app volume.


524004-1 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions will fail due to deadlock.

Workaround:
Wait until signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523922-4 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is different from the TMM handling the connection and the entry is retrieved, for example via an iRule "session lookup uie", the timeout is extended.

When the TMM owning the entry and the one handling the connection are the same, the entry may not have its timeout changed, leading to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently get their timeout values touched in all scenarios.


523863-2 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell option handling to understand the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523803 : Support two-factor authentication for Citrix Receivers in StoreFront proxy mode

Component: Access Policy Manager

Symptoms:
Citrix Receivers do not detect 2-factor authentication when connecting to APM.

Conditions:
APM is configured as StoreFront proxy and 2-factor authentication is used.

Impact:
Citrix Receivers do not detect 2-factor authentication.

Workaround:
To enable 2-factor authentication, put a Variable Assign agent in front of the Logon Page in VPE with the following expression: session.citrix.client_auth_type = expr {"1"}.

Fix:
Added support for two-factor authentication for Citrix Receivers in StoreFront proxy mode.

Behavior Change:
Two-factor RSA+AD auth for Citrix Receiver clients now requires a new VPE configuration when APM is configured in StoreFront Integration mode. Note: To avoid a potential issue, if Citrix Receiver was already configured against APM, the Receiver accounts must be recreated.


523465-2 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, if AFM rule serialization failed in pktclass-daemon, it was not possible to tell whether the failure was due to an out-of-memory (OOM) condition or the maximum blob limit being reached. Both errors were logged as OOM in /var/log/ltm.

Conditions:
AFM rule serialization fails due to the max blob limit.

Impact:
It is hard to determine that serialization failed due to the max blob limit.

Workaround:
None

Fix:
With the fix, AFM rule serialization failure due to the max blob limit is logged appropriately in /var/log/ltm, making it easier to identify the cause of the failure.


523434 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-2 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot.
Invalid name: '/Common/profile.name'
Valid name: '/Common/profile_name'

Fix:
One of the PHP files for cache control has a regex that checks for invalid access profile names. This regex previously flagged any profile name containing a period as invalid. The regex has been updated to allow periods.


523390-2 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in the SAML Identity Provider (IdP) when SLO is configured in a Service Provider (SP) connector.


523327-2 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
The non-elevated client component is able to find the certificate but not the key, while the machine cert service/F5 Elevation Helper fails to find the certificate.

f5certhelper.txt (helper) or logterminal.txt (in the windows\temp folder, for the service) contains:
1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
IE/Edge Client is not running under an Admin user.
A special certificate is used.

Impact:
The user fails to pass the access policy.

Workaround:
Run IE/BIG-IP Edge Client as administrator.

Fix:
Both the service and the elevation helper can now find these specific certificates.


523313-1 : aced daemon might crash on exit

Component: Access Policy Manager

Symptoms:
When the aced process is going to exit (daemon shutdown/restart), it might generate a core file intermittently.

Conditions:
This issue occurs when aced daemon shuts down.

Impact:
This causes a core file to be generated.

Workaround:
This issue has no workaround at this time.

Fix:
The aced process no longer intermittently generates a core file.


523305-1 : Authentication fails with StoreFront protocol

Component: Access Policy Manager

Symptoms:
Wyse clients fail to authenticate through APM.

Conditions:
Wyse clients fail to authenticate through APM when it is configured for the StoreFront proxy protocol.

Impact:
Authentication fails.

Workaround:
N/A

Fix:
Added support for the StoreFront protocol for Wyse clients.


523296-1 : TMM may core when using iRule custom actions in PEM policies

Component: Policy Enforcement Manager

Symptoms:
TMM cores.

Conditions:
When using custom iRule actions in a PEM policy, triggering a use of the action or modifying the action will cause the TMM to reset.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using custom iRule actions in PEM policies.

Fix:
Memory storing the custom action was freed to a different pool than the one it was allocated from; the correct free routine is now used.


523261-1 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect security policies should be persisted to the BIG-IP configuration files after they complete (create, delete, association with virtual servers, and changing language encoding), but are not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted configuration may be lost.

Workaround:
Perform any other action that persists the configuration (such as an ASM configuration change through the GUI, or any LTM configuration change).

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-1 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally; the coapi_query error message occurs after the commit.
This error, however, prevents correct device group synchronization of the change.

Workaround:
Use REST API to apply the policy:

POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{
  "policy": {
        "fullPath": "/Common/<POLICY_NAME>"
    }
}

Fix:
This release fixes an error that intermittently caused the Apply Policy action to fail.


523222-6 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
The HTML5 client is not usable for this sort of integration.

Fix:
Fixed the Citrix HTML5 handling code so that it works with Redirect endings in access policies.


523201-2 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523158-2 : In VPE, if the LDAP server returns "cn=" (lower case), DN/group match fails

Component: Access Policy Manager

Symptoms:
In the rare case when the DN is returned with "cn=" in lower case, VPE fails to match group names.

Conditions:
The LDAP server returns "cn" in lower case.

Impact:
Group mapping doesn't work.

Workaround:
No workaround.

Fix:
Fixed to support "CN" in both upper and lower case.


523125 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-2 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes, leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


523032-6 : qemu-kvm VENOM vulnerability CVE-2015-3456

Vulnerability Solution Article: SOL16620


522934 : Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy

Component: Policy Enforcement Manager

Symptoms:
Some PCRFs require the subscription ID in all CCR messages over Gx/Gy for easier session management.

Impact:
Some PCRFs will not work properly with PEM if the subscription ID is not specified in CCR-U and CCR-T messages.

Workaround:
Set the sys db variable Tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to include the Subscription ID in CCR-U and CCR-T messages as well. By default it is set to True.


522933-1 : diam_app_process_async_lookup may cause TMM crash

Component: Policy Enforcement Manager

Symptoms:
TMM may crash.

Conditions:
TMM may crash in diam_app_process_async_lookup when traffic is sent to a virtual server that has a Gx profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed a double free of the serdes message.


522878-1 : Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.

Vulnerability Solution Article: SOL82679059


522784-2 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization.

During this time the following advanced shell command may produce one or more lines of output:

# bigstart status | grep waiting

However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* 522784, may experience this issue. There are no officially supported BIG-IP releases that have this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522579-1 : TMM memory leak when RAR messages are received from PCRF to delete non-existing sessions in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM memory leak. Memory consumption of TMM increases constantly and never reduces.

Conditions:
RAR messages with the session-release cause are received from the PCRF for sessions that PEM does not have.

Impact:
Memory leak and eventually TMM will have to be restarted.

Workaround:
Make sure RAR messages are not sent for sessions that do not exist in PEM.

Fix:
This issue has been fixed; there are no more memory leaks when RAR messages with the session-release AVP are received for non-existent sessions in PEM.


522231-3 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) Client resets a connection immediately after the request is done and the response has not started to serve.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Install the fix.

Fix:
The fix removes the condition in which AAM starts to serve the response to an already aborting connection.


522147-2 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
Web GUI does not save config after key conversion to FIPS

Conditions:
On a Cavium-FIPS BIG-IP, create a normal key and then convert it to FIPS using the web GUI.

Impact:
'tmsh load sys config' fails

Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after the key conversion to FIPS using web GUI
2) Convert normal key to FIPS using tmsh instead of web GUI

Fix:
Web GUI is now fixed to properly save config after key conversion to FIPS


522141-1 : Tmm cores while changing properties of PEM policies and rules.

Component: Policy Enforcement Manager

Symptoms:
If a policy with session reporting is configured on the BIG-IP system, and the policy is changed to remove this action, a TMM core may rarely be observed.

Conditions:
This core only occurs when session reporting is configured, and while traffic is being processed, this policy is modified to remove the session reporting action.

Impact:
The core occurs rarely, but when it does, traffic is disrupted while TMM restarts.

Fix:
Deleting a session reporting action will not cause a tmm core.


522140-1 : Multiple IPs are not added through an iRule after the iRule sets the state of a session to provisioned

Component: Policy Enforcement Manager

Symptoms:
When an iRule sets a session state to provisioned, multiple IP addresses may not be added to the session.

Conditions:
An iRule adds multiple IP addresses to a session and sets its state to provisioned.

Impact:
IP addresses are not present in the session.

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521835-2 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync failed with a customized logo in connectivity profile.

Conditions:
Configure a customized logo on the connectivity profile.
Associate the profile with the access profile through a virtual server.
Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521774-3 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-2 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of "rewrite.*" processes grows constantly.
In a manually taken core file, the result of the following command is large (more than 100000):
zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks when POST request content can be modified by Portal Access (for example, XML).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request urls in rewrite plug-in.


521763-1 : Attack start and stop messages should not have source/destination IP addresses in log messages

Component: Advanced Firewall Manager

Symptoms:
DoS attack start and stop log messages should not contain source and destination IP addresses, but the code was printing them.

Conditions:
Source and destination IP addresses were logged when a DoS attack started or stopped in the AFM DoS code.

Impact:
DoS attack start and stop log messages included source and destination IP addresses.

Workaround:
None

Fix:
The source and destination IP fields of attack start and stop messages are now logged as NULL.


521683-1 : PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs

Component: Policy Enforcement Manager

Symptoms:
The PEM session is not replaced with a new one for the subscriber.

Conditions:
The same RADIUS start message is sent three or more times.

Impact:
Because the session is not replaced, the old policy continues to be applied to the session.

Workaround:
Make sure a RADIUS stop is sent for the subscriber before a new RADIUS start is sent.

Fix:
The session is now replaced regardless of how many RADIUS start messages are received for the subscriber.


521655-2 : Session hangs when trying to switch state to provisioned

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may hang when an iRule switches the session state to provisioned.

Conditions:
An iRule that sets the session state is applied to a client data virtual server.

Impact:
Session state will hang

Workaround:
N/A

Fix:
The callback context connflow is now released after the session state is set asynchronously.


521556-1 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or small TCP window (flow control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.

Impact:
Intermittent crash under load.

Fix:
Assertion "valid pcb" does not occur.


521538-2 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the TCP profile. After a failover, traffic flowed before the flow timed out, and then the traffic became idle. If there is no traffic after failover, the correct sequence numbers are unknown, and the flow timing out due to inactivity is expected behavior. If there is traffic after failover, the correct TCP sequence numbers are known, so when the flow then becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known


521522-3 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-2 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet
2. Ethernet cable was unplugged
3. Network Access reconnects using Wi-Fi
4. Ethernet cable is plugged in back

Impact:
Minor routing issues may occur if this loopback route is removed. To restore the route, the affected adapter must be disabled and re-enabled.

Fix:
Fixed issues causing improper routing table management.


521455-2 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render, WebP-format images. The AAM image optimization framework incorrectly classifies the Edge browser as capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization as well as the "optimize for client" setting must both be enabled, and the associated acceleration policy and application associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser.

By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-3 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect configuration of an iRule associated with a BigTCP virtual server can cause TMM to core.

Conditions:
The following circumstances are needed:
   - BigTCP virtual server.
   - FastL4 profile with SYN cookies enabled.
   - An invalid iRule that fails to execute on LB_FAILED.
   - SYN cookies active at that moment.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Correct or remove the iRule event; TMM will no longer core.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521272 : Fixed memory leak in restjavad's Authentication Token worker

Component: Device Management

Symptoms:
There is a memory leak that causes the Authentication Token worker to run Out of Memory after approximately 27,000 token requests, when running with 96 MB image on a BIG-IP system. Any service might receive the OutOfMemory exception, so the external symptoms might vary (e.g., Socket failure, Bad Gateway, and others). To identify this issue, check for Out Of Memory exceptions in /var/log/restjavad.0.log.

Conditions:
This usually occurs when scripting against the rest interface. On a vCMP guest, guestagentd generates an authentication token every 90 seconds so that hostagentd on the vCMP hypervisor can make periodic REST calls to the guest. This info is used to populate the 'tmsh show vcmp health' stats.

Impact:
restjavad runs out of memory after approximately 27,000 token requests. When logons come in only through the GUI, it takes a long time to reach this count.

Workaround:
Restart restjavad after 10,000 tokens. To stop auth token generation on vCMP guests, run the following commands on the hypervisor:
-- tmsh modify vcmp guest all capabilities add { stats isolated-mode }
-- bigstart restart hostagentd

Fix:
Fixes a memory leak in Authentication Token mechanism in restjavad.


520705-5 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in connectivity profile

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.

Behavior Change:
BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.


520642-3 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains incorrect length value in file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-2 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-2 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the CMI device group's status immediately returns to "Changes Pending".

Additionally calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding.
Or an application language is already set and is changed through the REST API.

Issue is seen most prominently in CMI when ASM sync is enabled on a Manual Sync Failover Group

Impact:
1) The change to encoding is not seen if looking at the result in tmsh.

2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-1 : Specific iRule commands may generate a core file

Component: Local Traffic Manager

Symptoms:
Accessing the information within an HTTP Authorization header via the HTTP::username or HTTP::password iRule commands (or other methods) may cause TMM to generate a core file on some requests.

Conditions:
iRule that makes use of the HTTP::username, HTTP::password commands, or the sflow feature.

Impact:
Traffic disrupted while TMM generates a core file.

Workaround:
Modify iRule to manually truncate the size of the HTTP Authorization header.

Fix:
HTTP::username, HTTP::password iRule commands, and the sflow feature no longer generate a core file.


520466-2 : Ability to edit iCall scripts is removed from resource administrator role

Vulnerability Solution Article: SOL16728


520413 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With woodside and the other necessary options, TMM may core. Running without woodside or without the other options avoids the core, but has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids issue.

Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.


520390-1 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If a policy is imported with the 'reuse existing objects' option and an appropriate SMTP server already exists, the newly imported policy creates and uses a new one instead of reusing the existing one.

Conditions:
Always

Impact:
Minor - easy to fix after import

Workaround:
Open assignment and reuse existing SMTP server, then delete old one.

Fix:
Reuse existing option works properly for SMTP servers.


520349 : iControl portal restarts

Component: TMOS

Symptoms:
iControl portal can restart during EM discovery.

Conditions:
EM discovery/device refresh

Impact:
The iControl portal restarts, causing an iControl outage.


520298-2 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
Website uses Java applet that is loaded with deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Fix:
Java applets now work correctly through Portal Access.


520280-1 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Apply Policy causes a Perl core.
Further Apply Policy operations do not work.

Conditions:
ASM provisioned.
LTM provisioned.
An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Apply Policy causes a Perl core and an ASM config event dispatcher crash.
The ASM config event dispatcher is not restarted and remains down.
Further Apply Policy operations do not work.

Workaround:
Make sure that if an ASM policy is referenced by an LTM (L7) policy, that LTM (L7) policy is assigned to some LTM virtual server.
A dummy LTM virtual server can be created for that purpose.

Fix:
Perl no longer cores and crashes ASM config event dispatcher in the case of an apply policy to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.


520205-3 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log:
../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-3 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
A large access profile, for example one with excessive use of ACL resources.

Impact:
Policy Sync fails.

Fix:
APM allows a user to sync a large and complex policy.


520118-2 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.

Fix:
The server list now contains a single entry per server.


519966-2 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
APM Session Variables report shows user passwords in plain text.

Conditions:
Has password session variable.

Impact:
It is not safe to show users' passwords in plain text.

Fix:
APM Session Variables report masks user passwords, displaying ************ instead.


519877 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


519864-3 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak in Dynamic ACL for HTTP-related configuration in ACL entries, such as HTTP host name and HTTP URI path. The leak occurs for every session, because these entries are generated on a per-session basis.

Conditions:
This occurs when using L7 Dynamic Access Control Lists.

Impact:
TMM memory usage increases.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519723 : dnatutil utility needs update because DAG changed.

Component: Carrier-Grade NAT

Symptoms:
dnatutil utility needs update because DAG changed.

Conditions:
CGNAT configured

Impact:
STDERR: dnatutil: Newer version of the utility is required to process the data (required daglib id: 5666df06f3570ad26976e607e02f71f7).

Workaround:
None

Fix:
dnatutil utility has been updated because DAG changed.


519510-3 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs.

The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN.

2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However, in general, the required condition is that packets with a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:

1. Avoid using tagged VLANs.

2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot.

-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
The change in L4 packet header offset resulting from VLAN header insertion is now accounted for when verifying the checksum.


519506-1 : Flows dropped when the server initiates data on virtual servers with HTTP

Component: Policy Enforcement Manager

Symptoms:
Accepted events are held when HTTP is present on the hudchain.

Conditions:
HTTP is present on the hudchain.

Impact:
Data flows dropped

Workaround:
N/A

Fix:
The HTTP state is now checked and Accepted events are passed.


519415-3 : APM Network Access tunnel ephemeral listeners ignore iRules (related-rules from the main virtual server)

Component: Access Policy Manager

Symptoms:
Ephemeral listeners (created by Network Access tunnels for lease-pool IPs) ignore iRules, so, for example, timeout values for server-side initiated flows inside Network Access tunnels cannot be changed.
Attaching iRules to the main virtual server as related-rules through tmsh (not the UI) is meant to run them on the ephemeral listeners, for example:
 tmsh modify ltm virtual vs_dtls related-rules { idle_time }

The problem was that APM Network Access ignored the related-rules on the main virtual server, so the rules were not triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on the main virtual server are not applied to ephemeral listeners (the listeners created by Network Access tunnels for lease-pool IPs).

Workaround:
none.

Fix:
iRules get executed on Ephemeral listeners.


519407-1 : PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID

Component: Policy Enforcement Manager

Symptoms:
If an existing session is replaced by a new session with the same IP address but a different subscriber ID, looking up the session by the new subscriber ID from tmsh fails.

Conditions:
Existing session replaced by new session with same IP and different subscriber ID.

Impact:
Lookup of the new session fails, and replacement of the session also fails.

Fix:
This issue has been fixed and should work as expected.


519372 : vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.

Component: TMOS

Symptoms:
Extremely large and increasing number of files present, of the form /var/run/tmstats-rsync.*. This is a memory-backed directory, and these files are never automatically moved or deleted, hence the vCMP guest may eventually experience swap and out of memory conditions.

Conditions:
vCMP guests upload statistics to the VCMP host periodically. In a small percentage of vCMP guests which have large configurations, these statistics take up an unusually high amount of space. This is not an error, but it exceeds the 6 MB limit that the host accepts. The host's refusal to accept the file triggers behavior in the guest that logs the condition to /var/run/tmstats-rsync.*. If the file size never decreases, this happens repeatedly and indefinitely.

Impact:
In swap and low memory conditions, the vCMP guest suffers performance problems and instability.

Workaround:
To work around this issue, disable guest health statistic collection on the vCMP host, using the following procedure (disabling statistic collection for the tmsh show vcmp health command).

Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.

1. Log in to the command line of the vCMP host. If the device is a VIPRION, ensure you are logged in to the primary blade.
2. To disable statistic collection, type the following command: tmsh modify vcmp guest all capabilities add { stats-isolated-mode }.

Fix:
The /var/run/tmstats-rsync.* files are no longer generated. Instead, statistics are kept in the vCMP guest to track failures to send stats to the host. You can see these by running the following command in the guest: tmctl -d blade vcmpd/rsync_stat. If the guest is a multi-slot guest on a VIPRION platform, this command shows separate stats for each slot it's run on.


519198-3 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as different admin user than the default "admin".
Sync a policy that was created in a non-Common partition.

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519068-3 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset and messages about self-signed certificates are logged.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519053-1 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k.
Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.

Workaround:
Change the internal parameter max_raw_request_len to 10000.

Fix:
The system’s client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-2 : Upgrade process fails to convert ASM predefined scheduled-reports.

Component: Application Visibility and Reporting

Symptoms:
Upgrades from versions prior to 11.5 fail if a scheduled report uses the predefined settings named 'Top alerted and blocked policies'.

Conditions:
There is a scheduled report that uses the predefined settings named 'Top alerted and blocked policies'. The failure can be triggered on upgrade to versions prior to 11.5.4, 11.6.1, and 12.0.0.

Impact:
Upgrade process fails.

Workaround:
None.

Fix:
A scheduled report using the predefined settings named: 'Top alerted and blocked policies' no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report-type to the correct one and thus the upgrade process does not fail anymore.


518981-2 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified.
However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains a RADIUS Acct agent. The RADIUS server is configured to send class attributes with a total size greater than 512 bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.


518967-1 : Possible error when parsing for certain URL categorization input.

Component: Policy Enforcement Manager

Symptoms:
The system might encounter an error when parsing for certain URL categorization input.

Conditions:
Enable PEM URL categorization to categorize the URLs from traffic processed by PEM virtual servers.

Impact:
TMM restart, with potential service interruption during the TMM restart.

Workaround:
None.

Fix:
The parsing mechanism for the URL input has been fixed to handle multiple corner cases of the URL categorization.


518663-1 : Client waits seconds before page finishes load

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough not to be chunked, AVR "promises" the client a CSPM injection in the response by adding to the Content-Length header.
If the response contains no <html> tag, AVR "changes its mind" and does not inject the JavaScript, causing the client to wait for the missing bytes until timeout.

Conditions:
Page-load-time is enabled in the AVR profile, and the response is small enough not to be chunked and contains no <html> tag.

Impact:
Client waits many seconds until timeout.

Fix:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header.
If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out.


518583-2 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients

Component: Access Policy Manager

Symptoms:
Windows Network Access restores a redundant default route when the client roams between networks in a loop, e.g.:
NetworkA -> NetworkB -> NetworkA.

Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)

Impact:
An incorrect default route may cause routing issues on the client machine if the metric of the interface connected to NetworkB is lower than the metric of the interface connected to NetworkA.

Workaround:
N/A

Fix:
Fixed issue causing redundant default route under described conditions.


518573 : The -decode option should be added to expressions in AD and LDAP group mapping.

Component: Access Policy Manager

Symptoms:
The -decode option is missing from AD and LDAP group mapping expressions after upgrade.

Conditions:
Upgrade to 11.6.0.

Impact:
In 11.6.0, if you create a rule to match an AD group in an "AD Group Resource Assign" agent, it creates something like this in bigip.conf:
expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

Prior to 11.6.0 the generated config was:
expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

The upgrade script does not add the "-decode" option, which results in no groups being displayed in the VPE after an upgrade to 11.6.0.

Workaround:
No workaround

Fix:
Issue resolved: the -decode option and lower-case string comparison are now added to expressions in AD and LDAP Group Mapping during upgrade.


518432 : [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation

Component: Access Policy Manager

Symptoms:
TLS tunnel freezes on Mac and Linux in case of SSL renegotiation.

Conditions:
A TLS tunnel is established from a Mac or Linux client and SSL renegotiation occurs.

Impact:
Tunnel freezes and user cannot pass data traffic.

Workaround:
Restart session with BIG-IP

Fix:
The tunnel no longer freezes on SSL renegotiation on Mac and Linux.


518283 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
A Rewrite profile is in use and the 'Set-Cookie' header has the 'Expires' attribute before the 'Path' attribute.

Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.
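
The following Python example is added here to illustrate the parsing pitfall behind this fix; it is not F5 code and the exact cause inside the Rewrite profile is not stated above. It assumes (as is the usual cause of "two Path values plus a broken Expires string") that the rewriter split attributes on commas as well as semicolons, which cuts the RFC 1123 date in the Expires value in half. The sample header is constructed. The correct parser splits on ';' only, rewrites Path in place, and keeps attribute order; the naive helper is shown only to make the failure visible.

```python
from email.utils import parsedate_to_datetime  # stdlib RFC 5322/1123 date parser

# Constructed sample header: Expires (whose value contains a comma) precedes Path.
SAMPLE = "sid=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/old; HttpOnly"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into (name, value) and an ordered attribute list.

    Attributes are separated by ';' only. The Expires value legitimately
    contains a comma, so a parser that also splits on ',' cuts the date in
    half and then mistakes the remainder for further attributes.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = []
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs.append((key.strip(), val.strip()))
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def serialize_set_cookie(cookie: dict) -> str:
    """Re-emit the header, preserving the original attribute order."""
    parts = [f"{cookie['name']}={cookie['value']}"]
    for key, val in cookie["attrs"]:
        parts.append(f"{key}={val}" if val else key)
    return "; ".join(parts)


def rewrite_path(header: str, new_path: str) -> str:
    """Rewrite the Path attribute in place (or append one), leaving Expires intact."""
    cookie = parse_set_cookie(header)
    rewritten, found = [], False
    for key, val in cookie["attrs"]:
        if key.lower() == "path":
            rewritten.append((key, new_path))
            found = True
        else:
            rewritten.append((key, val))
    if not found:
        rewritten.append(("Path", new_path))
    cookie["attrs"] = rewritten
    return serialize_set_cookie(cookie)


def expires_of(header: str):
    """Return the Expires attribute as an aware datetime, or None if absent."""
    for key, val in parse_set_cookie(header)["attrs"]:
        if key.lower() == "expires":
            return parsedate_to_datetime(val)
    return None


def naive_attribute_names(header: str) -> list:
    """The broken approach: treating ',' as a separator too. The date fragment
    after the comma shows up as a bogus attribute name."""
    names = []
    for piece in header.replace(",", ";").split(";")[1:]:
        names.append(piece.strip().partition("=")[0])
    return names


if __name__ == "__main__":
    print(rewrite_path(SAMPLE, "/new"))
    print(naive_attribute_names(SAMPLE))
```

The same split-on-';' rule applies to any attribute whose value may contain a comma; Expires is simply the one that always does.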


518260-1 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, even though the Target Info attribute itself is included. Certain NTLM clients ignore the Target Info attribute because of this and fall back to NTLMv1 authentication. With the Active Directory default configuration this is not an issue; however, if NTLMv2 is specifically required by policy, authentication never succeeds because of the protocol mismatch.

Conditions:
This occurs when NTLMv2 is required and NTLMv1 is denied by the Active Directory policy.

Impact:
Users cannot authenticate.

Fix:
NTLM clients that depend on the NTLMSSP_TARGET_INFO flag can now complete NTLM authentication using NTLMv2.
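
The following Python example is added to show the inconsistency this fix removes; it is not F5 or ECA code. It builds an NTLMSSP CHALLENGE_MESSAGE from the MS-NLMP layout (the flag the release note calls NTLMSSP_TARGET_INFO is NTLMSSP_NEGOTIATE_TARGET_INFO, 0x00800000, in that specification) and checks whether the TargetInfo payload and the flag agree. The domain name, computer name and server challenge are constructed values; the Version field is omitted, which the layout permits when NTLMSSP_NEGOTIATE_VERSION is not set.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000  # the flag the release note calls NTLMSSP_TARGET_INFO
# AV_PAIR ids (MS-NLMP 2.2.2.1)
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2

FIXED_LEN = 48  # CHALLENGE_MESSAGE fixed part without the optional Version field


def av_pairs(pairs) -> bytes:
    """Encode TargetInfo as AV_PAIRs (id, len, UTF-16LE value) terminated by MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        val = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(val)) + val
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def build_challenge(target_name: str, target_info: bytes, flags: int, server_challenge: bytes) -> bytes:
    """Serialise a CHALLENGE_MESSAGE; TargetName and TargetInfo live in the payload after byte 48."""
    name = target_name.encode("utf-16-le")
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), FIXED_LEN)               # TargetNameFields
    msg += struct.pack("<I", flags)                                            # NegotiateFlags
    msg += server_challenge + b"\x00" * 8                                     # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), FIXED_LEN + len(name))  # TargetInfoFields
    return msg + name + target_info


def parse_challenge(msg: bytes) -> dict:
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    return {
        "flags": flags,
        "server_challenge": msg[24:32],
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "target_info": msg[ti_off:ti_off + ti_len],
    }


def target_info_consistent(msg: bytes) -> bool:
    """True when the TargetInfo payload and NTLMSSP_NEGOTIATE_TARGET_INFO agree.

    A message that carries AV_PAIRs but lacks the flag is the defect described
    above: a client that keys off the flag will not use that TargetInfo to
    build an NTLMv2 response and may fall back to NTLMv1.
    """
    c = parse_challenge(msg)
    has_info = len(c["target_info"]) > 0
    has_flag = bool(c["flags"] & NTLMSSP_NEGOTIATE_TARGET_INFO)
    return has_info == has_flag


# Constructed sample values (not captured traffic)
SAMPLE_CHALLENGE = bytes(range(8))
SAMPLE_INFO = av_pairs([(MSV_AV_NB_DOMAIN_NAME, "CORP"), (MSV_AV_NB_COMPUTER_NAME, "GATEWAY")])
BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
              | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_DOMAIN)


def buggy_message() -> bytes:
    """TargetInfo present, flag missing: the pre-fix shape."""
    return build_challenge("CORP", SAMPLE_INFO, BASE_FLAGS, SAMPLE_CHALLENGE)


def fixed_message() -> bytes:
    """TargetInfo present and NTLMSSP_NEGOTIATE_TARGET_INFO set."""
    return build_challenge("CORP", SAMPLE_INFO, BASE_FLAGS | NTLMSSP_NEGOTIATE_TARGET_INFO, SAMPLE_CHALLENGE)
```

Run target_info_consistent() over a captured CHALLENGE to confirm the fix on a given build; the check is a one-line decode of the flags word and the TargetInfoFields length.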


518039-1 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the iCall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-11 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.

Conditions:
If the HTTP version token in the request is improperly crafted, the BIG-IP system treats the request as HTTP 0.9. Any data after the first CRLF is therefore held back by the BIG-IP system as if it were a pipelined request and is not passed to the backend server.

If the backend server is Apache or IIS, the same improperly crafted request line is treated as HTTP 1.1, and both servers wait for the Host header and the terminating CRLFs. Since no data is forthcoming, the connection hangs and the backend server times out the connection a few seconds later.

F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops the connection after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release improves handling of certain HTTP request types, so that an HTTP request with a malformed version token is no longer treated as HTTP 0.9. As a result, all of the request data is forwarded to the backend.
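
The following Python example is added to show the request-line classification at the heart of this issue and the difference between the pre-fix and fixed forwarding behaviour; it is not F5 code, and the BIG-IP parser's internal rules are not described above. It assumes RFC 7230's request-line grammar (HTTP-version must match HTTP/D.D) and models the proxy's decision as a byte count; the sample request is constructed. Mitigation 2 above corresponds to the 'malformed-version' verdict, where a front end could alternatively answer 400 instead of forwarding.

```python
import re

# RFC 7230 section 3.1.1: request-line = method SP request-target SP HTTP-version CRLF
# HTTP-version = "HTTP/" DIGIT "." DIGIT
_VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token


def classify_request_line(line: bytes) -> dict:
    """Classify one request line (without its CRLF).

    verdict is one of 'http/1.x', 'http/0.9', 'malformed-version', 'reject'.
    A malformed version token gets its own verdict rather than being folded
    into 'http/0.9', which is the misclassification the release note describes.
    """
    parts = line.split(b" ")
    if len(parts) == 2:  # HTTP/0.9 "simple request": exactly "GET" SP target
        if parts[0] == b"GET" and parts[1]:
            return {"verdict": "http/0.9", "reason": "two-token simple request"}
        return {"verdict": "reject", "reason": "HTTP/0.9 permits only GET"}
    if len(parts) != 3:
        return {"verdict": "reject", "reason": "expected method SP target SP version"}
    method, target, version = parts
    if not _TOKEN_RE.match(method):
        return {"verdict": "reject", "reason": "invalid method token"}
    if not target or any(c < 0x21 for c in target):
        return {"verdict": "reject", "reason": "invalid request-target"}
    if not _VERSION_RE.match(version):
        return {"verdict": "malformed-version", "reason": "version token is not HTTP/D.D",
                "version": version.decode(errors="replace")}
    return {"verdict": "http/1.x", "reason": "well-formed", "version": version.decode()}


def forward_decision(raw: bytes, legacy: bool = False) -> dict:
    """Model how many bytes of a buffered request a proxy hands to the server.

    legacy=True reproduces the pre-fix behaviour: a malformed version token is
    treated as HTTP/0.9, so only the first line is forwarded and the rest is
    held back as if it were a pipelined follow-up request. A server that parses
    the same line as HTTP/1.1 then waits for headers that never arrive.
    """
    line, sep, rest = raw.partition(b"\r\n")
    cls = classify_request_line(line)
    if cls["verdict"] == "reject":
        return {"action": "reset", "forwarded": 0, "held": 0, "reason": cls["reason"]}
    if cls["verdict"] == "http/0.9" or (cls["verdict"] == "malformed-version" and legacy):
        return {"action": "forward", "forwarded": len(line) + len(sep), "held": len(rest),
                "reason": "treated as HTTP/0.9, no headers expected"}
    # fixed behaviour: a malformed version is not downgraded, the whole request goes through
    return {"action": "forward", "forwarded": len(raw), "held": 0, "reason": cls["reason"]}


# Constructed sample: a request whose version token carries a stray trailing character.
SAMPLE_BAD = b"GET / HTTP/1.1x\r\nHost: a\r\n\r\n"

if __name__ == "__main__":
    print(forward_decision(SAMPLE_BAD, legacy=True))
    print(forward_decision(SAMPLE_BAD))
```

With the sample, the legacy model forwards only the 17-byte first line and holds the remaining 11 bytes, which is the hang described above; the fixed model forwards all 28.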


517988-2 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(These are untested...)

Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals.

With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-1 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
Proxy name resolution failures are hard to troubleshoot because the log message does not identify which proxy hostname failed to resolve.

Conditions:
Troubleshooting of a proxy name resolution failure is required.

Impact:
The network engineer has difficulty identifying the root cause.

Fix:
Now proxy hostname is printed to logfile when resolution fails.


517790-1 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)

If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the server responds before seeing any client data, do not pass through the Transparent HTTP proxy.

Non-HTTP protocols that start with a pseudo-HTTP response followed by extra data have the connection rejected when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517580-3 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-1 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page.
AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389).
LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update group list from LDAP server.
LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-3 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Conditions:
DNSSEC processing an unsigned referral response from DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.
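
The following Python example is added to show what "empty type bitmap" versus "contains NS" means on the wire; it is not F5 code. It implements the NSEC/NSEC3 Type Bit Maps window-block encoding from RFC 4034 section 4.1.2 (reused by NSEC3 in RFC 5155 section 3.2.1), a decoder that rejects malformed fields, and a check for the shape expected when an NSEC3 record matches an unsigned delegation: NS present, DS absent. The small RR type table is an assumption for the example and covers only the types used here.

```python
import struct

# A few RR type codes from the IANA registry, enough for the referral case
RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "DS": 43,
          "RRSIG": 46, "NSEC3": 50, "NSEC3PARAM": 51, "CAA": 257}


def encode_type_bitmap(types) -> bytes:
    """Encode a set of RR types (names or codes) in the window-block format.

    Each block is: window number (type >> 8), bitmap length (1..32), bitmap.
    The bit for a type is bit (type & 0xFF) counted from the most significant
    bit of the first octet; trailing zero octets are dropped and windows with
    no types are omitted.
    """
    windows = {}
    for t in types:
        code = RRTYPE[t] if isinstance(t, str) else int(t)
        win, low = code >> 8, code & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")
        if bitmap:
            out += struct.pack("!BB", win, len(bitmap)) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set:
    """Inverse of encode_type_bitmap; raises ValueError on a malformed field."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad bitmap length")
        for byte_idx, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (byte_idx * 8 + bit))
        i += 2 + length
    return types


def referral_bitmap_ok(bitmap: bytes) -> bool:
    """Shape expected when an NSEC3 matches an unsigned delegation:
    NS must be listed, DS must not be (the child zone is unsigned).
    An empty bitmap, the defect described above, fails this check."""
    types = decode_type_bitmap(bitmap)
    return RRTYPE["NS"] in types and RRTYPE["DS"] not in types


if __name__ == "__main__":
    print(encode_type_bitmap(["NS"]).hex())          # 000120
    print(referral_bitmap_ok(b""), referral_bitmap_ok(encode_type_bitmap(["NS"])))
```

A validator uses exactly this bitmap to decide that the delegation is insecure rather than bogus, which is why an empty bitmap is more than a cosmetic RFC deviation.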


517441-5 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
A RADIUS Acct agent is configured in an access policy, and the accounting request carries numerous attributes.

Impact:
Service becomes unavailable while the apd process restarts.

Fix:
The maximum size of a RADIUS packet is now set to 4K (4096 bytes, the RFC 2865 limit).
If the total size of the attributes is greater than 4K, the packet is truncated to 4K.
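
The following Python example is added to make the packet-size rule concrete for this entry and for 518981-2 above (Class attributes echoed in the accounting STOP); it is not F5 or apd code. It builds an RFC 2866 Accounting-Request with the RFC 2865 limits (4096-byte packet, 253-byte attribute value), computes and verifies the Request Authenticator, and enforces the limit by dropping whole attributes rather than cutting one in the middle, which would leave an unparseable tail. The shared secret, user name, session ids and Class values are constructed.

```python
import hashlib
import struct

RADIUS_MAX_LEN = 4096          # RFC 2865 section 3: upper bound of the Length field
RADIUS_HDR_LEN = 20            # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_MAX_VALUE = 253           # attribute Length is one octet and includes its 2-byte header
CODE_ACCOUNTING_REQUEST = 4    # RFC 2866
ATTR_USER_NAME, ATTR_CLASS, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 1, 25, 40, 44
ACCT_STATUS_STOP = 2


def encode_attr(atype: int, value: bytes) -> bytes:
    if len(value) > ATTR_MAX_VALUE:
        raise ValueError("attribute value too long; the sender must split it across attributes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(ident: int, secret: bytes, attrs, max_len: int = RADIUS_MAX_LEN):
    """Build an Accounting-Request, skipping any attribute that would push the
    packet past max_len. Returns (packet, dropped_attribute_count).

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    (RFC 2866 section 3).
    """
    body, dropped = b"", 0
    for atype, value in attrs:
        enc = encode_attr(atype, value)
        if RADIUS_HDR_LEN + len(body) + len(enc) > max_len:
            dropped += 1
            continue
        body += enc
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, RADIUS_HDR_LEN + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body, dropped


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Check the Length field and recompute the Request Authenticator."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    length = struct.unpack("!H", header[2:4])[0]
    if length != len(packet) or length > RADIUS_MAX_LEN:
        return False
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest() == auth


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute TLVs; a packet cut mid-attribute fails here."""
    attrs, i = [], RADIUS_HDR_LEN
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def stop_request_for_session(secret: bytes, user: bytes, session_id: bytes, class_values):
    """Accounting STOP that echoes every Class attribute the server sent, unmodified."""
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP)),
             (ATTR_ACCT_SESSION_ID, session_id)]
    attrs += [(ATTR_CLASS, c) for c in class_values]
    return build_accounting_request(7, secret, attrs)


if __name__ == "__main__":
    pkt, dropped = stop_request_for_session(b"constructed-secret", b"alice", b"sess-1",
                                            [bytes([i]) * 200 for i in range(3)])
    print(len(pkt), dropped, verify_accounting_request(pkt, b"constructed-secret"))
```

Because the identifying attributes are placed first, the ones that get dropped under pressure are the trailing Class values, which mirrors the trade-off described in 518981-2: the STOP is still delivered, but correlation by Class may be lost.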


517245-2 : A request that should be blocked was forwarded to the server

Component: Application Security Manager

Symptoms:
A request that should be blocked is forwarded to the server.

Conditions:
Both of the following conditions:
1. The request URL has a "do nothing" header content profile, OR the request is longer than the maximum buffer size while the "exceed buffer length" violation is turned off (both cases cause an ignore-payload state).
2. An iRule or session tracking is assigned to the virtual server.

Impact:
In case the request should have been blocked, it will arrive to the server.

Workaround:
N/A

Fix:
We fixed a scenario where a request that should have been blocked still reached the server.


517178-2 : BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions

Component: TMOS

Symptoms:
When the BIG-IP system is used as Service Provider with SimpleSAMLphp as Identity Provider, processing of signed artifact response messages from IdP may fail with following error: Digest of SignedInfo mismatch.

Conditions:
- BIG-IP system is configured as SP.
- Artifact binding is used for SSO.
- Artifact response message from IdP is signed.

Impact:
User SSO may not work.

Workaround:
Use POST binding instead of Artifact.

Fix:
The BIG-IP system configured as SAML Service Provider can now correctly process messages from SimpleSAMLphp, so that user SSO works as expected.


517146-1 : Log ID 01490538 may be truncated

Component: Access Policy Manager

Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".

Conditions:
Access profile snapshots are timing out and being deleted by the system.

Impact:
Most likely just corrupted log messages. A very slight chance of a crash, due to the string terminator being written to the wrong location in memory.

Workaround:
No workaround.

Fix:
Log ID 01490538 now prints correctly to /var/log/apm.


517124 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
The HTTP::retry iRule command converts its input to UTF-8. If the input is a byte array in some other encoding, bytes with the high bit set may be corrupted.

The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a Tcl byte array rather than a Tcl string. The output of some commands, e.g. HTTP::payload, is a byte array. Strings are in UTF-8 format; byte arrays are not.

Impact:
Non-ASCII characters may be corrupted when HTTP::retry is used.

Fix:
The HTTP::retry command no longer corrupts input that is not in UTF-8 format.


517083-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching.

As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with virtual servers that were originally specified on a pre-folder-aware version of BIG-IP, such as 10.2.x.

When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool.

This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


517019-1 : AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect

Component: Advanced Firewall Manager

Symptoms:
AVR sometimes detects the incorrect BIG-IP module that created a response to an HTTP transaction.

Conditions:
Using the AVR HTTP profile or Application DoS, with a transaction that was responded to by a BIG-IP module such as DoS, Cache, iRules, and so on.

Impact:
1. AVR reports an incorrect module.
2. Application DoS uses this information for its decisions, and thus can choose a mitigation action different from the desired one.

Workaround:
None.

Fix:
The detection of the internal module is done correctly, so that the correct mitigation action is chosen.


516839-3 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Fix:
Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.


516685-2 : ZoneRunner might fail to load valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.

Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.


516680-2 : ZoneRunner might fail when loading valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.

Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.


516669-1 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


516618-5 : glibc vulnerability CVE-2013-7424

Vulnerability Solution Article: SOL16472


516598-1 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.

Fix:
Multiple TCP keepalive timers are no longer started for the same FastL4 flow.


516523-2 : Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
ASM is only supposed to request a Full Sync if there has been a Manual Full Sync request, or if an incremental / auto sync indicates that the state is inconsistent with that of its peers.

The system was mistakenly requesting a Full Sync on every config change in an Auto-Sync, Full Sync group even when it was in a consistent state.

Conditions:
A Device Group is configured with Auto-Sync, Full Sync, and ASM enabled.

Impact:
Noise on the network, extra CPU usage, Policy Builder restarting on receiving peer.

Workaround:
Disable "Full Sync" on the device group

Fix:
The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.


516522-1 : After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Component: Application Security Manager

Symptoms:
After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Conditions:
1) ASM is provisioned and there is a redirect URL configured on any pre-11.4.x.
2) Upgrade to 11.4.x, 11.5.3, or 11.6.0. This does not occur in 11.5.4, 11.6.1, or 12.0.0 and beyond.

Impact:
The configured redirect URL location is empty.

Workaround:
None.

Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x through 12.0.0.


516462-2 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.

Impact:
Excluded address space routes are not applied.

Fix:
The cause of this issue has been fixed; excluded address space routes are now applied correctly even when a client machine roams between networks.


516408-1 : SSL reports certificate verification OK even when verification returns failure for pcm=request.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is configured as request, even if the certificate is invalid (certificate verification returns failure), SSL returns OK.

Conditions:
Client authentication is configured with pcm=request.

Impact:
SSL returns the incorrect verification result.

Workaround:
None.

Fix:
When client authentication is configured with peer certificate mode (PCM) set to request, SSL now returns the correct verification result. Note that in request mode an invalid client certificate does not by itself terminate the handshake; any access decision must explicitly consult the verification result.


516320-2 : TMM may have a CPU spike if match across persistence is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike.
A few (very few) connections may fail.

Conditions:
1) Match across persistence is used.
2) Long idle time out makes the symptom worse.
3) Persist HA makes the symptom worse.

Impact:
TMM may have a CPU spike.
A few (very few) connections may fail.

Workaround:
Avoid using match across persistence.

Fix:
Match across persistence no longer causes CPU spike.


516292-1 : Incorrect handling of repeated headers

Component: Local Traffic Manager

Symptoms:
If an HTTP/2 request forwarded to an HTTP/1.1 server produces a response in which the same header occurs more than once, the HTTP/2 response is encoded incorrectly and cannot be processed by the HTTP/2 browser.

Conditions:
Responses that contain the same header (with possibly different values) more than once.

Impact:
Browsers fail to process responses.

Workaround:
For the Set-Cookie header there is no workaround, because each cookie requires its own header. For other headers, an iRule could potentially be used to concatenate the values of repeated headers.

Fix:
The HTTP/2 protocol handling now correctly encodes repeated headers.


516179-1 : Woodside falsely detects congestion

Component: Local Traffic Manager

Symptoms:
The Woodside TCP congestion control algorithm falsely detects congestion and might reduce its own performance.

Conditions:
High-bandwidth, low-delay connections (i.e., a large congestion window).

Impact:
Performance impact when using the Woodside congestion control algorithm, and TMM might crash.

Workaround:
Use a TCP profile Congestion Control other than Woodside.

Fix:
The Woodside congestion control algorithm now correctly detects congestion without false alarms.


516075-6 : Linux command line client fails with on-demand cert

Component: Access Policy Manager

Symptoms:
Linux command line client fails with On-Demand Cert Auth.

Conditions:
End user needs to be running Linux command line client and the On-Demand Cert Auth agent.

Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.

Workaround:
none

Fix:
Linux command line client works with On-Demand Cert Auth now.


516073 : Revised AWS Setup Guide

Component: TMOS

Symptoms:
tmsh is now the default shell for AWS VE.
Documentation revised to remove "tmsh" from all tmsh command line entries.

Conditions:
Log in to an SSH session with the AWS VE. Initiate any tmsh command by starting the entry with "tmsh."

The result is a syntax error.

Impact:
No tmsh commands can be executed. Without the ability to revise the AWS virtual machine (VM) password using tmsh, the VM can not be used.

Workaround:
Omit the word "tmsh" from command entries.

Fix:
Documentation revised to clarify tmsh command entries.


516057-3 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash.

If there are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in
progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515943-2 : "Session variables" report may show empty if session variable value contains non-English characters

Component: Access Policy Manager

Symptoms:
"Session variables" report may show empty if session variable value contains non-English characters

Conditions:
For active session only.

Impact:
User cannot see the Session Variable information for active session.

Workaround:
Use English characters for network configuration, such as host name, user name...

Fix:
"Session variables" report shows correct information for any language characters.


515817-2 : TMM may not reset connection when receiving an ICMP error

Component: Local Traffic Manager

Symptoms:
Connection is not reset after receiving an ICMP error

Conditions:
TMM receives an ICMP error after sending a TCP/SYN on a FastL4 virtual

Impact:
Delayed shutdown of connection

Fix:
TMM will now reset FastL4 connections when receiving an ICMP error in response to TCP/SYN.


515797-1 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.

Fix:
qos_score command is disallowed in RULE_INIT event.


515667-4 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system truncates an SNMP OID to stay within the maximum OID length of 128 sub-identifiers, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String type index attributes with values lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.
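
The following Python example is added to show why naive truncation collides and what a stable checksum suffix buys; it is not F5 code, and the checksum F5 uses is not described above. It assumes the SMIv2 encoding of a variable-length string index (length sub-identifier followed by one sub-identifier per octet), the 128 sub-identifier limit from RFC 2578, a hypothetical table column base OID, and CRC32 as the example checksum (a 32-bit value fits in one sub-identifier). The long object names are constructed.

```python
import zlib

MAX_SUBIDS = 128  # RFC 2578 section 3.5: an OID has at most 128 sub-identifiers

# Hypothetical table column OID, assumed only to anchor the example
BASE_OID = (1, 3, 6, 1, 4, 1, 99999, 1, 1)


def string_index(name: bytes) -> list:
    """SMIv2 encoding of a variable-length OCTET STRING index: length, then each octet."""
    return [len(name)] + list(name)


def naive_oid(name: bytes, base=BASE_OID, max_subids=MAX_SUBIDS) -> tuple:
    """Pre-fix behaviour: keep the first 128 sub-identifiers. Two long names that
    share a prefix (and a length) collapse onto the same OID, so a get on one
    can return or set the other row."""
    return tuple(list(base) + string_index(name))[:max_subids]


def stable_oid(name: bytes, base=BASE_OID, max_subids=MAX_SUBIDS) -> tuple:
    """Truncate, but reserve the final sub-identifier for a CRC32 of the full name.

    The checksum differs between names that share a truncated prefix and is
    identical on every query, so get, get-next and set land on the same row.
    Short names are left untouched.
    """
    full = list(base) + string_index(name)
    if len(full) <= max_subids:
        return tuple(full)
    checksum = zlib.crc32(name) & 0xFFFFFFFF
    return tuple(full[:max_subids - 1] + [checksum])


def oid_to_str(oid) -> str:
    return ".".join(str(s) for s in oid)


# Constructed names long enough to overflow 128 sub-identifiers; they differ only at the end.
LONG_A = b"/Common/" + b"pool-" * 24 + b"-alpha"
LONG_B = b"/Common/" + b"pool-" * 24 + b"-bravo"

if __name__ == "__main__":
    print(oid_to_str(naive_oid(LONG_A)) == oid_to_str(naive_oid(LONG_B)))   # True: collision
    print(oid_to_str(stable_oid(LONG_A)) == oid_to_str(stable_oid(LONG_B)))  # False: unique
```

The workaround in this entry (shorten the configured names) avoids the truncation path altogether; the checksum suffix only matters for names that cannot be shortened.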


515646-1 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG VS with CGNAT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when multiple PPTP calls arrive from the same client.


515638 : 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled, and URL inputs cannot be categorized by the local Webroot database managed on the BIG-IP system because the URLs contain a mix of upper/lowercase characters, there may be 5% drop in the Webroot cloud lookup performance.

Conditions:
Webroot cloud lookup is enabled, and all URLs are unknown to the local database and consist of a mix of upper/lowercase letters.

Impact:
There could be a 5% drop in Webroot cloud lookup performance in this case. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been fixed by improving/optimizing URL normalization prior to Webroot cloud lookup.


515562-1 : Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.

Component: Advanced Firewall Manager

Symptoms:
When AFM is not licensed or provisioned, the user might still be able to enable Sweep and Flood.

Conditions:
Enable a Sweep and Flood vector when AFM is not licensed or provisioned.

Impact:
TMM might crash.

Workaround:
Avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned

Fix:
Sweep and Flood may crash if it is enabled when AFM is not licensed or provisioned; avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned.


515482 : Multiple teardown conditions can cause crash

Component: Local Traffic Manager

Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.

Conditions:
(1) An iRule or other cross-layer message can trigger an ABORT after teardown.

(2) The TCP profile has settings that invoke the correct TCP implementation:
(a) 11.5.x: mptcp is enabled
(b) 11.6.x: mptcp, rate-pace, or tail-loss-probe are enabled, OR TCP uses Vegas, Illinois, Woodside, CHD, CDG, Cubic, or Westwood congestion control.

Impact:
TMM crashes.

Workaround:
Suspend iRules with this behavior.

Fix:
When receiving ABORT commands, TCP catches cases where the connection is already closed.


515449-1 : bd agent listens on all addresses instead of the localhost only

Component: Application Security Manager

Symptoms:
bd agent listens on all addresses instead of the localhost only.

Conditions:
ASM provisioned.

Impact:
bd agent might crash in response to a simple telnet request from an external connection.

Workaround:
None.

Fix:
bd agent now listens on localhost only.


515433-1 : BD crash on specific signature sets configuration.

Component: Application Security Manager

Symptoms:
A BD crash, failover and/or traffic interruption.

Conditions:
Two different signature sets with different sizes (i.e., number of signatures in a set) are assigned to two different security policies. The issue relates to a scenario in which traffic generates a lot of violations, staging, or suggestions.

Impact:
A BD crash, a failover, and/or traffic interruption.

Workaround:
Assign the same set(s) to all the security policies.

Fix:
The crash related to this signature-set configuration has been fixed.


515387 : Update EPSEC package to latest verified in 11.6.0 branch

Component: Access Policy Manager

Symptoms:
The EPSEC package was out of date and has been updated to the latest verified version.

Impact:
With the old EPSEC package, some endpoint security checks (such as machine certificate, antivirus, and firewall checks) might fail.

Fix:
The 11.6.0 branch now contains the most recent verified EPSEC package.


515345-1 : NTP Vulnerability

Vulnerability Solution Article: SOL16505


515322-1 : Intermittent TMM core when using DNS cache with forward zones

Component: Local Traffic Manager

Symptoms:
TMM can intermittently crash when using the DNS cache resolver.

Conditions:
When a DNS cache configuration is removed, there are conditions under which a reference count is not managed properly, so memory can be freed before its last user is done with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
TMM will no longer intermittently core when using the DNS cache resolver.


515190-2 : Event Logs -> Brute Force Attacks can't show details after navigating to another page

Component: Application Security Manager

Symptoms:
After using the pagination mechanism on the Brute Force Attacks screen, the user is unable to open the attack details.

Conditions:
Navigate to another page on Event Logs -> Brute Force Attacks

Impact:
The user is unable to see the brute force attack details.

Workaround:
N/A

Fix:
The pagination mechanism was fixed on the Brute Force Attacks screen.


515187-2 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.

Component: Advanced Firewall Manager

Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.

Conditions:
AFM provisioned and licensed.

Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.

Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.

Workaround:
None

Fix:
ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.


515112-1 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.

Fix:
Certain allocations are no longer delayed. Delayed allocations which fail retry with smaller sizes, possibly reducing performance.


515072-4 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
A pool member is now made eligible for load balancing again if it is no longer connection-limited after its connection limit is modified.


515033 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.


515030-1 : [ZRD] A memory leak in Zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.


514912-3 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If an HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into that page. If there was no other reason to include them, these scripts were not inserted.

Conditions:
An HTML page that contains a form with an absolute action path, for instance:

<form action="/cgi-bin/a.cgi">
</form>

Impact:
The form cannot be submitted because the browser raises a JavaScript error.

Workaround:
An iRule can be used to insert the Portal Access scripts into the rewritten HTML page.

Fix:
Portal Access scripts are now inserted into an HTML page if it contains forms with absolute action paths.


514838-1 : TMM Crash on Relative URL

Component: WebAccelerator

Symptoms:
When a relative path that starts with ../ is presented to WAM, the code that attempts to rewrite the URL into an absolute, regular form potentially causes TMM to crash.

Conditions:
AAM profile on VIP.

Impact:
Temporary outage while TMM restarts.

Workaround:
An iRule that removes or rewrites the relative URL path so that it is non-relative, or at least starts with a forward slash, protects WAM from this issue.
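The following iRule is an added example of such a workaround; it is not part of this release note or of F5's own code. It assumes it is attached to the AAM-enabled virtual server (with an HTTP profile) and normalises the request path before WAM sees it: a path that does not start with "/" is rooted, and "." and ".." segments are resolved following the RFC 3986 remove_dot_segments algorithm, so parent-directory references never reach the rewriting code.

```tcl
# Added example (not F5's own code): normalise relative request paths and
# resolve dot segments before WAM/AAM processes the request.
# Assumes the iRule is attached to the AAM-enabled virtual server.
when HTTP_REQUEST {
    set path [HTTP::path]

    # Fast path: already absolute and free of dot segments, nothing to do.
    if { [string index $path 0] eq "/" && [string first "/.." $path] == -1 && [string first "/./" $path] == -1 } {
        return
    }

    # RFC 3986 remove_dot_segments: walk the segments, dropping "." (and empty
    # segments from doubled slashes) and popping the previous segment on "..".
    # A ".." that would climb above the root is discarded rather than kept.
    set out [list]
    foreach seg [split [string trimleft $path "/"] "/"] {
        switch -- $seg {
            "." - "" { }
            ".." { if { [llength $out] > 0 } { set out [lrange $out 0 end-1] } }
            default { lappend out $seg }
        }
    }
    set clean "/[join $out "/"]"

    # Keep a trailing slash so "/a/b/" is not turned into "/a/b".
    if { [string index $path end] eq "/" && $clean ne "/" } {
        append clean "/"
    }

    if { $clean ne $path } {
        # "../../x" becomes "/x"; "a/./b" becomes "/a/b"
        log local0.info "Normalised request path '$path' to '$clean' from [IP::client_addr]"
        HTTP::path $clean
    }
}
```

The log line makes traffic that triggered the rewrite visible in /var/log/ltm, which is useful for spotting clients that send malformed request lines deliberately.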

Fix:
Relative paths that do not start with a forward slash but include parent-directory references are now handled without crashing TMM.


514785-2 : TMM crash when processing AAM-optimized video URLs

Component: WebAccelerator

Symptoms:
TMM might crash when processing HTTP requests for certain types of AAM-optimized videos.

Conditions:
AAM-enabled VIP with video optimization and IBR enabled by AAM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable AAM processing of AAM-optimized video URLs.

Fix:
TMM no longer crashes when processing HTTP requests for certain types of AAM-optimized videos.


514726-4 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion when using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers, using the client's IP address as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514724-1 : crypto-failsafe fail condition not cleared when crypto device restored

Component: TMOS

Symptoms:
If a crypto device fails, the crypto-failsafe fail condition will not be cleared when the crypto device is restored.

Conditions:
This issue affects systems with failed crypto devices that are restored.

Impact:
In an HA pair, the failing unit fails over, but it then stays down even after the crypto device is restored.

Workaround:
To restore the crypto-failsafe HA fail status, restart tmm by issuing a 'bigstart restart tmm'. Note that on a VIPRION system, this command must be run on the appropriate blade.

Fix:
When the crypto device is restored, the crypto-failsafe HA status is now cleared from the fail state.


514636-1 : SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.

Component: Access Policy Manager

Symptoms:
When accessing HTTPS websites (via SWG) that present a certificate without a CN in the subject, a TMM crash occurs.

Conditions:
SWG explicit or transparent proxy using Category Lookup in the per-request access policy with Subject.CN as input. The crash only happens when accessing a site that has no CN in the Certificate's subject - this is not a common condition.

Impact:
This results in a TMM crash and failover.

Workaround:
Use Category lookup with SNI as input.

Fix:
When Category Lookup is configured to use Subject.CN as input, if the certificate subject does not contain a CN, APM processes the error correctly by logging an error.


514604-1 : Nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free of the Nexthop object may cause memory corruption or tmm core.

Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


514521 : Rare TMM Cores with TCP SACK and Early Retransmit

Component: Local Traffic Manager

Symptoms:
In certain isolated cases, TCP profiles with Early Retransmit and SACK enabled will cause a TMM Crash.

Conditions:
The connection is not in fast recovery but a SACK hole has been retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable Early Retransmit in the TCP profile.

Fix:
Early retransmit now handles corner cases where the SACK scoreboard is empty.


514450-4 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.

Component: TMOS

Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.

Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.

Impact:
This issue could impact traffic forwarding in VXLAN tunnels.

Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.

Fix:
This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.


514277-1 : Provide a way to enable connection bar for Citrix desktops only

Component: Access Policy Manager

Symptoms:
When the connection bar is enabled via Custom Parameters in a Citrix resource, it is applied to both applications and desktops.

Conditions:
APM is configured for Citrix replacement mode and connection bar is enabled via Custom Parameters in a Citrix resource.

Impact:
Connection bar is displayed for applications where it may not be needed.

Fix:
APM now enables the connection bar for Citrix desktops by default. This can be disabled by specifying ConnectionBar=0 in the Custom Parameters of the Citrix Remote Desktop resource.


514246-3 : connflow_precise_check_begin does not check for NULL

Component: Local Traffic Manager

Symptoms:
connflow_precise_check_begin does not check its parameters for NULL, while hudproxy calls connflow_precise_check_begin with NULL parameters in many places.

Conditions:
Connection Rate Limit is configured

Impact:
This leads to a NULL pointer dereference and a subsequent TMM crash.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the NULL pointer dereference in connflow_precise_check_begin.


514236-1 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met:

-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use only one utility, either the Configuration utility or tmsh, to create and modify the IP addresses of a BIG-IP DNS (GTM) server object; do not mix the two.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514220-1 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
Newer iOS-based VPN client does not provide MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from getting established.

Conditions:
It affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.

Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.


514216 : Internal unit test issue found by F5 testing prior to release.

Component: Local Traffic Manager

Symptoms:
Internal unit test fails, catching an issue with SPDY.

Impact:
Unable to compile TMM.

Workaround:
None

Fix:
Resolve an internal build issue found by F5 testing before release.


514117-1 : Store source port higher than 32767 in Request Log record

Component: Application Security Manager

Symptoms:
Any Request Log record for a request with a source port higher than 32767 records the source port as 32767.

Conditions:
The source port of the request is higher than 32767.

Impact:
The Request Log record has the wrong source port if the source port value is higher than 32767.

Workaround:
None.

Fix:
The Request log record now gets the correct source port even when the source port value of the request is higher than 32767.


514108-1 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
This is related to tmm running out of memory while configured with TSO, on BIG-IP or VIPRION platforms which implement the HSB (High Speed Bridge) device in hardware.

This problem may occur on all currently-supported BIG-IP or VIPRION platforms EXCEPT the following:
BIG-IP 2000-/4000-series appliances.
BIG-IP 1600, 3600 appliances.

Impact:
TMM posts the assert message: packet is locked by a driver, then crashes.

Workaround:
Disable TSO (for more information, see SOL15609: Overview of TCP Segmentation Offload, available here: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15609.html):

To enable or disable TSO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcpsegmentationoffload value <enable | disable>

Note: After modifying the tm.tcpsegmentationoffload database variable, you must restart the TMM daemon by running the bigstart restart tmm command. Restarting TMM temporarily interrupts traffic processing. F5 recommends running this command only during a maintenance window.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


514093-1 : Allow request logs to be filtered by destination IP

Component: Application Security Manager

Symptoms:
Request Log: Missing useful filter by Destination IP.

Impact:
Missing a useful filter.

Fix:
Filter by Destination IP was added to the Request log.


513969-3 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.

Conditions:
Current user is non-limited.
Machine Cert Check service is running.
User tries to pass Access Policy.

Impact:
Non-limited user has to press 'ok' in UAC window.

Fix:
The Machine Certificate Check service is now used for certificate verification even for non-limited users.


513953-1 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes.

Conditions:
The response from the backend server is bigger than 2048 bytes.

Impact:
The RADIUS Auth/Acct agent fails.

Fix:
Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.


513916-5 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.


513822-1 : ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page

Component: Application Security Manager

Symptoms:
When setting the responseActionType, such as "default" or "soap-fault", to a value that has an expected related unmodifiable responseContent value, the expected responseContent is not set.
As a result an empty response page is returned when ASM blocks a request.

Conditions:
Via ASM REST a client changes the responseActionType from "custom" to "default" or "soap-fault".

Impact:
An empty response page is returned when ASM blocks a request.

Workaround:
The alternate response body can be set explicitly via REST.

Fix:
Expected responseContent is now set when changing responseActionType to a static content type like "default" or "soap-fault" using ASM REST.


513795-1 : HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1

Component: Access Policy Manager

Symptoms:
When Horizon v6.1 is deployed using an APM Full webtop, the option to launch the View HTML5 client is missing.

Conditions:
VMware Horizon and VMware View agents have been upgraded to v6.1 (v3.4 for clients) or a new v6.1 deployment.

Impact:
Users are not able to use HTML5 View client to launch View remote desktops from an APM full webtop.

Workaround:
Alternative access methods are available as a temporary workaround to provide access for Horizon users. Administrators can have users use the native VMware View clients instead of the APM full webtop with the HTML5 View client.

Fix:
Starting with release v6.1 of VMware Horizon, the public API that APM uses for integration with View Connection Server has changed.

This caused an issue where the View HTML5 client was no longer available to launch View desktops when deployed on an APM Full Webtop.

The option to launch a View HTML5 client is now available again on the APM Full Webtop.


513763 : Slow response from GUI when listing Event Logs

Component: Application Security Manager

Symptoms:
Slow GUI performance in Request Log for Internet Explorer browser.

Conditions:
Internet Explorer 8 through 11 is used.

Impact:
Slow GUI performance in Request Log for Internet Explorer browser.

Workaround:
You can remove all IP address columns from the Request Log configuration, or reduce the number of entries per page.

Fix:
GeoIP tooltip library rewritten to improve performance in all browsers.


513706-2 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
After Network Access disconnects, the metric of the default route differs from the metric it had before Network Access connected.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.

Workaround:
Disable and enable the network adapter.

Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.


513646-1 : APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer

Component: Access Policy Manager

Symptoms:
APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer.

Conditions:
APM(ACCESS)/SWG.

Impact:
This results in rare TMM crashes/cores. The backtrace from such cores usually points to the timer.

Fix:
APM(ACCESS)/SWG filter operation no longer results in orphaned timers.


513565-1 : AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.

Component: Advanced Firewall Manager

Symptoms:
Existing flows are not re-evaluated against Virtual Server AFM policies in Kill-on-the-fly if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.

Conditions:
AFM provisioned and licensed.

Have a Global (or Route Domain) AFM rule with action = Accept Decisively and also have a virtual server AFM rule.

Initial flow will be allowed due to global AFM rule action being Accept-decisively and will not be matched against Virtual Server Rule.

Now, modify the global AFM rule action to Accept. This should trigger Kill-on-the-fly to re-evaluate all existing flows against AFM policies.

Impact:
Existing flows bypass Virtual Server AFM Policy match evaluation in the sweeper under the conditions specified above.

Workaround:
None

Fix:
With this fix, existing flows will be evaluated against virtual server ACL policy if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.


513545-1 : '-decode' option produce incorrect value when it decodes a single value

Component: Access Policy Manager

Symptoms:
When a session variable set by the AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option of the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as 0xABCD).

Conditions:
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value.

Impact:
As a result, the access policy does not follow the expected branch rule.

Workaround:
While decoding a single value, the mcget command produces a result of the form EncodedValueDecodedValue. For example, for the encoded string 0x616161, the result of the operation is 616161aaa.

It is possible to write a Tcl expression in the Variable Assign agent that truncates the left half of the string and leaves aaa, the decoded value only.
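The following custom expression for a Variable Assign agent is an added example of that workaround; it is not part of this release note or of F5's own code. It assumes the AD/LDAP module stored one HEX-encoded value in the hypothetical session variable session.ad.last.attr.department. Because every decoded byte corresponds to two hex characters, the buggy single-value result is always hex prefix plus decoded text in a 2:1 ratio, so the decoded text is the last third of the string; the expression also verifies that the hex prefix really decodes to that suffix before trusting it, and passes multi-value results (which decode correctly) through unchanged.

```tcl
# Added example (not F5's own code): Variable Assign custom expression that
# recovers the decoded value from the buggy single-value "-decode" output.
# Assumes the hypothetical variable session.ad.last.attr.department holds
# one HEX-encoded value written by the AD/LDAP module.
set raw [mcget -decode {session.ad.last.attr.department}]

# Multi-value results are pipe-delimited and are decoded correctly already.
if { [string first "|" $raw] != -1 } {
    return $raw
}

# Drop an optional "0x" prefix. The defective result looks like
# "616161aaa" for 0x616161: 2n hex characters followed by n decoded characters.
set v [regsub {^0[xX]} $raw ""]
set n [expr {[string length $v] / 3}]
set hex [string range $v 0 [expr {2 * $n - 1}]]
set dec [string range $v [expr {2 * $n}] end]

# Sanity check: the hex prefix must decode to exactly the trailing text.
# If it does not, the value was not in the buggy form; return it unchanged
# rather than silently truncating it.
if { $n == 0 || [binary format H* $hex] ne $dec } {
    return $raw
}

# "aaa" for the 0x616161 example above
return $dec
```

Assign the expression's result to a new session variable (for example a hypothetical session.custom.department) and use that variable in the branch rule, rather than the raw -decode output.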

Fix:
The -decode option works as expected for single-value and multi-value session variables.


513464-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching.

As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder aware version of BIGIP, such as 10.2.x.

When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool.

This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


513454-3 : An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.

Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.

Fix:
Internal query data is now cached to optimize statistical queries.


513403-1 : TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.

Component: Advanced Firewall Manager

Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.

Conditions:
This might occur in the following configuration:
-- AFM Rule Logging is enabled and Log Translations is enabled in the Log Profile.
-- Server-side AVR Statistics collection is enabled under Security :: Reporting.
-- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at the Global and Route Domain contexts.

Impact:
TMM crashes (assert). Traffic disruption due to TMM process crashing.

Workaround:
Disabling log-translations in AFM Logging Profile configuration can prevent the TMM crash for these types of ICMP packets.

Fix:
TMM crash (assert) for certain ICMP packets when classified by AFM and logging is enabled with log-translations has been fixed.


513382-1 : Resolution of multiple OpenSSL vulnerabilities

Vulnerability Solution Article: SOL16317


513294-8 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to an over-temperature condition, the name of the sensor that triggered the shutdown does not display.
2. Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH will detect an under voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. Unable to configure the AOM address using DHCP.
3. There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.

Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
The LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances resolves these issues.


513283-1 : Mac Edge Client doesnt send client data if access policy expired

Component: Access Policy Manager

Symptoms:
If an access policy expires (for example, if a user took too long to enter a password), BIG-IP Edge Client displays a new page with the link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as a browser by BIG-IP APM.

Conditions:
Edge Client for Mac, access policy expires.

Impact:
Edge Client is detected as a browser.

Workaround:
Click the Disconnect button and then the Connect button on Edge Client.

Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on the access policy expired page.


513243-1 : Improper processing of crypto error condition might cause memory issues.

Component: Local Traffic Manager

Symptoms:
Improper processing of a crypto error condition might cause memory issues.

Conditions:
Error when processing certain crypto commands.

Impact:
The error might cause TMM to crash.

Workaround:
None.

Fix:
If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected.


513215 : Only one of the TMMs loads the classification library after an IM package upgrade

Component: Traffic Classification Engine

Symptoms:
Not all traffic is processed by the classification library from the newly installed IM package.
Flows that go through a TMM that did not load the new library continue to be classified by the old library.

Impact:
Possible misclassification of some of the flows since they will be processed by the old library.

Workaround:
Run the following command after the upgrade:
bigstart restart tmm

Fix:
The fix addresses the problem by loading the library on all TMMs.


513201-6 : Edge client is missing localization of some English text in Japanese locale

Component: Access Policy Manager

Symptoms:
Edge Client is missing localization of some English text in Japanese locale.

Conditions:
Edge Client in the Japanese locale.

Impact:
Edge Client shows some text in English.

Fix:
BIG-IP Edge Client is correctly localized for Japanese locale.


513098-1 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Fix:
Orphaned dynamic user records are now correctly deleted.


513034-1 : TMM may crash if Fast L4 virtual server has fragmented packets

Vulnerability Solution Article: SOL17155


512999-1 : LDAP Query may fail if user belongs to a group from foreign domain

Component: Access Policy Manager

Symptoms:
LDAP Query might fail if a user belongs to a group from a foreign domain.

Conditions:
This occurs when LDAP Query is configured with the option Fetch groups to which the user or group belong, and the user belongs to a group from a foreign domain.

Impact:
Login fails. LDAP Query fails with error: Referral, 0000202B: RefErr: DSID-03100747, data 0, 1 access points ref 1: 'example.domain'.

Workaround:
None.

Fix:
The system no longer tries to resolve group membership if the group belongs to a foreign domain.


512734 : Socket error when Webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under stress load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the wr_urldbd daemon may return the socket error 'EAI_AGAIN error'. As a result, some of the Webroot cloud lookups are not performed, and relevant URLs are categorized as UNKNOWN.
After a large number of cloud lookups, the daemon runs out of sockets. The cloud queries do not go through. URLs get categorized as UNKNOWN.

Conditions:
Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
Due to the socket error under stress load for Webroot cloud lookups, relevant URLs could be categorized as UNKNOWN. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
This issue has been fixed by releasing sockets properly, so that wr_urldbd recovers from temporary socket exhaustion.


512668-1 : ASM REST: Unable to Configure Clickjacking Protection via REST

Component: Application Security Manager

Symptoms:
The REST API for URLs was missing a field for Clickjacking Protection configuration.
When trying to configure that Rendering in Frames should only be allowed from a single URL, there is no field to specify that URL.

Conditions:
REST API is being used to configure Clickjacking Protection for URLs.

Impact:
A REST API client is unable to correctly configure protection that is meant to only be allowed from a specified URL.

Workaround:
Configure via GUI instead of REST.

Fix:
We added this missing field for REST to specify the "only-from" clickjacking URL: "allowRenderingInFramesOnlyFrom".


512663 : Added urlcatblindquery iRule command

Component: Policy Enforcement Manager

Symptoms:
Existing PEM customers needed the ability to query the encrypted customDB using an iRule command. When the urlcatblindquery iRule command is used, PEM does not try to parse the input; instead, it allows direct queries against the customDB and categorizes the input accordingly.

Conditions:
This is a special enhancement that only applies when the new urlcatblindquery iRule command is specified by a PEM customer who needs it.

Impact:
This has no impact on existing PEM URL Categorization features and their behavior.

Fix:
The new iRule command, urlcatblindquery, is added to support existing customer use cases.


512616-1 : BD crash during brute force attack on cluster environment

Component: Application Security Manager

Symptoms:
A BD crash happens when there is a brute force attack on a blade environment.

Conditions:
Brute force attack, blade environment.

Impact:
BD crash, traffic sessions reset, failover.

Workaround:
N/A

Fix:
The blade system no longer experiences a BD crash when a brute force attack happens.


512609 : Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses

Component: Advanced Firewall Manager

Symptoms:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) matches any IPv6 traffic which is correct, but also matches any IPv4 traffic which is incorrect.

Conditions:
Network Firewall Rule with wildcard IPv6 source or destination address ::/0 or 0::0/0.

Impact:
IPv4 traffic matches the IPv6 wildcard rule.

Workaround:
None

Fix:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.
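As an added illustration (not F5 code), the following Python models the matching defect described above beside the corrected behaviour: a zero-length IPv6 prefix must cover only IPv6 addresses. The rule set, addresses and the pre-fix matcher are constructed for this example; the security-relevant consequence it shows is that an "accept ::/0" rule silently admits IPv4 traffic that should have fallen through to the implicit drop.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str      # source prefix, e.g. "::/0" or "10.0.0.0/8"
    dst: str      # destination prefix
    action: str   # "accept" or "reject"


def prefix_matches_pre_fix(prefix, addr):
    """Constructed model of the pre-fix behaviour: a zero-length prefix is taken
    as 'any address' before the address family is considered, so ::/0 (or 0::0/0)
    also swallows IPv4 traffic."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return True
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def prefix_matches_fixed(prefix, addr):
    """Correct behaviour: compare address families first, so ::/0 covers only
    IPv6 and 0.0.0.0/0 covers only IPv4. (Python's `in` already returns False
    across families; the explicit check documents the requirement.)"""
    net = ipaddress.ip_network(prefix, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip.version != net.version:
        return False
    return ip in net


def first_match(rules, src, dst, matcher):
    """First-match evaluation; None means no rule matched (implicit drop here)."""
    for rule in rules:
        if matcher(rule.src, src) and matcher(rule.dst, dst):
            return rule
    return None


# Constructed policy: IPv6 is fully trusted on this segment, IPv4 only from 10/8.
RULES = [
    Rule("allow-ipv6-any", "::/0", "0::0/0", "accept"),
    Rule("allow-ipv4-clients", "10.0.0.0/8", "192.0.2.0/24", "accept"),
]


def evaluate(src, dst, matcher):
    """Name of the matching rule, or 'drop' when nothing matched."""
    rule = first_match(RULES, src, dst, matcher)
    return rule.name if rule else "drop"


if __name__ == "__main__":
    # An unexpected IPv4 source: the pre-fix matcher lets it through on the IPv6 rule.
    print(evaluate("203.0.113.5", "192.0.2.10", prefix_matches_pre_fix))  # allow-ipv6-any
    print(evaluate("203.0.113.5", "192.0.2.10", prefix_matches_fixed))    # drop
```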


512490-3 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using a FastL4 profile with connection mirroring takes longer than in previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.

Fix:
The Nagle algorithm is now disabled on the TCP/HA profile to improve performance.


512485-3 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding

Component: TMOS

Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.

Conditions:
This affects deployments with three or more VXLAN endpoints.

Impact:
The introduction of an additional hop adds unnecessary latency.

Fix:
In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.


512383-3 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server.
2) PVA-acceleration enabled.

This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented even though there are no active PVA flows.

This can also occur when LTM gets ICMP unreachable messages from the serverside.

Impact:
Stats counts for the Fast L4 virtual server, the curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If hardware SYN cookie protection is on, SYN cookie protection might be activated when it should not be.

Workaround:
None.

Fix:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.


512378-1 : Changing per request policy in the middle of data traffic can cause TMM to crash

Component: Access Policy Manager

Symptoms:
Changing a per-request policy while the BIG-IP system is serving user requests can cause TMM to restart. TMM services are unavailable until TMM is back.

Conditions:
An administrator changes the per-request policy while TMM is serving user requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change the per-request policy in a planned maintenance window when no user traffic is expected.

Fix:
TMM no longer crashes, and an administrator can change the per-request policy at any time.


512345-2 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512245-7 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
The machine certificate agent checker on the client might extract the wrong certificate based on LocalHostName if it is not the same as the hostname. The machine certificate agent checker might fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail.

Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.


512148-1 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route.

Conditions:
The self IP address' VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


512062-2 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero

Component: Local Traffic Manager

Symptoms:
The BIG-IP system drops SCTP INIT multi-homing messages with checksum 0x00000000.

Conditions:
This occurs when the SCTP packet's verification tag is 0x00000000 and the checksum also is 0x00000000.

Impact:
System drops these SCTP packets.

Workaround:
None.

Fix:
Added a db variable to disable verification of SCTP checksum when ingress packet's checksum is zero. The current default behavior is not changed if this db variable is not enabled.
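To make the trade-off concrete, here is an added Python model (not F5 code) of SCTP CRC32c verification with an opt-in zero-checksum exception standing in for the db variable described above. The INIT packet, port numbers and tag values are constructed; the little-endian placement of the checksum follows RFC 4960 Appendix B as this example understands it.

```python
import struct


def _crc32c_table():
    poly = 0x82F63B78          # reflected CRC32c (Castagnoli) polynomial
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32c_table()


def crc32c(data):
    """CRC32c as used by SCTP (init 0xFFFFFFFF, reflected, final XOR)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


COMMON_HEADER_LEN = 12             # src port, dst port, verification tag, checksum
SCTP_HDR = struct.Struct("!HHI")   # the first three fields; checksum follows


def sctp_checksum(packet):
    """CRC32c over the whole packet with the checksum field zeroed."""
    zeroed = packet[:8] + b"\x00" * 4 + packet[12:]
    return crc32c(zeroed)


def fill_checksum(packet):
    """Return the packet with a correct checksum in the common header."""
    return packet[:8] + sctp_checksum(packet).to_bytes(4, "little") + packet[12:]


def verify_sctp(packet, accept_zero_checksum=False):
    """Return True if the packet passes the integrity check.
    accept_zero_checksum models the db variable from the note: when set, a
    packet whose checksum field is 0x00000000 is passed without verification,
    so corruption in such packets is no longer detected."""
    if len(packet) < COMMON_HEADER_LEN:
        return False
    stored = int.from_bytes(packet[8:12], "little")
    if stored == 0 and accept_zero_checksum:
        return True
    return stored == sctp_checksum(packet)


def build_init_packet(with_checksum=True, src_port=5060, dst_port=5060):
    """Constructed SCTP INIT. The verification tag is 0 by definition for INIT,
    which is the case the note describes; the checksum is left 0 on request."""
    chunk = struct.pack("!BBH", 1, 0, 20)                       # type INIT, flags, length
    chunk += struct.pack("!IIHHI", 0x1234ABCD, 65535, 10, 10, 1000)  # tag, a_rwnd, os, is, TSN
    header = SCTP_HDR.pack(src_port, dst_port, 0) + b"\x00" * 4
    pkt = header + chunk
    return fill_checksum(pkt) if with_checksum else pkt


if __name__ == "__main__":
    zero = build_init_packet(with_checksum=False)
    print(verify_sctp(zero))                             # False: dropped by default
    print(verify_sctp(zero, accept_zero_checksum=True))  # True: accepted with the variable set
```

The last assertion in the test below is the risk to weigh before enabling the variable: with the exception on, a zero-checksum INIT with a flipped payload bit is accepted, so corruption on that path goes unnoticed.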


512054-1 : CGNAT SIP ALG - RTP connection not created after INVITE

Component: Service Provider

Symptoms:
The client has no audio when it makes a call.

Conditions:
This occurs when a client initiates a call with a CSeqID value greater than 64 KB.

Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.

Workaround:
None.

Fix:
The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeqID value is greater than 64 KB.


512016-1 : DB variable added to determine DNS UDP truncation behavior.

Component: Local Traffic Manager

Symptoms:
There is no option to change the DNS UDP truncation value to something other than 512 bytes.

Conditions:
Using DNS UDP truncation.

Impact:
Certain network topologies that require UDP DNS responses to be passed through untruncated, or with a higher limit, cannot be configured for it.

Workaround:
None.

Fix:
There is now a DB variable to control DNS UDP truncation behavior: dns.udptruncate. When dns.udptruncate is enabled, UDP DNS responses are truncated if the response is larger than 512 bytes. When dns.udptruncate is disabled, the message is not truncated, and the full message is received. If the client specifies a non-default size via EDNS, the message is truncated if the response is larger than the specified size regardless of the value of dns.udptruncate.

Behavior Change:
There is now a DB variable to control DNS UDP truncation behavior: dns.udptruncate. When dns.udptruncate is enabled, UDP DNS responses are truncated if the response is larger than 512 bytes. When dns.udptruncate is disabled, the message is not truncated, and the full message is received. If the client specifies a non-default size via EDNS, the message is truncated if the response is larger than the specified size regardless of the value of dns.udptruncate.
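The three-way decision above (EDNS size first, then dns.udptruncate, then pass through) is easy to get wrong in a test plan, so here is an added Python model of it (not F5 code). The sample response is constructed, and cutting the message back to the header and question with TC set is this example's choice of truncation; the note does not say where BIG-IP cuts.

```python
import struct

UDP_DEFAULT_LIMIT = 512   # classic DNS-over-UDP payload limit from the note


def udp_payload_limit(edns_size, udptruncate_enabled):
    """Maximum UDP response size, or None meaning 'never truncate'."""
    if edns_size is not None:
        return edns_size          # client-advertised EDNS size wins regardless of the variable
    return UDP_DEFAULT_LIMIT if udptruncate_enabled else None


def _question_end(msg):
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    off = 12
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:          # compression pointer (rare in a question, but legal)
            off += 2
            break
        off += 1 + length
    return off + 4


def truncate_udp_response(msg, edns_size=None, udptruncate_enabled=True):
    """Return (message, was_truncated). Over the limit, keep header + question,
    set the TC bit and zero ANCOUNT/NSCOUNT/ARCOUNT so the client retries over TCP."""
    limit = udp_payload_limit(edns_size, udptruncate_enabled)
    if limit is None or len(msg) <= limit:
        return msg, False
    out = bytearray(msg[:_question_end(msg)])
    out[2] |= 0x02                                  # TC is bit 1 of the first flags byte
    struct.pack_into("!HHH", out, 6, 0, 0, 0)       # ANCOUNT, NSCOUNT, ARCOUNT
    return bytes(out), True


def build_sample_response(answer_count):
    """Constructed response for example.com/A carrying `answer_count` A records
    (12-byte header + 17-byte question + 16 bytes per compressed answer)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answer_count, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # A, IN
    answers = b""
    for i in range(answer_count):
        rdata = bytes([192, 0, 2, (i % 254) + 1])                       # 192.0.2.x
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


if __name__ == "__main__":
    big = build_sample_response(40)                  # 669 bytes, over 512
    for edns, enabled in [(None, True), (None, False), (4096, True), (600, False)]:
        out, cut = truncate_udp_response(big, edns, enabled)
        print(f"edns={edns} udptruncate={enabled}: truncated={cut} size={len(out)}")
```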


512001-1 : Using REST API to Update ASM Attack Signatures Fails

Component: Application Security Manager

Symptoms:
The Attack Signature Update task remains in "STARTED" status.

Conditions:
ASM REST API is being used with the /mgmt/tm/asm/tasks/update-signatures endpoint.

Impact:
REST API cannot be used to trigger an immediate download of new Attack Signatures.

Workaround:
Use scheduled updates or GUI to update Attack Signatures.

Fix:
REST Update Signatures Task now works correctly.


512000-1 : Event Log Filter using Policy Group isn't accurate

Component: Application Security Manager

Symptoms:
Request Log - filter by policy group does not work.

Conditions:
At least one policy group created and used.

Impact:
Request Log - filter by policy group does not work.

Workaround:
N/A

Fix:
Request Log - filter by policy group now works correctly.


511961-1 : BIG-IP Edge Client does not display logon page for FirePass

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client cannot display the FirePass logon page; it remains in the "Connecting..." status and displays blank pages instead. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.

Conditions:
FirePass and the APM-supplied build of BIG-IP Edge Client for Mac.

Impact:
User cannot log in to FirePass when using BIG-IP Edge Client for Mac.

Workaround:
Update to the latest client.

Fix:
Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.


511947-1 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


511873 : TMM core observed during SSL cert-related tmsh execution.

Component: Local Traffic Manager

Symptoms:
A crash could be seen when SSL forward proxy is enabled.

Conditions:
TMM core observed during SSL cert-related tmsh execution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a core observed when SSL forward proxy is enabled.


511854-4 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
An exception is posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.

Fix:
This release fixes client-side URL rewriting for multi-line URLs.


511651-3 : CVE-2015-5058: Performance improvement in packet processing.

Vulnerability Solution Article: SOL17047


511648-2 : On standby TMM can core when active system sends leasepool HA commands to standby device

Component: Access Policy Manager

Symptoms:
On a standby system, TMM can core after it comes up when the active system sends leasepool HA commands to the standby device.

Conditions:
This occurs on standby systems when the active system sends it leasepool HA commands.

Impact:
Traffic disrupted while tmm restarts.

Fix:
On a standby system, TMM no longer cores after it comes up when an active system sends leasepool HA commands to the standby device.


511534-1 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.

Component: WebAccelerator

Symptoms:
When loading an AAM policy, tmm compiles the rules into an internal structure that is efficient for execution. Some conditions, however, can cause this process to take so long that tmm is halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions can exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands, and tmm can be halted before the policy finishes compiling.

Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.


511517-1 : Request Logging profile cannot be configured with HTTP transparent profile

Component: Local Traffic Manager

Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server.

Impact:
Request Logging profile cannot be configured on the same virtual server.

Fix:
The system now supports configuring both a Request Logging profile and an HTTP transparent profile simultaneously on a single virtual server.


511488-1 : Correlation restarting on a multi-bladed vCMP guest

Component: Application Security Manager

Symptoms:
The following error will appear in ASM log:

Watchdog detected failure for process. Process name: correlation, Failure: Insufficient number of threads

Conditions:
ASM provisioned on a multi-bladed vCMP guest.

Impact:
Correlation daemon endlessly restarting.

Workaround:
N/A

Fix:
To prevent endless restarting, correlation is now disabled on a multi-bladed vCMP guest.


511477-2 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently, this is disabled by default and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
This is a part of ID 498361.


511441-3 : Memory leak on request Cookie header longer than 1024 bytes

Component: Access Policy Manager

Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.

Conditions:
Client is sending 'Cookie' request header with more than 1024 bytes of data to APM Portal Access host.

Impact:
Memory used by 'rewrite' process keeps increasing and leads to 'out of memory' logs and possibly failover.

Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.


511406-1 : Pagination issue on firewall policy rules page

Component: Advanced Firewall Manager

Symptoms:
Firewall policy rules page shows only the first 100 rules in the policy.

Conditions:
This is an issue when there are more than 100 rules configured in a policy.

Impact:
User is only able to see the first 100 rules in the policy.

Fix:
The firewall policy rules page can now display more than 100 rules.


511326-2 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.

Component: Service Provider

Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.

Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.

Impact:
The Subscriber does not receive any notification regarding the subscribed events.

Workaround:
None.

Fix:
The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.


511196-1 : UMU memory is not released when remote logger can't reach its destination

Component: Application Security Manager

Symptoms:
UMU memory is printed in the bd.log as being held although there is no traffic in the system.

Conditions:
Remote logger has an unreachable destination.

Impact:
Some memory is wasted and is not released for a long time.

Workaround:
Fix the remote logger configuration or the network issue.

Fix:
We fixed the slow release of UMU memory that occurred when the remote logger's destination was unreachable.


511130-3 : TMM core due to invalid memory access while handling CMP acknowledgement

Component: Local Traffic Manager

Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.

Conditions:
Memory is not validated before handling a CMP acknowledgement.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is now validated before handling a CMP acknowledgement.


511064-1 : Repeated install/uninstall of policy with usage monitoring stops after second time

Component: Policy Enforcement Manager

Symptoms:
Usage monitoring as required by the policy stops working.

Conditions:
Policy configured with usage monitoring is installed/uninstalled multiple times within a session.

Impact:
Usage reporting stops working.

Workaround:
None.

Fix:
The system now correctly handles the case in which a policy with usage monitoring is installed and removed multiple times.


510979-1 : Password-less SSH access after tmsh load of UCS may require password after install.

Component: TMOS

Symptoms:
Should an account such as admin have password-less SSH access, after loading the UCS config or doing a live install and moving the config, SSH access no longer works without a password.

Conditions:
User has .ssh/authorized_keys file owned with uid=0.

Impact:
tmsh load sys ucs config replaces the uid ownership of /home/user_name/.ssh/authorized_keys incorrectly, which prevents SSH access without passwords.

Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file in the ~/.ssh directory. In that case, UCS load affects the link, but not the linked file, so password-less SSH access is maintained.

Note: A UCS file taken after the workaround will not include the file /var/ssh/<username>/authorized_keys. If you have a plan to load the UCS on a different unit, for example, for the purposes of RMA, please save the file individually.

Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.


510921-1 : Database monitors do not support IPv6 nodes

Component: Local Traffic Manager

Symptoms:
Unable to monitor IPv6 nodes.

Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.

Impact:
IPv6 nodes are reported down and do not receive traffic.

Fix:
Database monitors now support monitoring IPv6 nodes.


510837-2 : Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.

Component: Local Traffic Manager

Symptoms:
When BIG-IP SSL serves as an SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS, it sends a bad client key exchange to the SSL server during server-initiated renegotiation.

Conditions:
BIG-IP acts as an SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS in server-initiated renegotiation.

Impact:
The SSL handshake fails. The SSL server might reset the SSL connection with an error such as 'digest check failed' or 'ssl handshake failed'.

Workaround:
Do not use ciphers ECDHE_ECDSA or DHE_DSS.

Fix:
BIG-IP SSL now works correctly with the ECDHE_ECDSA and DHE_DSS ciphers in server-initiated renegotiation where BIG-IP acts as a client.


510811-1 : PEM::info irule does not take effect if used right after PEM::session config policy irule

Component: Policy Enforcement Manager

Symptoms:
Using the PEM::info iRule command to set a session attribute right after the PEM::session config policy iRule command sets the referential policy does not work. The session attribute is not set correctly in this case.

Conditions:
Use the PEM::session config policy and PEM::info iRule commands one after the other.

Impact:
The PEM::info iRule command does not set the session attribute as expected.

Workaround:
Put a delay ("after 10") between these two commands in the iRule script.

Fix:
After the fix, the PEM::info iRule command sets the PEM session attribute correctly, even when used immediately after the PEM::session config policy iRule command.


510721-1 : PEM::enable / PEM::disable iRule errors out with an error message

Component: Policy Enforcement Manager

Symptoms:
When trying to use the PEM::enable and PEM::disable iRule commands, an error message is shown indicating that the iRule procedure is undefined.

Conditions:
Using PEM::enable or PEM::disable in an iRule script.

Impact:
The PEM::enable and PEM::disable iRule commands cannot be used.

Fix:
Correct validation was added for the PEM::enable and PEM::disable iRule commands. After the fix, the commands can be used without producing an error message.


510720-1 : iRule table command resumption can clear the header buffer before the HTTP command completes

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.

Impact:
This results in a SIGABRT. The header names might intermittently be output incorrectly, reporting empty names and/or parts of the request line.

Workaround:
This issue has no workaround at this time.

Fix:
iRule resumption after halting now works correctly.


510709-1 : WebSSO start URI match fails if there are more than two start URIs in the SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than two start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and WebSSO failure.

Conditions:
The SSO error happens only if there are more than two start URIs configured in the SSO configuration.

Impact:
SSO V1 (WebSSO) fails for the configured start URI due to a start URI mismatch.

Workaround:
None.

Fix:
WebSSO start URI parsing was incorrect when the start URI configuration had multiple lines. WebSSO start URI parsing is now fixed.


510638-1 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to LTM DNS cache resolver.

Impact:
Changes made to the DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config changes to the DNS cache resolver now take effect immediately and no longer require a tmm restart.


510597-3 : SNAT Origin Address List is now stored correctly when first created

Component: TMOS

Symptoms:
When creating a SNAT under Local Traffic :: Address Translation : SNAT List and specifying an address list under Origin, there is no host or network SNAT type to select.

Conditions:
This occurs in the following scenario:
1. Create a SNAT, specify an address list with a /24 mask, and update.
2. Run the command: tmsh list ltm snat SNAT_created.

Impact:
A /32 IP address shows instead. For example, 1.1.1.0/24 is translated to 1.1.1.0/32.

Fix:
SNAT Origin Address List is now stored correctly when first created.


510596-6 : Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty

Component: Access Policy Manager

Symptoms:
DNS resolution can break for a Linux client when the "DNS Default Domain Suffix" setting is empty in a Network Access configuration in APM.

Conditions:
BIG-IP Edge Gateway, Linux CLI, and an empty "DNS Default Domain Suffix" in the Network Access configuration.

Impact:
DNS resolution might not work on Linux.

Workaround:
Configure "DNS Default Domain Suffix" in the Network Access configuration.

Fix:
DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.


510499-2 : System Crashes after Sync in an ASM-only Device Group.

Component: Application Security Manager

Symptoms:
System crashes after an ASM Sync in an ASM-only Device Group.

Conditions:
This occurs when the following conditions are met:
1) Two devices with both a full-sync device group, and a sync-only, ASM-enabled device group. Both manual sync groups.
2) Have a policy active on a virtual server on both devices.
3) Deactivate the policy on one device.
4) Push the ASM config from that device to another device.

Impact:
Peer Device is left in an inconsistent state and BD crashes.

Workaround:
None.

Fix:
ASM Configuration Sync now gracefully handles being unable to deactivate a policy when doing so conflicts with the LTM config.


510459-1 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
Client request is not fulfilled and error message received.

Workaround:
None

Fix:
Resolved an issue in which clients received a file not found message from Access due to an out-of-date white list entry in OPSWAT.


510393-1 : TMM may occasionally restart with a core file when deployed VCMP guests are stopped

Component: TMOS

Symptoms:
VCMP guest shutdown can interfere with execution of the VCMP hypervisor TMM, causing 'Clock advanced' messages and TMM restarts with corresponding core files.

Conditions:
vCMP guests in state 'deployed' are modified to state 'provisioned' or 'configured', or are deleted entirely. The likelihood of a TMM restart increases with the number of guests that are stopping at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Shut down vCMP guests one at a time to reduce the likelihood of encountering this issue.

Fix:
Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances


510226-2 : All descriptions for ports-list's members are flushed after the port-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from GUI.

Conditions:
When a user updates a port-list object whose members have a description set, the description is deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Do not update the port list entry from the GUI when its members have a 'description', or use tmsh to update the port list.

Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.


510224-2 : All descriptions for address-list members are flushed after the address-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from GUI.

Conditions:
When a user updates an address-list object whose members have a description set, the description is deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Do not update the address list entry from the GUI when its members have a 'description'.

Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.


510159-1 : Outgoing MAP tunnel statistics not updated

Component: TMOS

Symptoms:
Outgoing statistics for MAP tunnels are not being shown in the 'tmsh show net tunnels' command output.

Conditions:
When sending bidirectional traffic over a MAP tunnel between a client and server across a DUT.

Impact:
Only incoming traffic is shown in the 'tmsh show net tunnels' command output. This is a cosmetic error, and does not indicate incorrect functionality.

Fix:
Outgoing statistics for MAP tunnels are now included in the 'tmsh show net tunnels' command output.


510119-4 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


510049 : Revised BIG-IP CGNAT Implementations content

Component: TMOS

Symptoms:
The BIG-IP 11.6.0 CGNAT Implementations manual includes SIP ALG content for security, dialog_aware, insert_record_route_header settings. Also, content refers to the SIP Security check box, instead of the SIP Firewall check box.

Conditions:
Content for a SIP profile includes steps for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, which cause an error. Content also refers to the SIP Security check box, instead of the SIP Firewall check box.

Impact:
Configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box, causes an error. Content incorrectly refers to the SIP Security check box, instead of the SIP Firewall check box.

Workaround:
Deleted content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Changed content referring to the SIP Security check box to the SIP Firewall check box.

Fix:
Documentation is revised to omit content for configuring the Dialog Aware check box, the Security check box, and the Insert Record-Route Header check box. Documentation also now refers to the SIP Firewall check box instead of the SIP Security check box.


509968-3 : BD crash when a specific configuration change happens

Component: Application Security Manager

Symptoms:
A reconfiguration, a security application being attached to a VIP, a new security policy, or another large configuration change is followed by traffic halting/resetting, a shrinking message in bd.log, and then a BD crash.

Conditions:
A remote logger with "report anomalies" is attached to the virtual server, a session transaction attack is ongoing, and the session transaction configuration is changed together with a custom header (for XFF) configuration. This can also happen when adding new web applications to an existing virtual server, or attaching an existing web application to a virtual server, while there is a session transaction attack on a virtual server.

Impact:
Traffic halted, a failover and traffic resets. BD will startup with the updated configuration in place.

Workaround:
Do not add security policies, attach security policies to a virtual server, reconfigure a security policy, or change the session transaction configuration together with the custom header configuration while a session transaction attack is in progress on a virtual server that has a remote logger attached.

Fix:
A crash that happens upon a specific configuration change was fixed.


509956-4 : Improved handling of cookie values inside SWG blocked page.

Component: Access Policy Manager

Symptoms:
Certain components of cookies are not escaped and might negatively impact functionality.

Conditions:
Use of a reject ending in a per-request access policy.

Impact:
Potential disruption of functionality.

Workaround:
None.

Fix:
Improved the way that we process cookie values in an SWG blocked page.


509934-1 : Blob activation fails due to counter revision

Component: Advanced Firewall Manager

Symptoms:
Activation of the blob fails after loading a config from a UCS file in which the saved config has a policy with at least one rule, while the running config has a policy (with the same name) without any rules.

Conditions:
Running config has a policy (say policy name = X) with no rules and associated to a context. Saved config (UCS) has a different policy (but same name X) with at least 1 rule. When loading UCS (saved config), blob activation fails due to TMM not being able to revise counters for the new container.

Impact:
Activation fails

Workaround:
N/A

Fix:
Correct counter tracking


509919-2 : Incorrect counter for SelfIP traffic on cluster

Component: Advanced Firewall Manager

Symptoms:
SelfIP traffic is always handled on the primary blade on a cluster and if it's disaggregated to non-primary blade, it gets internally forwarded to the primary blade.

Due to this, AFM was double classifying this traffic (only on cluster) causing incorrect AFM ACL/IPI counts.

Conditions:
SelfIP traffic is disaggregated to non-primary blade on a cluster and AFM is enabled

Impact:
Incorrect AFM ACL/IPI rule counters due to internal forwarding of SelfIP traffic on a cluster from non-primary to primary blade causing AFM to match/classify these packets twice.

Workaround:
None

Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.


509873-1 : Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain.

Component: Application Security Manager

Symptoms:
The TMM process or bd daemon may crash and core dump within 24 hours of either rebooting a device, restarting TMM, or joining a trust domain. This may also happen on a standalone device that has been rebooted.

Conditions:
Traffic arrives to a virtual server that is configured with: an anti-fraud profile, an ASM Security Policy, or a DOS profile that has 'Application Security' enabled.

Impact:
The crash might happen only within 24 hours of either rebooting a device, restarting TMM, or joining a trust domain. The TMM or bd crash causes the device to not handle traffic while the process is being restarted.

Workaround:
Performing the following actions prevents the crash from happening. Requires shell access to the device.

( 1. )

Edit the file /etc/bigstart/scripts/datasyncd:

Remove the last line, which contains:
exec /usr/share/datasync/bin/datasyncd >> /var/log/datasync/datasyncd.log

In its place, add this:
exec >> /var/log/datasync/datasyncd.log 2>&1

echo "`date`: fix start."
set -x
tmsh list security datasync local-profile
tmsh list security datasync local-profile | grep '^security' | awk '{print $4}' | while read -r table; do tmsh modify security datasync local-profile $table max-gen-rows infinite; done
tmsh list security datasync local-profile
set +x
echo "`date`: fix end."

exec /usr/share/datasync/bin/datasyncd

( 2. )

Run 'bigstart restart tmm'.
NOTE: This causes the device to be offline and not handle traffic while TMM restarts.

Fix:
This release fixes a potential (but rare) crash of either TMM or the Enforcer that may happen within 24 hours of either rebooting a device, or joining a trust domain.


509782-3 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509758-2 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and
Network Access webtop is used.

Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.

Workaround:
None.

Fix:
Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.


509722-1 : BWC traffic blocked

Component: Access Policy Manager

Symptoms:
BWC traffic blocked when configured using percentages and the configuration is modified.

Conditions:
Modifying configurations of BWC categories using percentages.

Impact:
BWC traffic is blocked.

Workaround:
The workaround is to not configure with percentages but configure with bandwidth.

Fix:
The problem with modifying BWC configured percentages has been corrected.


509677-1 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- Captive Portal uses https logon page
- Network switching done by unplugging network cable from NIC or disconnecting from wireless network (not disabling network
interface).

Impact:
Edge-client crashes

Workaround:
N/A

Fix:
Corrected an invalid pointer by updating the pointer name.


509600-1 : Global rule association to policy is lost after loading config.

Component: Advanced Firewall Manager

Symptoms:
The association of a global rule to a policy appears to be lost after loading a config by directly loading, saving, upgrading, and config syncing. As a result of this issue, you may encounter the following symptom:

After re-enabling a global policy and waiting for an unspecified period of time, you observe that the policy is disabled again.

Conditions:
This occurs when you associate a global rule with a policy, and then initiate an operation that causes config load.

Impact:
Policies are removed from enforcement in the global context.

Workaround:
To work around this issue, you can add back the rules manually, or, if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context when no other route domains are configured.

Impact of workaround: If you have other route domains configured, Route Domain 0 is no longer usable as a global context.

Fix:
The association of a global rule to a policy is now retained after loading a config by directly loading, saving, upgrading, and config syncing.


509504-5 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
Large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.

Fix:
The save and list times for numerous firewall rules or deeply nested configurations [example: firewall rule-list::rules] are significantly reduced.


509503-4 : tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration

Component: TMOS

Symptoms:
Certain configurations with deeply nested structures (for example, some firewall rule rule-list configurations) require excessive time for the tmsh load config file merge operation.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge is significantly more than the time needed for load operation.

Workaround:
If you are affected by long load times when merging a configuration file into an existing one, you can instead append the config file to the respective bigip_base.conf or bigip.conf file manually.

Fix:
The tmsh load sys config merge operation performance was optimized. With this optimization the time for merge operation is slightly greater than the load operation.


509495 : A TMM memory leak when HTTP protocol security enabled profile and no AFM license

Component: Application Security Manager

Symptoms:
This command :
tmctl memory_usage_stat | (head -n 2; grep httpsec)
shows increased memory on the httpsec::httpsec_plugin per transaction.

Conditions:
HTTP protocol security profile is enabled while AFM is not licensed.

Impact:
TMM memory increased on each transaction.

Workaround:
License AFM

Fix:
Fixed a memory leak on TMM when AFM is not licensed and HTTP security enabled profile is assigned to a virtual server.


509490-2 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
Web application in Internet Explorer 8, 9 or 10 that uses window.postMessage() and receives messages with a handler added through window.attachEvent(), working through Portal Access.

Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.

Workaround:
No

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage().


509475 : SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later

Component: TMOS

Symptoms:
In 11.5.x and earlier versions it was possible to have a SPDY profile with the following combination of settings: activation-mode always, and protocol-versions { spdy3 spdy2 http1.1 }. In 11.6.0 this was changed to allow only a single protocol-version in conjunction with 'activation-mode always'.

Conditions:
A SPDY profile with activation-mode always and multiple protocol versions in protocol-versions.

Impact:
This might cause a failure when upgrading from prior versions to 11.6.0 or later.

Workaround:
Before upgrading make sure all SPDY profiles with 'activation-mode always' only have a single 'protocol-versions' value set.

Fix:
A SPDY profile with 'activation-mode always' and multiple 'protocol-versions' no longer causes an upgrade to fail. Instead upgrade changes the profile such that the 'protocol-versions' field only contains the highest SPDY protocol version that was listed before the upgrade.


509416 : Suspended 'after' commands may result in unexpected behaviors

Component: Local Traffic Manager

Symptoms:
Unexpected iRule behavior, crashes or aborts.

Conditions:
Can occur when a virtual server has a OneConnect profile and an iRule using the 'after' command.

Impact:
tmm crash.

Fix:
Connections are ineligible for re-use while there is still a pending, suspended or in-progress 'after' iRule. This is correct behavior.


509346-2 : netHSM caused timout may trigger chassis failover which may fail all blades

Component: Local Traffic Manager

Symptoms:
When experiencing a long delay caused by the netHSM, tmm may incur a watchdog timeout, which triggers failover to other blades. Since all blades share the same netHSM, these blades may quickly fail as well. If that happens, all tmm traffic will be down. There may be many reasons for a netHSM delay or failure.

Conditions:
The netHSM has a delay or failure.

Impact:
All blades in the chassis are put into "disabled" mode.

Workaround:
Restart the chassis to clear the state.

Fix:
We disabled the timeout trigger for failover when a netHSM is used. There may be many reasons for such a failure. With this fix, users will see netHSM-related SSL failures, but those no longer cause all blades to be disabled.


509310-5 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped due to bad UDP checksum.

Workaround:
Set the DB variable iptunnel.vxlan.udpport to 0, so that the BIG-IP system hardware does not classify UDP destination port 4789 as VxLAN traffic.

Fix:
VIPRION chassis and 5000 series appliances no longer generate bad outer IPv4 UDP checksums on egressing VxLAN traffic.


509276-4 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device

Component: TMOS

Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.

Conditions:
A VXLAN tunnel with a floating local address on the standby device.

Impact:
Incorrect gratuitous ARPs are generated on the standby device.

Fix:
VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.


509273 : hostagentd consumes memory over time

Component: Device Management

Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.

Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.

Impact:
Rarely, the vCMP host might run out of memory.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures:

Option 1: Disabling statistic collection for the tmsh show vcmp health command.
Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable statistic collection, type the following command:
tmsh modify vcmp guest all capabilities add { stats-isolated-mode }.
3. To restart the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart restart hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart restart hostagentd.


Option 2: Disabling the hostagentd process
Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart stop hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart stop hostagentd.

3. To exclude the hostagentd process from starting up after rebooting the system, type the following command:
a. On a BIG-IP appliance:
bigstart disable hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart disable hostagentd.

Fix:
Fixed a rare vCMP host memory growth issue.


509108-1 : CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber

Component: Carrier-Grade NAT

Symptoms:
CGNAT PBA may log a port-block allocation (LSN_PB_ALLOCATED) message immediately followed by a port-block release (LSN_PB_RELEASE) message for a port-block that is already allocated to a different subscriber.

Conditions:
This can happen if subscriber traffic is received while a blade is being added or removed, while a blade is failing, or while an HA failover is in progress.

Impact:
Causes ambiguity in reverse-mapping subscriber connections.

Fix:
CGNAT PBA no longer logs port-block allocation and port-block release messages for a port-block that is already allocated to a different subscriber during a blade add/remove/fail or HA failover.


509105-1 : TMM cores sometimes if provisioning hold time is set to non-zero.

Component: Policy Enforcement Manager

Symptoms:
TMM might core sometimes if provisioning hold time is set, when a multiple-IP session is created with IPv4 and IPv6 addresses.

Conditions:
Provisioning hold time is set to non-zero, and one of the IP addresses is removed by running the command: radius stop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable provisioning hold time. Set the tmm.pem.session.radius.provisioning.hold.time DB variable to 0:

list sys db tmm.pem.session.radius.provisioning.hold.time
sys db tmm.pem.session.radius.provisioning.hold.time {
    value "0"
}
root@(dpi-bvt2)(cfg-sync Standalone)(Active)(/Common)(tmos)#.

Fix:
In this release, TMM no longer cores if provisioning hold time is set to non-zero.


509037-1 : BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type

Component: TMOS

Symptoms:
MCPD accepts the wild-card IPIP tunnels with the same local-address and tunnel type (ip4ip6, ipip, ip6ip4, ip6ip6) without validation, although the configuration is eventually discarded in TMM.

Conditions:
Creating wild-card tunnels with the same local-address and IPIP tunnel-type.

Impact:
This incorrect configuration is allowed on the BIG-IP system without error.

Workaround:
Specify wild-card tunnel using different local-address and tunnel-type.

Fix:
Attempts to set up duplicate wild-card tunnels are now detected by BIG-IP system validation at creation time. The system disallows creation of wild-card tunnels with the same local-address and tunnel-type.


509010 : Adding/Deleting a local user takes 30 seconds to complete

Component: Access Policy Manager

Symptoms:
It takes about 30 seconds to add or to delete a local user.

Conditions:
This occurs when using the GUI to add or delete local users (on the GUI Access Policy :: Local User DB :: Manage Users screen).

Impact:
The add or delete operation incurs a delay of approximately 30 seconds.

Workaround:
None.

Fix:
Adding or deleting a local user now completes within an expected time interval.


508908-1 : Enforcer crash

Component: Application Security Manager

Symptoms:
A bd crash. Connections reset until the system restarts or a failover completes.

Conditions:
A multipart request with a specific syntax error.

Impact:
A bd process crash and failover. Connections are reset until the system restarts or the failover finishes.

Workaround:
No workaround

Fix:
An Enforcer crash was fixed.


508719-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
The logon page uses a field filled with a dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify the page logon.inc using the customization panel.

*Add function:
function getSoftTokenPrompt()
{
    if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
        var div = document.getElementById("formHeaderSoftToken");
        if (div) {
            return div.innerHTML;
        }
    }
    return null;
}

*Replace code:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }

By:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>";
    if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
        header.innerHTML = softTokenHeaderStr;
    } else {
        header.innerHTML = "<? echo $formHeader; ?>";
    }

* Replace code
<td colspan=2 id="credentials_table_header" ></td>
By
<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>

* Add code before </body> tag:
<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>

Fix:
The title displays on the logon page now.


508716-4 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
DNS cache resolver drops chunked TCP responses

Conditions:
If the cache resolver uses TCP to resolve a query, and a nameserver does not include the complete reply in the first TCP segment.

Impact:
The response is discarded, the connection dropped, and the query retried.

Fix:
DNS cache resolver no longer drops chunked TCP responses


508660-1 : Intermittent TMM crash in classification library

Component: Traffic Classification Engine

Symptoms:
TMM crashes sporadically without apparent triggers when using classification on the virtual server.

Conditions:
Using classification on the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable classification on the virtual server if not needed.

Fix:
The most recent classification library, which includes memory allocation fixes, was integrated.


508630-4 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNS suffixes configured on a client contain names configured in an APM Network Access resource.

Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.

Impact:
As a result, DNS suffixes are not restored correctly.

Fix:
An additional fix was made to restore DNS suffixes correctly.


508544-1 : AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag

Component: Application Visibility and Reporting

Symptoms:
AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag.

Conditions:
This occurs when the following conditions are met:
-- The page-load-time feature is turned on.
-- The HTTP content is not compressed.
-- The HTTP content-type is text or HTML.
-- The HTTP content does not contain an HTML <head> tag.

Impact:
JavaScript is unnecessarily included in HTTP responses.

Workaround:
Use iRules. This way, CSPM can be enabled and disabled and can be controlled for particular pages.

If the user can determine which URLs are fit for CSPM or by some specific content in the response, then it is possible to use iRules.
In order to do so, the page-load-time feature should be turned on in the Analytics profile and an iRule should be used. See details here:
https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13859.html

Fix:
AVR injects CSPM JavaScript only when the payload contains an HTML <head> tag. This is correct behavior.


508519-4 : Performance of Policy List screen

Component: Application Security Manager

Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.

Conditions:
20+ active security policies in the system

Impact:
With 160 active security policies, it took about 10 seconds to load the Policy List/Import Policy/PCI report configuration utility screens.

Workaround:
There is no workaround at this time.

Fix:
We fixed a performance issue with the Policy List/Import Policy/PCI report configuration utility screen.


508338-1 : Under rare conditions cookies are enforced as base64 instead of clear text

Component: Application Security Manager

Symptoms:
False positive "modified domain cookie" violation or false positive "illegal base64 value" violation created.

Conditions:
No specific condition, rare.

Impact:
The violation "illegal base64 value" on a cookie appears on transactions, even for cookies that are not marked as base64 value cookies.

Workaround:
No workaround

Fix:
We fixed an issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation.


508051-1 : DHCP response may return to wrong DHCP client.

Component: Policy Enforcement Manager

Symptoms:
When there are multiple DHCP solicit messages from different clients with different source IPs, the DHCP responses may be returned to the client/source IP address that sent the first DHCP request to BIG-IP/PEM.

Conditions:
The issue may occur when multiple DHCP clients send DHCP solicit messages to BIG-IP/PEM in DHCP relay mode.

Impact:
When it occurs, DHCP responses may be returned to the wrong DHCP clients among those sending solicit messages in DHCP relay mode.

Workaround:
None.

Fix:
Multiple DHCP solicit requests from different clients/source IP addresses are now handled properly, and each response is sent back to the proper client/source IP address.


507919-1 : Updating ASM through iControl REST does not affect CMI sync state

Component: Application Security Manager

Symptoms:
Updates through REST in a manual sync CMI device group do not change the sync status to PENDING.

Conditions:
ASM is configured in a manual sync group and REST API is utilized.

Impact:
Sync status is not changed to PENDING after updates through REST in a manual sync CMI device group.

Workaround:
There is no workaround at this time.

Fix:
Sync status is now changed after updates through REST in a manual sync CMI device group.


507905 : Saving Policy History during UCS load causes DB deadlock/timeout

Component: Application Security Manager

Symptoms:
Loading a UCS from an older version for upgrade can cause DB timeouts. /var/log/ltm has this error signature: DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/lib/perl5/site_perl/F5/DbUtils.pm

Conditions:
This is a rare issue that occurs when two devices with different versions installed are in a CMI device group. It appears to be triggered when a sync is started from the device running the older version, while the device group is in the middle of an upgrade and the newer version is earlier than 11.6.0 HF5 or 11.5.2 HF1.

Impact:
UCS load fails and multiple error messages are logged.

Workaround:
Do not have BIG-IP devices with different versions in the same DSC device group.

Fix:
We corrected an intermittent issue where an error state was received during the upgrade of a DSC device group.


507902-1 : Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.

Component: Application Security Manager

Symptoms:
The mcpd daemon of a secondary blade reports failure and is restarted, causing the blade to be offline and not handle traffic for a few minutes.

Conditions:
A multi-blade device (cluster) is part of a trust domain, and one of the other devices in the trust domain is rebooted. The mcpd failure may occur anywhere from a few minutes up to 24 hours after the reboot. The failure should happen only once, and not repeat until the next time a device in the trust domain is rebooted.

Impact:
During the mcpd restart, the blade is offline and not handling traffic for a few minutes. There is no impact to traffic handled by the primary blade.

Workaround:
The mcpd failure is caused by an inconsistency between the primary and secondary blades after a reboot of a different device in the trust domain, so the workaround is to check for and fix the inconsistency after every reboot of any device in the trust domain. There is no need to do this when only one of the blades is rebooted.

After any reboot of a device in the trust-domain, perform the following actions:

( 1. ) Check for inconsistency:

On each blade of each cluster in the trust-domain, run the following command:

tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'

You should see an object for each of the devices (clusters) in the trust domain.
For example, suppose two multi-blade devices, vcmp1 and vcmp2, each with 2 blades, are joined in the trust domain.

[root@vcmp1:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}
security datasync device-stats datasync-device-vcmp2.qa.com/datasync-device-vcmp2.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}

This shows both vcmp1 and vcmp2, so the state is good, no further action needed on this device.

However, in the faulty state, the secondary blade of vcmp2 will show:
[root@vcmp2:/S2-green-S:Active:In Sync (Sync Only)] config # tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}

The vcmp2 device is missing. This means that the state is inconsistent, and an mcpd failure may happen sometime within 24 hours.

( 2. ) Fix the inconsistency if needed:

To fix the state, force a sync of the datasync device groups from the device that still shows the correct state (vcmp1, if vcmp2 had the faulty state).
If vcmp2 had the inconsistency, run the following commands on vcmp1:

tmsh modify cm device-group datasync-global-dg devices modify { vcmp1.qa.com { set-sync-leader } }

Wait a few seconds

tmsh modify cm device-group datasync-device-vcmp1.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }
tmsh modify cm device-group datasync-device-vcmp2.qa.com-dg devices modify { vcmp1.qa.com { set-sync-leader } }

Wait a few more seconds, then check again the state using the instructions in step #1.
(tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table')
All blades should be good now.

Repeat steps #1 and #2 on each of the blades, in each of the clusters that are part of a trust-domain, when a device is being rebooted.
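As an added check that is not part of the original release note, the following Python script parses the tmsh listing shown in step 1 and reports which expected trust-domain devices have no cs-asm-dosl7 stats object; the two listings below are constructed from the healthy and faulty output above, and the device names vcmp1.qa.com and vcmp2.qa.com are taken from that example.

```python
"""Check the tmsh datasync device-stats listing for missing trust-domain devices.

Added example, not F5 code. It parses the text printed by
  tmsh -c 'list security datasync device-stats /Common/datasync-device-*/*cs-asm-dosl7* table'
(format as shown in the workaround above) and compares the devices found
against the devices expected in the trust domain.
"""
import re
from typing import Dict, List

# One object header, e.g.
# security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
_HEADER = re.compile(
    r"^security datasync device-stats\s+"
    r"datasync-device-(?P<device>[^/\s]+)/datasync-device-(?P=device)-(?P<table>[\w-]+)-stats\s*\{"
)
_TABLE = re.compile(r"^\s*table\s+(?P<table>\S+)")


def parse_device_stats(tmsh_output: str) -> Dict[str, str]:
    """Return {device: table} for every stats object in the listing.

    Raises ValueError if an object's 'table' line disagrees with its header,
    which would mean the listing is not what this check expects.
    """
    found: Dict[str, str] = {}
    current = None
    for line in tmsh_output.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group("device")
            found[current] = m.group("table")
            continue
        t = _TABLE.match(line)
        if t and current is not None and t.group("table") != found[current]:
            raise ValueError(
                f"{current}: header names table {found[current]} but body says {t.group('table')}"
            )
        if line.strip() == "}":
            current = None
    return found


def missing_devices(tmsh_output: str, expected: List[str]) -> List[str]:
    """Devices in `expected` that have no cs-asm-dosl7 stats object on this blade."""
    present = parse_device_stats(tmsh_output)
    return [d for d in expected if d not in present]


# Constructed sample listings, modelled on the healthy and faulty output above.
HEALTHY = """\
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}
security datasync device-stats datasync-device-vcmp2.qa.com/datasync-device-vcmp2.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}
"""
FAULTY = """\
security datasync device-stats datasync-device-vcmp1.qa.com/datasync-device-vcmp1.qa.com-cs-asm-dosl7-stats {
    table cs-asm-dosl7
}
"""
# Devices expected in the trust domain (names from the example above).
TRUST_DOMAIN = ["vcmp1.qa.com", "vcmp2.qa.com"]

if __name__ == "__main__":
    for name, listing in (("healthy blade", HEALTHY), ("faulty blade", FAULTY)):
        gone = missing_devices(listing, TRUST_DOMAIN)
        if gone:
            print(f"{name}: INCONSISTENT, missing {', '.join(gone)}; apply step 2 from the good device")
        else:
            print(f"{name}: OK, all {len(TRUST_DOMAIN)} devices present")
```

On a real blade, feed the script the captured output of the tmsh command in place of the constructed listings.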

Fix:
The mcpd daemon of a secondary blade in a cluster no longer fails and restarts, when the cluster is part of a trust domain, and one of the other devices in the trust-domain is being rebooted.


507899 : Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value

Component: Access Policy Manager

Symptoms:
In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value.

Conditions:
This affects only 11.5.x and 11.6.x releases. If a user creates a custom report with 'Assigned IP' as a field and runs the report, the content of the Assigned IP field is the IP type rather than the actual IP.

Impact:
The report content is not correct.

Workaround:
Use one of the built-in reports, All Sessions or Current Sessions, to get the correct content for the Assigned IP field.

Fix:
This release shows the correct 'Assigned IP' value instead of the IP type in the custom report field.


507853-1 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection') that returns a large result, if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507842-2 : Patch for BIND Vulnerability CVE-2015-1349

Vulnerability Solution Article: SOL16356


507782-1 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open Citrix connection

Conditions:
Unpatched/malformed ICA file received by the client

Impact:
Traffic disrupted while tmm restarts.

Fix:
Validation of the input data in the ICA connection has been fixed so that an invalid or unpatched Address field causes the connection to be rejected instead of crashing TMM.


507753 : URL categorization missed if HTTP1.0 header does not have HOST

Component: Policy Enforcement Manager

Symptoms:
If the request carries no HTTP Host header (valid for HTTP/1.0, but not for HTTP/1.1), URL categorization does not happen.

Conditions:
PEM URLCAT is enabled, and the URL input from the HTTP Host header is not available, which is possible for an HTTP/1.0 request.

Impact:
The URL is categorized as UNKNOWN under this condition.

Workaround:
None.

Fix:
When the HTTP Host header is not present in the HTTP request, the PEM categorization engine now still considers and processes the request.


507681-5 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites that use postMessage to send objects are broken in Internet Explorer 11. Depending on the web application, an error may or may not appear in the JavaScript console.

Conditions:
A web application that uses Window.postMessage() through Portal Access in Internet Explorer 11.

Impact:
The web application cannot use Window.postMessage() to send non-string data through Portal Access in Internet Explorer 11.

Workaround:
None.

Fix:
Window.postMessage() now works in Internet Explorer 11.


507602-1 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled

Component: TMOS

Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak, and in some cases data packets going through the IPsec tunnel can loop between cores.

Conditions:
IPsec lifebyte is enabled in the IPsec Policy configuration object on the BIG-IP system or on a 3rd party IPsec device.

Impact:
Possible data packets looping and memory leak.

Workaround:
Disable lifebyte on the IPsec devices at both ends of the IPsec tunnel.

Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.


507575-1 : An incorrectly formatted NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated, and if an incorrect set of string arguments is passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
Specifically, it is valid to have empty strings as some of the fields of a NAPTR record.
However, these empty strings must be quoted as empty strings.

An example of a valid empty string parameter:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed.
This causes a segfault and the error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser has been made tolerant of missing parameters for these records and now reports an error instead of failing.
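As an added example (not F5's iControl parser), the following Python code tokenizes a NAPTR record in zone-file form so that a quoted empty string "" is kept as a field, and reports a short field count instead of failing when a field is left out; the valid line is the one from this entry, and the second line is a constructed copy with the "" omitted.

```python
"""Tolerant parser for NAPTR records written in zone-file text.

Added example, not F5's iControl parser. An empty field must be written as ""
so the tokenizer still sees six rdata fields; when a field is simply omitted
the parser reports the short count instead of failing on it.
"""
from typing import Dict, List, Tuple

RDATA_FIELDS = ("order", "preference", "flags", "service", "regexp", "replacement")
Token = Tuple[str, bool]  # (text, was_quoted)


def tokenize(line: str) -> List[Token]:
    """Split a record into (text, was_quoted) tokens.

    A quoted string may be empty and may contain spaces or backslash-escaped
    characters; an unterminated quote is an error rather than a dropped token.
    """
    tokens: List[Token] = []
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == '"':
            i += 1
            buf: List[str] = []
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character literally
                buf.append(line[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted string")
            i += 1  # skip the closing quote
            tokens.append(("".join(buf), True))
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] != '"':
                j += 1
            tokens.append((line[i:j], False))
            i = j
    return tokens


def _uint16(name: str, tok: Token) -> int:
    text, quoted = tok
    if quoted or not text.isdigit() or int(text) > 65535:
        raise ValueError(f"{name} must be an unquoted integer 0-65535, got {text!r}")
    return int(text)


def _char_string(name: str, tok: Token) -> str:
    text, quoted = tok
    if not quoted:
        raise ValueError(f'{name} must be a quoted string (write "" when empty), got {text!r}')
    return text


def parse_naptr(line: str) -> Dict[str, object]:
    """Parse '<owner> <ttl> IN NAPTR <order> <pref> "flags" "service" "regexp" <replacement>'."""
    toks = tokenize(line)
    if len(toks) < 4 or toks[2][0].upper() != "IN" or toks[3][0].upper() != "NAPTR":
        raise ValueError("expected '<owner> <ttl> IN NAPTR ...'")
    ttl, ttl_quoted = toks[1]
    if ttl_quoted or not ttl.isdigit():
        raise ValueError(f"ttl must be an unquoted integer, got {ttl!r}")
    rdata = toks[4:]
    if len(rdata) != len(RDATA_FIELDS):
        # This is the case from the release note: a missing "" shifts every
        # later field and leaves the parser one argument short.
        raise ValueError(
            f"NAPTR needs {len(RDATA_FIELDS)} rdata fields, got {len(rdata)}; "
            'an empty flags/service/regexp field must be written as ""'
        )
    replacement, quoted = rdata[5]
    if quoted:
        raise ValueError("replacement must be an unquoted domain name")
    return {
        "owner": toks[0][0],
        "ttl": int(ttl),
        "order": _uint16("order", rdata[0]),
        "preference": _uint16("preference", rdata[1]),
        "flags": _char_string("flags", rdata[2]),
        "service": _char_string("service", rdata[3]),
        "regexp": _char_string("regexp", rdata[4]),
        "replacement": replacement,
    }


def check_naptr(line: str) -> Tuple[bool, str]:
    """Validate a record and return (ok, message) instead of raising."""
    try:
        rec = parse_naptr(line)
    except ValueError as exc:
        return False, str(exc)
    return True, f"ok: order={rec['order']} pref={rec['preference']} regexp={rec['regexp']!r}"


# The valid line from the release note, and a constructed copy with the "" omitted.
VALID = 'foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.'
MISSING_EMPTY = 'foo.example.com. 19799 IN NAPTR 100 7 "u" "good" bar.example.com.'

if __name__ == "__main__":
    for line in (VALID, MISSING_EMPTY):
        ok, msg = check_naptr(line)
        print(("PASS " if ok else "FAIL ") + msg)
```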


507549-1 : PEM may ignore a RAR if the target session is in the Provision-Pending state

Component: Policy Enforcement Manager

Symptoms:
A session may remain in the Provision-Pending state longer than desirable resulting in the wrong policies being applied for the session.

Conditions:
When a new session is created, PEM sends out a CCR-I and expects a CCA-I within a certain time. If the CCA-I from the PCRF is delayed/lost, this can result in the session remaining in the Provision-Pending state (which implies waiting for PCRF to provide a policy update for the session) for longer than desired. PEM will continue to retransmit CCR-I until a CCA-I is received from the PCRF. During this time period if a RAR is received from the PCRF, it will be ignored and thus the PCRF is unaware of the state of the session.

Impact:
While in the Provision-Pending state, PEM does not have any specific policies to apply to the new session. Consequently, it will continue to apply the Unknown-subscriber policies for the session as long as it continues to stay in the P-P state.

Fix:
Modified the state machine to generate an RAA with an error status to indicate to the PCRF that the RAR was not accepted.


507529-1 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow

Component: Local Traffic Manager

Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.

Conditions:
The chassis is configured for network mirroring within cluster.

There is more than one blade installed in the system or vcmp guest.

A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).

Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes.

Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.


507490-1 : Invalid HTTP/2 input can cause the TMM to hang

Component: Local Traffic Manager

Symptoms:
An HTTP/2 frame with an overlarge encoded size can cause the TMM to hang.

Conditions:
A malformed HTTP/2 stream with overlarge lengths.

Impact:
The TMM will hang until killed by SOD.

Workaround:
None.

Fix:
The HTTP/2 filter now handles oversize headers correctly.


507487-1 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool

Component: TMOS

Symptoms:
The BIG-IP system continues announcing RHI routes when Virtual Servers and Virtual Addresses are down.

Conditions:
The issue occurs in the following case:
 - Have a VIP with pool selection via iRule.
 - Configure RHI on the VAddr corresponding to the VIP.
 - Down the pools (for example, by toggling between an HTTP monitor (up) and a UDP monitor (down)).
 - VIP, VAddr, and pools are red.
 - Run the imish command.

Impact:
The kernel route still is announced, which might cause other network devices to be confused on the network status, so the impact varies.

Workaround:
Configure virtual server with default pool instead of iRule.

Fix:
Added validation for virtual server iRule pools.


507461-6 : Net cos config may not persist on HA unit following staggered restart of both HA pairs.

Component: TMOS

Symptoms:
The net cos global-settings may be cleared on a HA unit, as a result of a HA pair configuration sync.

Conditions:
With fully synced pair of HA chassis, restart active chassis blade and then restart standby chassis blade.

Impact:
A portion of the cos config information on the active chassis blade is missing, resulting in incongruent cos behavior between active and standby.

Workaround:
None.

Fix:
The system no longer resets active net cos settings during device/group HA configuration sync operations.


507327-1 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove anything causing an error reading a stats file such as deleting unneeded files or fixing permissions.

Fix:
A memory leak reading stats has been fixed.


507321-3 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If a JavaScript application uses a user-defined object that contains 'origin', 'source' and 'data' fields with NULL values, any attempt to get these values fires an error.

Conditions:
A user-defined JavaScript object with 'origin', 'source' and 'data' fields, with a NULL value in any of these fields, for example:

var a = { origin: null , data:null , source:null };

Any attempt to read these values leads to a JavaScript error in Portal Access scripts.

Impact:
Web application does not work correctly.

Fix:
User-defined JavaScript objects with 'origin', 'source' and 'data' fields may now contain any values in these fields.


507318-3 : JS error when sending message from DWA new message form using Chrome

Component: Access Policy Manager

Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.

Conditions:
If the user clicks the Send button on the new message form, the following JavaScript errors appear:
 - cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined
 - OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&…:37 Uncaught TypeError: Cannot read property 'EgI' of undefined.

Impact:
The message is sent, but the tab is not closed.

Workaround:
None.

Fix:
When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.


507312-1 : icrd segmentation fault

Component: TMOS

Symptoms:
icrd segmentation fault generates a core

Conditions:
Multiple signals to the same Quit signal handler

Impact:
Core generated

Workaround:
N/A

Fix:
Simplified the std::map to an array to avoid problems with signal races.


507289-3 : User interface performance of Web Application Security Editor users

Component: Application Security Manager

Symptoms:
Slow GUI performance for Web Application Security Editor users

Conditions:
At least 100 active security policies in the system

Impact:
Most ASM pages take more than 5 seconds to load for Web Application Security Editor users.

Workaround:
There is no workaround at this time.

Fix:
ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.


507143-1 : Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion

Component: Service Provider

Symptoms:
tmm cores due to 'valid pcb' assertion.

Conditions:
This can happen when the Diameter filter:
 - Receives and queues HUDCTL_SHUTDOWN event.
 - Receives a HUDCTL_ABORT event before HUDCTL_SHUTDOWN has been unqueued.

Impact:
tmm abort and restart.

Fix:
Diameter filter will now queue HUDCTL_ABORT events to prevent leapfrogging previously queued events.


507139-1 : Invalid HTTP/2 input can cause the TMM to hang

Component: Local Traffic Manager

Symptoms:
An HTTP/2 frame with a too-small encoded size can cause the TMM to hang.

Conditions:
A malformed HTTP/2 stream with a frame shorter than the encoded contents.

Impact:
The TMM will hang until killed by SOD.

Workaround:
None.

Fix:
The HTTP/2 filter now handles short frames correctly.


507127-2 : DNS cache resolver is inserted to a wrong list on creation.

Component: Local Traffic Manager

Symptoms:
When a DNS cache resolver is created, it should be added to the cache resolver linklist. However, it is instead added to an incorrect linklist.

Conditions:
When creating a new DNS cache resolver.

Impact:
Unable to find the DNS cache resolver when searching the resolver link list.

Workaround:
None.

Fix:
DNS cache resolver is added to the correct linklist on creation and removed from the correct linklist on deletion.


507116-1 : Web-application issues and/or unexpected exceptions.

Component: Access Policy Manager

Symptoms:
Web-application issues and/or unexpected exceptions.

Conditions:
Undisclosed conditions related to web-applications.

Impact:
Unexpected web-application functionality.

Workaround:
None.

Fix:
Web-application issues have been fixed.


506734 : Cloud lookup stress condition

Component: Policy Enforcement Manager

Symptoms:
This is a problem specific to a URL Cloud lookup.

Conditions:
When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), TMM slows down and data path traffic is throttled.

Impact:
TMM slows down. Data path traffic is throttled.

Workaround:
Self correcting after the normal URL traffic resumes.

Fix:
Thresholds were introduced in TMM. When the number of URLs that require cloud lookup exceeds the TMM limit (currently 64 unprocessed requests), URL cloud categorization is not attempted.


506702-4 : TSO can cause rare TMM crash.

Component: Local Traffic Manager

Symptoms:
TSO can cause rare TMM crash.

Conditions:
When TSO is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TSO no longer causes rare TMM crash.


506578 : Webroot cloud lookup does not yield a category.

Component: Policy Enforcement Manager

Symptoms:
If the URL portion of the cloud query (HOST and URL) contains uppercase letters, the returned result contains the URL in lowercase. This converted URL does not match a subsequent request for the same URL, so the URL goes uncategorized.

Conditions:
This occurs when Webroot cloud lookup is enabled and the incoming HTTP request has a URL with some uppercase letters (the host portion is case insensitive). This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions.

Workaround:
None.

Fix:
Webroot cloud lookups are now categorized correctly. The request URL is stored in the cache without case conversion, so a subsequent HTTP request with the same URL is found in the cache.


506407 : Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages

Component: Application Security Manager

Symptoms:
Redirect Response pages become 'invalid' and lose their redirect URL configuration after upgrade.

Conditions:
1) In 11.2.x a policy existed with a redirect response page where the Response Header had a 'Location' command in it.

2) Policy or device is upgraded to 11.4.x or 11.5.x (pre 11.5.3 HF2)

3) Policy or device is upgraded to 11.6.0 (pre 11.6.0 HF5).

Impact:
The Alternate Response Page is no longer valid and no longer redirects users to the desired URL.

Workaround:
Before upgrade, ensure the redirect URL is correctly configured.

Fix:
Upgrade to 11.6.x now correctly retains redirect URLs for Alternate Response Pages.


506386-2 : Automatic ASM sync group remains stuck in init state when configured from tmsh

Component: Application Security Manager

Symptoms:
When a failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh, the units sit waiting for an "initial sync" event which never comes. All subsequent sync events are Incremental and never Full.

Conditions:
A failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh.

Impact:
Infrequently an initial sync event fails after ASM and auto-sync are enabled on a failover device group that did not have ASM enabled.

Workaround:
Configure the ASM device sync flag before the initial sync, or configure it from the GUI.

Fix:
We fixed an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.


506372 : XML validation files related errors on upgrade

Component: Application Security Manager

Symptoms:
The following error appears in the ASM log after upgrade:

PLC.PL_XML_PROFILE_VALIDATION_FILES is missing xml_validation_file_id (0) -- skipping

Conditions:
ASM provisioned.
ASM policy with XML profile and validation files are assigned.

Impact:
XML validation files are not properly upgraded.

Workaround:
N/A

Fix:
XML validation files are now properly upgraded.


506355-1 : Importing an XML file without defined entity sections

Component: Application Security Manager

Symptoms:
Importing an XML file without entity sections defined will not create default wildcard entities in the security policy.

Conditions:
Importing a partially defined XML security policy file.

Impact:
Policy was not created with default entities as expected.

Workaround:
Add the missing entities after importing the incomplete XML file.

Fix:
Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.


506349-4 : BIG-IP Edge Client for Mac identified as browser by APM in some cases

Component: Access Policy Manager

Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if the user connects again using the link on the logout page that says "Click here to open new session".

Conditions:
APM, Mac Edge Client

Impact:
Impact depends upon access policy but user might not be able to connect.

Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.

Fix:
APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".


506304-2 : UDP connections may stall if initialization fails

Component: Local Traffic Manager

Symptoms:
UDP connections that never expire. tmm logs containing 'hud queue full' errors.

Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire then they will linger forever.

Impact:
Stalled connections. Increased memory usage.

Fix:
UDP connections no longer stall if initialization fails.


506290-4 : MPI redirected traffic should be sent to HSB ring1

Component: Local Traffic Manager

Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.

Conditions:
Large amount of MPI redirect traffic.

Impact:
Potential packet drops on HSB ring0.

Workaround:
None.

Fix:
Send MPI redirected traffic to HSB ring1, which is correct behavior.


506286-1 : TMSH reset of DOS stats

Component: Advanced Firewall Manager

Symptoms:
DOS stat reset via TMSH results in TMM restarts and cores.

Conditions:
Reset DOS stats via TMSH command

Impact:
TMM restarts and core files

Workaround:
N/A

Fix:
Corrected the reset command to prevent cores and restarts.


506283 : 100% TPS drop when webroot cloud lookup is enabled under stress condition

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and the BIG-IP system is under stress load with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system, the TPS of the data path traffic slows down as it gets throttled.

Conditions:
If Webroot cloud lookup is enabled while there is heavy traffic with URLs that cannot be categorized by the local Webroot database managed on the BIG-IP system.

Impact:
TPS throughput may be reduced while this condition persists. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The system now throttles URL cloud lookup requests when PEM detects that the number of URLs that require cloud lookup exceeds the TMM limits/thresholds.


506282-1 : GTM DNSSEC key generation is not synchronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


506281 : F5 Internal tool change to facilitate creating Engineering Hotfixes.

Component: TMOS

Symptoms:
F5 Internal tool change to facilitate creating Engineering Hotfixes.

Conditions:
Engineering Hotfix creation.

Impact:
No customer impact.

Fix:
Configuration Management tools fix for better reliability.


506235-2 : SIGSEGV caused by access_redirect_client_to_original_uri

Component: Access Policy Manager

Symptoms:
TMM might core, possibly more than once in quick succession (within a few minutes).

Conditions:
BIG-IP v11.5.1 HF6 or later with APM provisioned.

Impact:
TMM core:
 - Failover to standby (if applicable).
 - Possible additional TMM cores on Active and Standby units. If the BIG-IP system is configured in an HA pair, TMM might core on the Standby unit shortly after the Active unit. The TMM log entries reporting the TMM core might not include any stack trace details.

Fix:
This release fixes a TMM core that occurred with APM provisioned.


506223-2 : A URI in request to cab-archive in iNotes is rewritten incorrectly

Component: Access Policy Manager

Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9).

Conditions:
Web application runs through Portal Access

Impact:
Installation of iNotes plug-ins is impossible.
Some resources may not be loaded.

Fix:
Portal Access rewrites URIs correctly.


506199-4 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple VCMP guests are configured on a VDAG platform, cycles of provisioning and deprovisioning the guests can cause the switch rules that play a role in disaggregation to be programmed in an order that sends packets to the wrong TMM in a guest, lowering dataplane performance.

Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following: config # tmctl -d blade tmm/flow_redir_stats. This presents results similar to the following:
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
 0 0 0 1 636991

Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following: config # tmctl -d blade switch/vdag_dest_hits -w 200. This presents results similar to the following:
slot dst_mod dst_port dst_trunk hits red_hits
---- ------- -------- --------- ------ --------
   1 1 0 0 0 0
   1 7 0 0 0 0
   1 13 0 0 0 0
   1 19 0 0 0 0
   1 0 0 0 0 0
   1 1 5 0 509100 0
   1 1 6 0 0 0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each affected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd

Fix:
The system now ensures that VDAG entries are ordered correctly, to avoid cases where VCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.


506110-1 : Log flood within datasyncd.log in clustered environment

Component: Application Security Manager

Symptoms:
Log flooding occurs within datasyncd.log every few seconds:
rsync: failed to connect to 127.3.0.3: No route to host (113).

Conditions:
Within a clustered environment, when one or more of the blades are down, powered off, disabled, or not populated. This may happen on a blade that is powered on, or when the cluster is added to a trust domain. The logged messages continue for a duration from a few minutes to a few hours.

Impact:
No impact to traffic. Messages are added to datasyncd.log every few seconds.

Workaround:
None.

Fix:
datasyncd.log no longer causes a log flood in clustered environments where one or more of the blades are either down, powered off, disabled, or not populated.


506041-2 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync.

This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder.

This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error.

Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


506034-3 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)

Vulnerability Solution Article: SOL16393


505986 : Extra Webroot cloud lookup requests when cache is full

Component: Policy Enforcement Manager

Symptoms:
When the Webroot cloud lookup cache is full, additional Webroot cloud lookup requests are made to Webroot cloud services for URL inputs that cannot be categorized by the local Webroot database and the cloud lookup cache managed on the BIG-IP system.

Conditions:
This occurs when Webroot cloud lookup is enabled, and the 128 KB-sized cloud-entries internal cache is full.

Impact:
Additional Webroot cloud lookup requests are sent to the Webroot cloud service under certain conditions. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
Webroot cloud lookup requests are no longer sent out to the cloud if the cloud lookup cache is full. This is correct behavior.


505964 : Invalid http cookie handling can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If an HTTP cookie is invalid, subsequent modifications to HTTP cookie entries can result in a TMM core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.


505878 : Configuration load failure on secondary blades may occur when the chassis is rebooted

Component: TMOS

Symptoms:
On secondary blades, errors similar to the following appear in the ltm log:

-- err mcpd[8115]: 01070821:3: User Restriction Error: User (Unknown) may not change the role of Administrator (t004576a).
-- err mcpd[8115]: 01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
-- err mcpd[8115]: 01070734:3: Configuration error: MCPProcessor::check_initialization:.

Conditions:
A multi-bladed system is required, along with the presence of a user account (other than admin or root) that has Administrator privileges. The issue may then occur with a reboot of some or all of the blades.

Impact:
Secondary blades are offline.

Workaround:
None.

Fix:
Configuration now loads to completion on secondary blades.


505797-1 : Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android fails to authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.

Conditions:
APM is configured in StoreFront proxy mode for AGEE authentication and Citrix Receiver for Android is used.

Impact:
Citrix Receiver for Android is unable to authenticate with APM.

Fix:
Now Citrix Receiver for Android can successfully authenticate with APM when it is configured in StoreFront proxy mode for AGEE authentication.


505755-3 : Some scripts on dynamically loaded html page could be not executed.

Component: Access Policy Manager

Symptoms:
Some scripts on a dynamically loaded HTML page might not execute.

Conditions:
A dynamically loaded HTML page accessed through Portal Access.

Impact:
Web application accessed via Portal Access does not work as expected.

Workaround:
None.

Fix:
Fixed an issue in Portal Access that could affect script execution in documents.


505662-1 : Signed SAML IdP/SP exported metadata contains some elements in wrong order

Component: Access Policy Manager

Symptoms:
Location of <Signature> element is incorrect when exporting signed metadata from the BIG-IP system when configured as a SAML Identity Provider (IdP) or Service Provider (SP).

Conditions:
BIG-IP is configured as IdP or SP.
Administrator chooses to sign exported metadata.

Impact:
External SAML product may not be able to import metadata produced by BIG-IP system.

Workaround:
The metadata can be edited manually in a text editor to move the <Signature> element to the correct location.

Fix:
The location of the <Signature> element is now correct in exported signed metadata, whether the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP).


505624-1 : Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration

Component: Advanced Firewall Manager

Symptoms:
A remote logger will continue to get DoS layer 7 messages after it was removed from the virtual server configuration.

Conditions:
A remote logger was connected to a virtual server and the user removed it from the virtual server configuration.

Impact:
That remote logger will continue to get DoS layer 7 messages.

Workaround:
Restart the DoS layer 7 daemon: bigstart restart dosl7d

Fix:
An issue where the DoS profile continued to write to a removed logging profile was fixed.


505529 : wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.

Component: Policy Enforcement Manager

Symptoms:
On a VIPRION chassis, the wr_urldbd daemon may restart continuously.

Conditions:
Webroot cloud lookup is enabled on a specific platform, such as VIPRION.

Impact:
When Webroot cloud lookup is enabled on certain platforms, such as VIPRION, the PEM URL categorization feature is disrupted by the wr_urldbd daemon restarts.

Workaround:
None.

Fix:
wr_urldbd no longer restarts on a VIPRION chassis with Webroot lookup enabled.


505331-1 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505323-1 : NSM hangs in a loop, utilizing 100% CPU

Component: TMOS

Symptoms:
The NSM daemon hangs in an endless loop while searching for a recursive nexthop in a trie. This causes NSM to become unresponsive.

Conditions:
Configure BGP with recursive nexthop.

Impact:
Dynamic routing fails to be responsive to imish commands, and NSM might not update routes.

Workaround:
None.

Fix:
The NSM endless loop has been fixed; NSM no longer hangs, and dynamic routing operates normally.


505222-2 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic is large.

Conditions:
The DTLS egress queue has a maximum of 127 elements (the default).
When traffic is large enough, the queue reaches this limit and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
The maximum number of queue elements can be raised from 127 to a larger value with a DB variable.

Fix:
In the previous implementation, DTLS sent CN requests one at a time: it sent one request, waited for the response, and only then sent the next one.

The fix sends multiple requests to CN concurrently.


505097-1 : lsn-pool backup-member not propagated to route table after tmrouted restart

Component: Carrier-Grade NAT

Symptoms:
The lsn-pool backup-member prefix is not in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.

Conditions:
An lsn-pool has route-advertisement enabled and backup-members configured; the backup-member prefix is not properly propagated to the route-domain routing table after a tmrouted restart.

Impact:
No routes for lsn-pool backup-member prefix.

Workaround:
Remove and re-add lsn-pool backup members.

Fix:
The lsn-pool backup-member prefix is now present in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.


505069 : Webroot cloud lookup granularity

Component: Policy Enforcement Manager

Symptoms:
When Webroot cloud lookup is enabled and a URL cannot be categorized using the local Webroot database managed on the BIG-IP system, the Webroot cloud database lookup treats the entire URL as one query rather than querying by its subparts.

Conditions:
Webroot cloud lookup is enabled, the first request is for example.com/url1, and the second request is for example.com/url2; the second URL request results in an unnecessary cloud lookup.

Impact:
Potential performance impact due to additional, unnecessary Webroot cloud lookups. This only occurs when Webroot cloud lookup is enabled; the Webroot cloud lookup feature is disabled by default.

Workaround:
None.

Fix:
The issue has been addressed with granular Webroot cloud lookup: the first URL's cloud lookup request now retrieves all cloud results, so additional Webroot cloud lookups can be avoided.


505059-1 : Some special characters are not properly handled for username and password fields in TCL monitors

Component: Local Traffic Manager

Symptoms:
Pool members are marked down.

Conditions:
Special characters such as " or \ appear in the username or password fields of FTP, IMAP, or POP3 monitors.

Impact:
Pool members are marked down.

Workaround:
Remove the special characters from the password and username.

Fix:
Special characters in the username and password fields are now handled properly.


505056-5 : BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.

Component: Local Traffic Manager

Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of the ingress packet on the same flow.

Conditions:
Hardware COS queue feature is enabled.

Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.

Workaround:
None.

Fix:
Packet priority passthrough mode now sends the correct packet priority and delivers packets on the correct switch COS queue.


505045-1 : MAP implementation not working with EA bits length set to 0.

Component: TMOS

Symptoms:
MAP implementation not working with EA bits length set to 0.

Conditions:
A MAP-E tunnel profile is configured with ea-bits-length equal to 0 and ip4-prefix-length greater than 0. The affected cases are:
- ea-bits-length is 0 and ip4-prefix-length is greater than 0.
- ip6-prefix-length plus ea-bits-length (the MAP domain prefix-length) is greater than 48 bits. In this case, the Interface ID in the IPv6 destination address is overwritten.

Impact:
MAP-E tunnel does not work.

Workaround:
None.

Fix:
MAP implementation is now working with EA bits length set to 0.


504973-1 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.

Fix:
When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.


504899-2 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)

Component: Local Traffic Manager

Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.

Conditions:
No special conditions required other than to perform the configuration changes.

Impact:
Because duplicated snat-translation addresses may exist, a change to an address entry that is assigned to a snatpool may not affect the right entry. For example, given the following snat-translation addresses:

snat_address_01 address 1.2.3.1
1.2.3.1(anonymous) address 1.2.3.1

And the following snatpool:

snat_pool { 1.2.3.1 1.2.3.2 }

If snat_address_01 (whose address, 1.2.3.1, is a member of snat_pool) is changed, the actual snat_pool member (the anonymous 1.2.3.1 entry) is not updated with the new setting, so the change has no effect.


504880-2 : TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway

Component: Access Policy Manager

Symptoms:
TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway.

Conditions:
APM configured as Remote Desktop Gateway. RDP client connects to APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is fixed for the scenario where RDP client connects to APM configured as Remote Desktop Gateway.


504718-2 : Policy auto-merge of Policy Diff

Component: Application Security Manager

Symptoms:
Running auto-merge on the Diff of two policies fails.

Conditions:
Running auto-merge on the Diff results of two policies.

Impact:
Policies cannot be auto-merged after viewing Diff.

Workaround:
None.

Fix:
The auto-merge functionality of Policy Diff now works as expected.


504633-1 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This can cause good records with sequence numbers below the new expected value to be dropped.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop good records whose sequence numbers are smaller than that of the bad record.

Workaround:
None.

Fix:
The system now updates the 'expected next sequence number' only when the record is good.


504627-1 : Valid RADIUS sessions are deleted for session inactivity if no subscriber traffic exists during the session timeout period.

Component: Policy Enforcement Manager

Symptoms:
Valid sessions may be deleted after the session timeout period expires with no subscriber traffic, even if RADIUS accounting updates are being sent within the timeout period.

Conditions:
Sessions are created through RADIUS and remain open with no subscriber traffic for 2 minutes or longer.

Impact:
Valid sessions fail due to lack of activity and the user must re-authenticate. RADIUS Accounting-Request updates are not sufficient to keep the sessions open.

Workaround:
None.

Fix:
Active, valid sessions are no longer deleted before the timeout due to a lack of traffic.


504606-3 : Session check interval now has minimum value

Component: Access Policy Manager

Symptoms:
Session check interval can be changed or turned off completely for debug purposes.

Conditions:
Using the session check interval.

Impact:
Session check interval may be set to excessively short value.

Workaround:
None.

Fix:
Session check interval now has a minimum (5000 msec), which prevents the value from being too small.


504572-4 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue

Component: TMOS

Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.

Conditions:
The packets need to be fully accelerated by ePVA.

Impact:
Potential performance downgrade.

Workaround:
None.

Fix:
PVA accelerated 3WHS packets are now egressed on the correct hardware COS queue.


504496-3 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.

Fix:
AAA Local User Database now syncs correctly.


504494-2 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.

Component: TMOS

Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.

Conditions:
Before the upgrade, a disabled HA Group exists.
The upgrade is from 10.2.x or 11.x (pre-11.5.0) to 11.5.x or later, but to a version earlier than 12.0.0, 11.5.4, or 11.6.1.

Impact:
If the BIG-IP system is rebooted after the upgrade, it is possible that the system will fail over, because the HA group score is used even though the HA group is disabled.

Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.

Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.


504490-1 : The BIG-IP system sometimes takes longer on boot up to become Active.

Component: TMOS

Symptoms:
The system takes several minutes longer than normal after boot up to go from Offline to Active.

Conditions:
This timing issue occurs rarely on boot up. It might occur more frequently on older platforms running newer versions of the software.

Impact:
Because of a timing issue during system load, it takes longer for the system to become ready to pass traffic after being deployed or rebooted.

Workaround:
None.

Fix:
A BIG-IP system no longer takes longer than normal to become Active on boot up due to this particular underlying issue.


504461-2 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.

Component: Access Policy Manager

Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.

Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.

Impact:
APM is unable to complete the access policy.

Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.


504414-1 : AVR HTTP External log - missing fields

Component: Application Visibility and Reporting

Symptoms:
New fields were added to HTTP statistics in version 11.6 and they are available in the Configuration utility, but they were not exported out to the external log.

Conditions:
Use AVR HTTP profile, with the external log option.

Impact:
Some information that AVR can provide is missing.

Workaround:
None.

Fix:
We added these previously missing fields to the external report:
DosL7ProfileName
TransactionOutcome
DosL7AttackID


504348-1 : iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers

Component: Service Provider

Symptoms:
ADAPT iRules cannot inspect adapted headers because the rule sees the original headers before the request is adapted.
Similarly for the ADAPT_RESPONSE_RESULT event.

Conditions:
Using request-adapt or response-adapt profiles, and an internal virtual server that can modify the HTTP headers.

Along with an iRule such as:
when ADAPT_REQUEST_RESULT {
        log local0. "Modified host = [HTTP::host]"
}

Impact:
It is impossible to inspect the modified headers. One consequence is that if a request adaptation modifies the 'Host:' value, it is not possible to use an iRule to apply that to the transport connection, and as a result the modified request goes to the original server.

Workaround:
None.

Fix:
Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.

Behavior Change:
Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.


504306-2 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur.

For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers.

BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504232-1 : Attack signatures are not blocked after signature/set change

Component: Application Security Manager

Symptoms:
System wide signature updates, like Attack Signature Update, can cause some security policies to erroneously change their enforcement of attack signatures to Transparent mode.

Conditions:
There are security policies in both Transparent and Blocking mode, and there is an update to the system's attack signatures.

Impact:
A security policy will not block attack signatures that are meant to be blocked.

Workaround:
Toggle the transparent/enforce flag on a security policy, and apply the security policy.

Fix:
We fixed an issue that caused false positives or a lack of enforcement (such as not blocking) when attack signatures were updated or modified.


504225-2 : Virtual creation with the multicast IPv6 address returns error message

Component: Local Traffic Manager

Symptoms:
When LTM has a DHCPv6 profile (relay mode) attached to a virtual server configured with a multicast IPv6 address, it returns the error message '01020064:3: IPv6 Address ff02::1:2 is invalid, Multicast address not allowed.'

Conditions:
Create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 profile (relay mode) attached.

Impact:
Cannot create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 relay mode profile attached.

Workaround:
None.

Fix:
You can now create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 profile (relay mode) attached.


504182-1 : Enforcer cores after upgrade upon the first request

Component: Application Security Manager

Symptoms:
If an ASM security policy contains entities with invalid configuration from a previous version, UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Conditions:
An ASM security policy contains entities with invalid configuration from a previous version. This can occur on an upgrade from 11.5.x to 11.6.0 prior to HF5.

Impact:
UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Workaround:
Correct ASM entity configuration before upgrade.

Fix:
We fixed an upgrade issue where the Enforcer crashed after the upgrade upon the first request (this was due to a missing data protection configuration).


504105-4 : RRDAG enabled UDP ports may be used as source ports for locally originated traffic

Component: Local Traffic Manager

Symptoms:
RRDAG enabled UDP ports may be used as the source port on locally originated connections.

Conditions:
RRDAG is enabled.

Impact:
Connections may be forwarded between TMMs, resulting in a performance impact.

Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.


504060 : iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode

Component: Access Policy Manager

Symptoms:
Creating a new account in Citrix Receiver for MacOS or iOS fails.

Conditions:
A user creates a new account in Citrix Receiver for MacOS or iOS.

Impact:
User is not able to access Store.
An error is displayed and the account is not created.

Workaround:
None.

Fix:
The AGEE authentication request no longer contains a 'Connection: close' header, so the connection is kept alive.


504031-1 : document.write()/document.writeln() redefinition does not work

Component: Access Policy Manager

Symptoms:
document.write()/document.writeln() redefinition does not work. Initial function is used instead.

Conditions:
When web application JavaScript tries to redefine document.write() and/or document.writeln().

Impact:
Web application layout and/or logic can be broken.

Fix:
Web application JavaScript can successfully redefine document.write and document.writeln.


504028-1 : Generate CCR-T first and then CCR-I if session being replaced

Component: Policy Enforcement Manager

Symptoms:
CCR-I was sent first and then CCR-T if the same subscriber session was created with a different IP address. This could confuse the PCRF, which for a period of time sees two active sessions for the same subscriber.

Conditions:
A session is created with subscriber ID S1 and address IP1, and a new RADIUS Start or session-create request arrives with S1 and IP2.

Impact:
CCR-I is generated first and then CCR-T, which confuses a PCRF that uses the subscriber ID as its key to the subscriber session.

Fix:
Upgrade to the latest hotfix or version that contains the fix for this issue.


504021-1 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled

Component: Carrier-Grade NAT

Symptoms:
An lsn-pool with route-advertisement enabled does not have its routes properly propagated to the routing table.

Conditions:
The route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and an lsn-pool member is added.

Impact:
Route entries for lsn-pool members with route-advertisement enabled are not propagated to the routing table.

Workaround:
Either 1) restart tmrouted after enabling the routing protocol for the desired route-domain, or 2) toggle route-advertisement on the lsn-pool after enabling the routing protocol for the desired route-domain.

Fix:
A route-domain with a routing protocol enabled now has routes for lsn-pool members, regardless of the order in which the routing protocol and route-advertisement are enabled.


503979-1 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.

Component: Local Traffic Manager

Symptoms:
When the DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server responds slowly and the cache resolver sends queries to name servers at a high rate, the CPU usage of the BIG-IP system might be very high.

Conditions:
(1) Configure the cache resolver with a large value (for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp.
(2) The cache resolver sends queries to the name servers at a high rate.
(3) The backend name server is responding slowly to the cache resolver.

Impact:
The CPU usage might be extremely high. Site might be unstable.

Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.

Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.


503924-1 : Citrix receivers cannot authenticate

Component: Access Policy Manager

Symptoms:
Citrix Receivers do not successfully authenticate when the username or password contains an ampersand and StoreFront is configured without an APM gateway.

Conditions:
This occurs with Citrix Receivers for all users that have an ampersand in either their username or password.

Impact:
These users cannot authenticate.

Workaround:
For affected users that have an ampersand in their password, you can ask them to change to a password that does not contain an ampersand.

Fix:
Citrix Receivers now successfully authenticate when the username or password contains an ampersand and StoreFront is configured without an APM gateway.


503875-1 : Configure bwc policy category max rate

Component: TMOS

Symptoms:
When the category max rate percentage is configured with a low value relative to the policy max user rate, some packets might be dropped.

Conditions:
The bwc policy is configured as dynamic, with categories, and the category max rate is configured to a low value when the policy is provisioned and mapped to traffic flows.

Impact:
Packets in flows using the bwc policy and category may be dropped; the flows mapped to the category might not be able to pass packets.

Workaround:
Configure the category rate as an absolute value that is higher relative to the policy max user rate.

Fix:
Category max rate percentage is now configured to ensure valid settings.


503741-2 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS chose to disconnect the session when it received an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.

Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
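The two DTLS fixes above (504633, which stops the expected sequence number from advancing on a bad record, and 503741, which stops a bad record from tearing down the association) both come down to one rule: a record that fails authentication must not change receiver state. The following Python model, added here as an illustration and not BIG-IP code, implements an RFC 6347 style sliding anti-replay window and exposes the two pre-fix behaviours as knobs so their effect on later good records can be compared. The record MAC is a truncated HMAC-SHA256 over a constructed key, and the record stream (including a forged record with sequence number 10000) is constructed for the example.

```python
"""DTLS-style record acceptance: sliding anti-replay window plus the two
pre-fix behaviours described in 504633 and 503741 (constructed example)."""
import hashlib
import hmac

WINDOW = 64  # RFC 6347 4.1.2.6 recommends a window of at least 64 records

# Constructed demo key; a real implementation derives keys from the handshake.
DEMO_KEY = b"demo-record-protection-key"


def record_tag(key, seq, payload):
    """Stand-in for the DTLS record MAC: truncated HMAC-SHA256 over the
    48-bit sequence number and the payload (constructed for this example)."""
    msg = seq.to_bytes(6, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class DtlsReceiver:
    def __init__(self, key, advance_on_bad=False, close_on_bad=False):
        self.key = key
        # Legacy knobs reproduce the behaviour the two fixes removed:
        self.advance_on_bad = advance_on_bad  # 504633: slide window on bad record
        self.close_on_bad = close_on_bad      # 503741: tear down on bad record
        self.right = -1   # highest authenticated sequence number seen so far
        self.bitmap = 0   # bit i set => record (right - i) already received
        self.closed = False
        self.diagnostics = []  # RFC 6347 permits logging invalid records

    def _slide(self, seq):
        """Move the window's right edge up to seq (requires seq > self.right)."""
        shift = seq - self.right
        self.bitmap = (self.bitmap << shift) & ((1 << WINDOW) - 1)
        self.right = seq

    def receive(self, seq, payload, tag):
        if self.closed:
            return "closed"
        # Authenticate first: an unauthenticated record must not touch state.
        if not hmac.compare_digest(record_tag(self.key, seq, payload), tag):
            self.diagnostics.append(f"bad record seq={seq}")
            if self.advance_on_bad and seq > self.right:
                self._slide(seq)        # pre-504633: trusts the forged seq
            if self.close_on_bad:
                self.closed = True      # pre-503741: one bad datagram kills session
            return "discarded"          # fixed behaviour: silently discard
        if seq > self.right:
            self._slide(seq)
            self.bitmap |= 1
            return "accepted"
        diff = self.right - seq
        if diff >= WINDOW:
            return "too-old"
        if self.bitmap & (1 << diff):
            return "replay"
        self.bitmap |= 1 << diff
        return "accepted"


def run_scenario(advance_on_bad=False, close_on_bad=False):
    """Feed a constructed record stream through a receiver and return the
    per-record verdicts: two good records, a forged record with a huge
    sequence number and a wrong MAC, a good record, a replay, a good record."""
    rx = DtlsReceiver(DEMO_KEY, advance_on_bad, close_on_bad)

    def good(seq):
        return seq, b"app-data", record_tag(DEMO_KEY, seq, b"app-data")

    forged = (10_000, b"junk", bytes(16))  # constructed bad record
    stream = [good(1), good(2), forged, good(3), good(2), good(5)]
    return [rx.receive(*rec) for rec in stream]


if __name__ == "__main__":
    print("fixed:           ", run_scenario())
    print("pre-504633:      ", run_scenario(advance_on_bad=True))
    print("pre-503741:      ", run_scenario(close_on_bad=True))
```

With both knobs off, the forged record is discarded and the good records that follow (sequence numbers 3 and 5) are still accepted while the replay of 2 is rejected. With advance_on_bad set, the forged sequence number 10000 drags the window forward and every subsequent good record is rejected as too old, which is the drop described in 504633; with close_on_bad set, the association is gone after the forged datagram, which is the disconnect described in 503741.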


503683 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define scheduled report on top of 'Top alerted URLs' on previous version and upgrade the version. This can trigger on an upgrade to 11.6.0, but is fixed in 11.6.1 and beyond.

Impact:
Version upgrade fails, and the BIG-IP system is not usable.

Workaround:
Change the '/Common/Top Alerted URLs' reference in the bigip.conf file of the UCS to '/Common/Top Alarmed URLs', and then load the modified UCS.

Fix:
A configuration load failure no longer occurs after creating an ASM predefined report in a previous version and upgrading.


503676-4 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met: -- Virtual server has a SIP profile. -- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events. -- A SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
None.

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


503673-1 : APM sets MRHSession cookie on /cgi/login request from Citrix Receivers

Component: Access Policy Manager

Symptoms:
When Citrix Receiver clients send a /cgi/login request, APM replies with a response containing the MRHSession cookie.

Conditions:
APM is configured for Citrix replacement or proxy and Citrix Receiver clients are used.

Impact:
An unnecessary cookie value is sent to the client.

Fix:
APM no longer sets the MRHSession cookie on /cgi/login requests from Citrix Receivers.


503652-4 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Service Provider

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.

Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.


503620-3 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL, when using the ECDHE_ECDSA and DHE_DSS ciphers, does not work consistently with OpenSSL clients running OpenSSL 1.0.1k or later.

Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.

Impact:
The SSL handshake fails. The OpenSSL clients might encounter a decryption error while reading the server key exchange.

Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.

Fix:
BIG-IP SSL now works correctly with the ECDHE_ECDSA and DHE_DSS ciphers when the OpenSSL client version is 1.0.1k or later.


503604-3 : Tmm core when switching from interface tunnel to policy based tunnel

Component: TMOS

Symptoms:
When the configuration is changed from an interface tunnel to a policy-based tunnel, tmm crashes.
This is most likely a timing issue in which the pnh is not updated when the policy is updated, so the policy_type (policy_interface vs. policy_ipsec) is mismatched.

Conditions:
Traffic is passing in the background while the configuration is changed from an interface tunnel to a policy-based tunnel.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
tmm no longer cores when switching from an interface tunnel to a policy-based tunnel.


503560-2 : Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Component: Local Traffic Manager

Symptoms:
Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Conditions:
An HTTP transparent profile is attached to a virtual server. A Statistics profile then cannot be attached to the same virtual server.

Impact:
Only a Statistics profile or an HTTP transparent profile may be assigned to a single virtual server.

Workaround:
None.

Fix:
The validation logic has been changed to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.


503541-2 : Use 64-bit instead of 10-bit hashing in the Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
Rate Tracker 10-bit hashing may cause inaccurate rate limits for the Sweep and Flood DoS vectors.

Conditions:
When the Sweep and Flood vector is enabled in the AFM module.

Impact:
Reduced Sweep and Flood detection rate accuracy.

Workaround:
None.

Fix:
The system now uses 64-bit instead of 10-bit hashing in the Rate Tracker, which results in more accurate attack detection and mitigation.


503471-1 : Memory leak can occur when there is a compressed response, and abnormal termination of the connection

Component: Application Visibility and Reporting

Symptoms:
Memory utilization grows over time.

Conditions:
This issue occurs when the BIG-IP system sends a compressed response, and an abnormal termination of the connection occurs.

Impact:
Memory leak in TMM that grows over time.

Workaround:
Avoid configuration of Application DoS with Client-side mitigation.

Fix:
A memory leak has been fixed that occurred when there was a compressed response and an abnormal termination of the connection.


503384-1 : SMTP monitor fails on multi-line greeting banner in SMTP server

Component: Local Traffic Manager

Symptoms:
SMTP monitor fails.

Conditions:
This issue occurs when a multi-line greeting banner is configured on the SMTP server.

Impact:
SMTP monitor fails.

Workaround:
To work around this issue, configure a single-line greeting banner on the SMTP server.

Fix:
The SMTP monitor now succeeds with a multi-line greeting banner on the SMTP server.


503381-2 : SSL persistence may cause connection resets

Component: Policy Enforcement Manager

Symptoms:
If SSL persistence is enabled, and the resulting connection does not use SSL (that is, it is plaintext), the connection may be reset.

Conditions:
SSL persistence is enabled on a virtual server that does not use SSL.

Impact:
The connection is reset.

Workaround:
None.

Fix:
SSL persistence no longer causes the connection to be reset with non-SSL traffic.


503343-7 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
1. A clone pool is configured.

2. Clone MTU > client or server MTU.

3. The tm.tcpsegmentationoffload db variable is in the "disable" state.

4. TSO is enabled on the client-side or server-side interface.

5. TSO is disabled on the clone interface.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the configured clone pool.

Fix:
TMM no longer crashes when a cloned packet is incorrectly marked for TSO.


503319-4 : After Network Access is established, the browser sometimes receives a truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
On the Mac OS X platform, after Network Access is established, the proxy.pac file received by the browser is truncated.

Conditions:
This occurs if the proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
A large proxy.pac file might not be downloaded or might be truncated.

Workaround:
Reduce the proxy.pac file size so that the merged file is less than ~65 KB.

Fix:
The proxy.pac file merged by the F5 tunnel server is no longer truncated when sent to the browser, even if its size is greater than ~65 KB.


503237-8 : CVE-2015-0235 : glibc vulnerability known as Ghost

Vulnerability Solution Article: SOL16057


503214-3 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.


503169-1 : XML validation files are broken after upgrade

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import. The upgrade fails with the following signature in /var/log/asm:

crit perl[15504]: 01310027:2: ASM subsystem error (asm_start,F5::DbUtils::insert_data_to_table): Row 431 of table PLC.PL_CONTENT_PROFILE_VALUE_METACHARS is missing profile_id (277) -- skipping F5::ImportExportPolicy::Binary

Conditions:
ASM provisioned, XML profiles with XML validation files assigned. This can trigger on upgrade to 11.6.0.

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


503118-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When a parking command is used inside the clientside or serverside command, tmm crashes.

Conditions:
A parking command (for example, the table command) is used inside the clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside the clientside or serverside command.

Fix:
A parking command can now run inside clientside and serverside.

The client-side connection must exist when the clientside command runs, and the server-side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.


503085-3 : Make the RateTracker threshold a constant.

Component: Advanced Firewall Manager

Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.

Conditions:
When Sweep and Flood is enabled in the AFM module.

Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.

Fix:
The RateTracker threshold is now a constant, which improves detection rate accuracy.


502959-2 : Unable to get a response from virtual server after node flapping

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.

Conditions:
Persistence is in use, a node flaps rapidly, and a new connection arrives (via a TMM with an existing connection) after the node has been marked up again.

Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).

Workaround:
None.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


502852-2 : Deleting an in-use custom policy template

Component: Application Security Manager

Symptoms:
If a user tries to delete a custom policy template while security policies created from that template still exist on the system, the delete fails. This also leaves the custom template in an unusable state: it can neither be used to create further policies nor ever be deleted.

Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.

Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after there are no longer any policies created from it left on the system.

Workaround:
Contact support for a script that will disassociate all user defined policy templates from existing policies.
This will allow any user defined template to be successfully deleted.

Fix:
If you fail to delete a custom policy template because an existing security policy refers to it, it no longer leaves the custom policy template in an unusable state.


502770-2 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When a parking command is used inside the clientside or serverside command, tmm crashes.

Conditions:
A parking command (for example, the table command) is used inside the clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside the clientside or serverside command.

Fix:
A parking command can now run inside clientside and serverside.

The client-side connection must exist when the clientside command runs, and the server-side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.

Behavior Change:
The clientside and serverside commands error out if the client-side or server-side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client-side connection does not exist. To work correctly, change the script to: SSL::disable clientside.


502683-3 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on

Component: Local Traffic Manager

Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.

Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.

Impact:
Intermittent connection failures.

Workaround:
Run the software SYN-Cookie algorithm by setting the corresponding DB variable.
This ensures that the software runs the correct generation and validation algorithm.

Fix:
Traffic is now handled correctly in certain corner cases involving hardware syncookies.


502675-1 : Improve reliability of LOP/LBH firmware updates

Component: TMOS

Symptoms:
Certain F5 appliances and blades implement the Always On Management functionality via a LOP (Lights Out Processor) or LBH (Lights Out Processor/Backplane Microcontroller Hybrid) device.
Under rare conditions, if a critical kernel event occurs while the LOP/LBH firmware is being updated to a newer version, the LOP/LBH firmware image may become corrupted on the LOP/LBH device.

Conditions:
This issue may occur on the following F5 Networks appliances and blades: -- BIG-IP 2000-/4000-series, 5000-/7000-series, 10000-/12000-series appliances. -- VIPRION B2100, B2150, B2250 blades.

Impact:
If the LOP/LBH firmware becomes corrupted, the LOP/LBH device does not function properly, affecting critical chassis-management functionality such as identification of platform details including a blade's current slot in the chassis, obtaining current license state, and monitoring of chassis health information.

Workaround:
None.

Fix:
LOP/LBH firmware updates are protected against rare corruption by critical kernel events.


502443-4 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool members.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.

Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.

Behavior Change:
The external monitoring daemon (bigd) no longer sends monitoring traffic while the blade (cluster member) is offline or disabled, or while the HA member (chassis or appliance) is offline (including forced offline).


502441-5 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
Mac Edge Client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.

Fix:
Network Access connection does not reset if a large proxy.pac file is configured.


502414-2 : Make the RateTracker tier3 initialization number less variable.

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30%.

Conditions:
When the Sweep and Flood vector is enabled in the AFM module.

Impact:
Sweep and Flood attack detection occurs at higher than configured levels.

Workaround:
None.

Fix:
An optimization was made to the Rate Tracker that makes attack detection more accurate.


502269-1 : Large POST requests may fail when using form-based SSO.

Component: Access Policy Manager

Symptoms:
SSOV2 modifies the payload of large POST requests; because the server does not understand the modified payload, all such transactions fail.

Conditions:
Large POST requests using form-based SSO.

Impact:
SSOV2 is a very common use case for APM, and many applications are configured with it. Any large POST in such a configuration fails.

Workaround:
This issue has no workaround at this time.

Fix:
The payload is no longer modified, so applications handle large POST requests correctly.


502238-3 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
BIG-IP can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring.

The exact conditions under which this occurs are unknown, but it requires the sudden transmission of a number of large packets that require TSO, resulting in a full transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.

The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.

The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


502174-4 : DTLS fragments do not work for the ClientHello message.

Component: Local Traffic Manager

Symptoms:
DTLS fragments do not work for the ClientHello message.

Conditions:
The DTLS ClientHello is split into multiple fragments.

Impact:
Both the first handshake and renegotiation are affected.

Fix:
DTLS ClientHello fragments are now handled.


502149-3 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'

Component: Local Traffic Manager

Symptoms:
When archiving a cert/key via the GUI, the following error message is displayed: 'EC keys are incompatible for Webserver/EM/iQuery.'

Conditions:
When archiving a cert/key via the GUI.

Impact:
Intermittently, an error is received when trying to archive a key or certificate via the GUI.

Workaround:
None.

Fix:
iControl now stores the mode information and sets a default value for it, so no error is reported.


502016-4 : Mac client components do not log version numbers in log file.

Component: Access Policy Manager

Symptoms:
Some client components do not log version numbers in the log file.

Conditions:
Mac client components.

Impact:
Lack of version numbers in the log file.

Workaround:
None.

Fix:
Client components for Mac now log version numbers in log files.


501986-3 : Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process

Component: Advanced Firewall Manager

Symptoms:
There is a need for the Sweep and Flood vectors to be very accurate (within +/-5%). To achieve this, a mode has been added in which the Sweep and Flood vectors work per TMM process. In this mode the traffic must be well distributed for it to be effective.

A sys db tunable, dos.globalsflimits, is now available and is true by default. If the tunable is set to false, the Sweep and Flood vectors work per TMM process: the limits configured by the user are divided equally among the TMM processes, and because the traffic is well distributed among the TMM processes, the observed rates are close to the configured limits.

Conditions:
When the Sweep and Flood vector is enabled in the AFM module.

Impact:
If the db variable is set to false, the incoming traffic must be well distributed.

Workaround:
None.

Fix:
A sys db tunable (dos.globalsflimits) has been added to make the Sweep and Flood vectors rate-limited per TMM process.


501953-2 : HA failsafe triggering on standby device does not clear next active for that device.

Component: TMOS

Symptoms:
An HA failsafe triggering on a standby device that is marked as next active for a traffic group does not clear the next active setting for that device. This leaves the system in a state in which the device designated as next active cannot take over for the active device in the case of a failure.

Conditions:
HA setup with two or more devices in a device trust and device group. HA failsafes are configured on one or more devices in the device group. The HA failsafes are triggered on a device that is currently in the standby state and designated next active for a traffic group.

Impact:
A device marked as next active for a traffic group with a triggered HA failsafe does not take over a traffic group in the case of a failure on the active switch.

Workaround:
The workaround is to force the device in question offline so that another device is marked as next active.

Fix:
The fix correctly removes the next active setting for a device when it is in standby mode and an HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.


501690-3 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when an LTM listener with an iRule containing a RESOLV::lookup command parses the command's return values.


501612-4 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Workaround:
None.

Fix:
Items that are not synchronized across a device group no longer cause changes to the synchronization state.


501516-5 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501498-1 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
When the CTU report is run, it does not contain data in the logs.

Impact:
Logs are not available to technical staff.

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.

Fix:
CTU now correctly picks up logs for the Machine Certificate Service.


501494-1 : if window.onload is assigned null, then null should be retrieved

Component: Access Policy Manager

Symptoms:
After window.onload=null, a non-null value is returned from window.onload.

Conditions:
A web application that assigns null to window.onload and then expects to obtain null from window.onload.

Impact:
Web application logic can be broken.

Fix:
After window.onload=null, null is returned when getting the value of window.onload.


501480-3 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.

Component: Advanced Firewall Manager

Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.

Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.

Fix:
The AFM DoS Single Endpoint Sweep and Flood vectors now correctly handle traffic so that TMM does not crash.


501437-3 : rsync daemon does not stop listening after configsync-ip set to none

Component: TMOS

Symptoms:
If a device is not in a CMI configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.

Conditions:
This occurs when the following conditions are met: -- Device is not in a CMI configuration. -- Self device has a configsync-ip set.

Impact:
The rsync server may continue to listen even after it is expected that it will not listen.

Workaround:
None.

Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.


501371-4 : mcpd sometimes exits while doing a file sync operation

Component: TMOS

Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might post an operation similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example):
query_all {
   sync_file {
      sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql"
      sync_file_target_dg "/Common/HA_Rhodes_APM"
      sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh"
      sync_file_originator "/Common/LNJDCZ-VPN1.example"
   }
}

Conditions:
mcpd is performing a file sync.

Impact:
Randomly, mcpd exits, triggering a failover.

Workaround:
None.

Fix:
mcpd no longer exits while performing a file sync.


501343-3 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In FIPS HA setup when the FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but it actually is the public-handle and not the private-handle.

Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.

Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.


500938-3 : Network Access can be interrupted if second NIC is disconnected

Component: Access Policy Manager

Symptoms:
The Network Access connection breaks if the second NIC disconnects.
Both NICs must be connected to the same network. This happens for a specific Network Access configuration.

Conditions:
Network Access configuration:
* Full tunnel with "Prohibit routing table changes during Network Access connection" set to true.
* Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0.
Client with 2 NICs both connected to the same network.

Impact:
NA is interrupted.


500925-3 : Introduce a new sys db variable to control number of merges per second of Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in Rate Tracker library.

Conditions:
When the Sweep and Flood vector is enabled in the AFM module.

Impact:
There is no way to control the number of merges per second of the Rate Tracker, which could help Rate Tracker library accuracy.

Workaround:
None.

Fix:
A new sys db variable has been introduced to control the number of merges per second of the Rate Tracker library.


500640-1 : TMM core could be seen if a FLOW_INIT iRule is attached to a virtual server

Component: Advanced Firewall Manager

Symptoms:
A TMM core is seen when a FLOW_INIT iRule is applied to a virtual server for a global rule.

Conditions:
When logging is enabled and a FLOW_INIT rule is applied, and packets arrive for which the virtual server cannot be found, TMM could crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
A check for a NULL context in the connflow has been added to avoid this rare crash.


500544-1 : XML validation files are not correctly imported/upgraded

Component: Application Security Manager

Symptoms:
XML validation files are not assigned to the correct XML profiles after upgrade/policy import.

Conditions:
ASM provisioned
XML profiles with XML validation files assigned

Impact:
XML validation files are not assigned to the correct XML profiles.

Workaround:
N/A

Fix:
XML validation files are now assigned to the correct XML profiles.


500457-1 : Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash

Component: Application Visibility and Reporting

Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.

Conditions:
AVR is provisioned or reporting statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects a synchronization problem in AVR lookups that sometimes caused TMM and other daemons, such as the Enforcer, to crash.


500450-1 : ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Component: Access Policy Manager

Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. The APM websso module does not honor the Set-Cookie modification or the injection. ASM subsequently causes the connection to reset.

Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then the APM websso module does not honor this.

Impact:
Connection reset on the above condition.

Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix:
The APM websso module is modified to handle an ASM use case. The websso now re-parses the HTTP 401 response header from the server on the client side, in addition to the existing parsing during server-side processing.
With this fix, any Set-Cookie modification or addition by ASM is sent to the server in the response to the 401 header.


500449 : "Any IPv4 or IPv6" choice in sweep attack has atypical definition

Component: Advanced Firewall Manager

Symptoms:
The online help (OLH) does not convey the function of the Any IPv4 or Any IPv6 choice in the single endpoint sweep attack configuration.

Conditions:
When one of these options is chosen, the configuration does not behave as expected and does not detect "any" traffic.

Impact:
When selected, the endpoint sweep attack detects only traffic "other than TCP, UDP, ICMP, or IGMP."

Fix:
In the DoS Device Protection configuration for a Single Endpoint Sweep attack, the packet types "Any IPv4" and "Any IPv6" do not actually apply to all IPv4 and IPv6 traffic. Rather, these categories apply to any traffic other than TCP, UDP, ICMP, or IGMP. This has been clarified in the system online help.


500424-2 : dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid.

Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings.

Workaround:
Remove the DNAT state chunk that produces the error.

Fix:
DNATUtil now continues even if it encounters an error. It reports the error but does not exit.


500365-3 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround to prevent the issue, you can recover from the memory-leak condition by restarting tmm.

Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.


500303-3 : Virtual Address status may not be reliably communicated with route daemon

Component: Local Traffic Manager

Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not be communicated to the routing services (that is, the tmrouted service).

This can result in incorrect routes.

Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.

Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.

Workaround:
None.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


500234-4 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met:
-- An IPsec tunnel is enabled.
-- The BIG-IP system is a member of an HA pair.
-- The BIG-IP system transitions from standby to active.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.


500219-1 : TMM core if identical radius starts messages received

Component: Policy Enforcement Manager

Symptoms:
TMM cores and restarts when identical RADIUS start messages are received by the BIG-IP system with PEM provisioned.

Conditions:
Identical RADIUS start messages are received by PEM to create a session.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a TMM core that occurred when duplicate RADIUS start messages were received; duplicates are now handled properly.


500088-1 : OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update

Vulnerability Solution Article: SOL16123


500034-1 : [SMTP Configuration] Encrypted password not shown in GUI

Component: Application Visibility and Reporting

Symptoms:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password field is empty in the configuration utility when accessing the newly created SMTP object. TMSH shows the password in hash format.

Conditions:
1. Authentication is enabled.
2. A user name and password are configured.

Impact:
SMTP authentication fails.

Workaround:
After saving the SMTP configuration for the first time using the configuration utility, use only TMSH, REST API, or iControl to edit it or re-enter the password.

Note: This will not fix sending AVR e-mails. The only way to send e-mail before this fix is using a non-authenticated SMTP server.

Fix:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password is correctly decrypted using standard BIG-IP tools.


499950-5 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met:
-- intra_cluster HA configuration.
-- Node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
An issue involving inconsistent behavior of persistence across TMMs is fixed.


499947 : Improved performance loading thousands of Virtual Servers

Component: TMOS

Symptoms:
In v11.5.1 and newer, when loading thousands of Virtual Servers, mcpd might become overloaded, causing loads to take a long time, or fail entirely when mcpd times out and is restarted.

This might be more severe if GTM was enabled.

Conditions:
Thousands of Virtual Servers, GTM enabled. The problem is caused when tracking the state of Virtual Address changes and broadcasting those state changes under certain circumstances.

Impact:
Might cause long load times or configuration load failure because of mcpd timeout and restart.

Workaround:
Disable GTM. Reduce the number of Virtual Addresses.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


499946-3 : Nitrox might report bad records on highly fragmented SSL records

Component: Local Traffic Manager

Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.

Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.

Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.

Workaround:
None.

Fix:
The processing buffers reserve the proper number of subsequent parameters.


499880 : boot menu titles might not contain volume suffix

Component: TMOS

Symptoms:
The title of a boot entry normally contains a suffix, in angle brackets, which is the name of the volume in which it resides. For example:

BIG-IP 11.6.0 Build 3.0.364 <MD1.2>

When BIG-IP 11.6.0 hf3 is installed, the resulting boot entry is missing the suffix:

BIG-IP 11.6.0 Build 3.0.412

Conditions:
This occurs when hotfix 11.6.0 HF3 is installed.

Impact:
None.

Workaround:
None necessary.

Fix:
Improved installer for HFR.


499778-1 : A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs

Component: Policy Enforcement Manager

Symptoms:
A stale session is left behind.

Conditions:
1. Create a session by sending RADIUS start messages to a static subscriber that learns IP addresses dynamically.
2. Remove the master IP from the static subscriber list.
3. Delete the static subscriber.
4. Use pem_sessiondump --list to see that the session is not deleted.

Impact:
No functional issue.

Fix:
The session is now reprovisioned if an IP address is removed or added in the SSP case as well. This fixes session deletion when the master IP is removed.


499719-1 : Order Zones statistics would cause database error

Component: Global Traffic Manager (DNS)

Symptoms:
'General database error retrieving information' error in GUI.

Conditions:
This occurs when using the GUI to view Statistics for DNS zones.

Impact:
Not able to view Statistics from GUI for DNS zones.

Workaround:
Use tmsh to view Statistics for DNS zones.

Fix:
'General database error retrieving information' error no longer occurs when viewing DNS zone statistics from the GUI.


499701-1 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP statistics show an increase in the number of flows, and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay (for example, session DB operations) is combined with an increase in incoming SIP flows.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress queue length limit is reached.


499620-6 : BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays an incorrect SSL protocol version in Details.

Workaround:
None.

Fix:
The BIG-IP Edge Client for Mac now displays the correct SSL protocol version in Details.


499537-3 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


499478-2 : Fix bug 464651 which introduced change-in-behavior for SSL server cert chains by not including the root certificate

Component: Local Traffic Manager

Symptoms:
Bug 464651 fixed a loop issue when building a certificate chain caused by a bad certificate configuration.
The fix unintentionally excluded the root certificate from the chain. While the result is still a valid certificate chain, it creates a change-in-behavior issue.

Conditions:
This occurs in affected versions containing the fix for ID464651 (11.4.1, 11.5.4).

Impact:
Some customers required the root certificate to be included in the certificate chain; otherwise, certificate validation failed.

Fix:
This fix restores the previous behavior by including the root certificate in the chain.


499427-1 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run Windows file check and add a file name that starts with an ampersand.

Impact:
Depends upon access policy, but in the worst case a user might be allowed to log in.

Fix:
Access policy Windows File check now works with a file name that starts with an ampersand (&).


499422-1 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.

Component: Local Traffic Manager

Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Conditions:
When an ACK with an "invalid" sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt cause an outgoing ACK to be generated, which repeats if the server behavior repeats.

Impact:
Many connections are delayed and CPU usage is very high, with peak usage around 90%. Traffic suffers severe deterioration.

Fix:
This problem is now corrected by ensuring that, when an outgoing ACK is generated, the FIN is stripped if it is not a retransmission of the FIN.


499315-1 : Added "Collect full URL" functionality.

Component: Application Visibility and Reporting

Symptoms:
Added functionality to collect the full URL (with host name) to AVR statistics.

Conditions:
In tmsh, run the command: modify sys db avr.includeserverinuri value disable

Run traffic with the URL http://172.29.33.87/debug

The URL that will be written to the lookup table is: "/debug"

In tmsh, run the command: modify sys db avr.includeserverinuri value enable

Run traffic with the URL http://172.29.33.87/debug

The URL that will be written to the lookup table is: "172.29.33.87/debug"

Impact:
It is now possible to collect full URLs.

Fix:
Added functionality to collect the full URL (with host name) to AVR statistics.


499280-1 : Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2

Component: Local Traffic Manager

Symptoms:
A handshake with either client-ssl or server-ssl when presented with a certificate signed/hashed with sha512 may fail.

Conditions:
The issue is seen when the following three conditions are met.
1. The SSL connection is using TLS1.2.
2. The backend server's certificate is signed/hashed with sha512.
3. The backend server is Microsoft IIS server. More precisely, a server that strictly enforces the RFC policy for TLS1.2: 'If the client provided a 'signature_algorithms' extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension.' This kind of server rejects the SSL connection if the BIG-IP system does not advertise sha512 when sending the clienthello message. Microsoft IIS server does strictly enforce this rejection behavior, although Apache and OpenSSL servers do not.

On the client side:
1. Client is trying to establish SSL connection using TLS1.2.
2. Client-ssl is configured with client-cert authentication.
3. Client is configured with sha512-signed certificate only. When the BIG-IP system sends a CertificateRequest that does not include sha512, the client might send back a null certificate.

Impact:
The BIG-IP system cannot establish SSL connection with the backend server. Client fails to establish an SSL connection with the BIG-IP system.

Workaround:
To work around this:
-- Use TLS1/TLS1.1/SSL3 instead of TLS1.2.
-- Configure the backend server to use certificates signed/hashed with something other than sha512.
-- Use a backend server other than Microsoft IIS.

Fix:
For the server side, the system now includes sha512 in the signature_algorithms extension when sending the ClientHello with TLS1.2 (when you configure 'ANY' in the SSL sign hash option in the server-ssl profile), so that the server does not reject the SSL connection because the BIG-IP system did not advertise sha512 in the ClientHello. sha512 is also included on the client side, so that if the client uses sha512 to hash/sign the CertificateVerify message, the BIG-IP system (acting as a server) does not refuse to verify it (when you configure 'ANY' in the SSL sign hash option in the client-ssl profile).


499260-3 : Deleting trust-domain fails when standby IP is in ha-order

Component: TMOS

Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.

Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.

Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows: 'Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...'. In /var/log/ltm, the system posts the message: 'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (bigipsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.

Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.

Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.


499150-3 : OneConnect does not reuse existing connections in VIP targeting VIP configuration

Component: Local Traffic Manager

Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action 'virtual' or iRule command 'virtual' and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server.

A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.

Conditions:
This occurs when either of the following conditions is met:

-- Virtual-to-virtual configuration with OneConnect profile.
-- iRule contains the following command: node <ip> <port>.

Impact:
An increase in CPU and memory resources occurs due to the increase in connections established and connections that remain in memory.

Workaround:
If not required, remove the OneConnect profile from the client virtual server.

Fix:
Connections are correctly reused even with VIP on VIP configuration.


499036 : Rare cases of errors when loading data into mysql

Component: Application Visibility and Reporting

Symptoms:
In some cases, some AVR data was formed with duplicated rows, causing errors when saving the data in mysql. You will see the following in monpd.log: "Some rows of load_stat_ip_1420015200.1 not loaded (22670 rows affected).".

Conditions:
This can occur when AVR loads data.

Impact:
Loss of some statistical data.

Workaround:
None

Fix:
We fixed an issue in which, in some cases, AVR data was formed with duplicated rows and triggered errors when saving the data in mysql.


498993-1 : it is possible to get infinite loop in LDAP Query while resolving nested groups

Component: Access Policy Manager

Symptoms:
Processing nested groups might cause an infinite loop.

Conditions:
The LDAP query is configured to get group membership using the 'member' attribute. On the LDAP server, group1 has group2 as a member and group2 has group1 as a member (a membership loop); the LDAP Query then falls into an infinite loop trying to resolve nested groups.

Impact:
Users cannot pass an access policy that contains the affected agent. The apd process must be restarted to re-initialize the LDAP agent.

Workaround:
None.

Fix:
The LDAP Query resolves group membership including nested groups as expected.


498992-6 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing a specific reason for the failure.

Impact:
The lack of logging messages that could pinpoint the misconfiguration or connectivity issues on AWS makes it difficult to determine what is causing the failover to fail.

Workaround:
None

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.

Behavior Change:
Previously, the following AWS permissions were required when running failover: ec2:AssignPrivateIpAddresses and ec2:DescribeNetworkInterfaces. Failover could fail because of region or key issues, and so an additional AWS permission, ec2:DescribeInstanceStatus, is now also required for running failover.


498785 : Black List Classes/Black List Categories terminology inconsistency

Component: Advanced Firewall Manager

Symptoms:
There is a terminology inconsistency between the GUI in AFM 11.5.0 IP Intelligence, which refers to 'Black List Classes', and AFM 11.6.0 IP Intelligence, which refers to 'Black List Categories'. In addition, the 11.6.0 labels on Reporting or Event Logs for IP Intelligence read 'Class', where they should read 'Category'.

Conditions:
This occurs when comparing AFM screens in 11.5.0 and 11.6.0.

Impact:
Inconsistent terminology might result in customer confusion.

Fix:
Black List Classes is now correctly referred to as Black List Categories in AFM 11.6.0 IP Intelligence, which makes the term consistent across the GUI versions.


498782-2 : Config snapshots are deleted when failover happens

Component: Access Policy Manager

Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the errors below:
1. Login failure/denied.
2. Some webtop resources are missing after successful login.

Conditions:
When the standby node switches to active.

Impact:
Users cannot log in or access some resources after login.

Workaround:
Restart APD by running the command: bigstart restart apd.

Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.


498708-1 : Errors logged in bd.log coming from the ACY module

Component: Application Security Manager

Symptoms:
Cosmetic errors logged in bd.log from the ACY module:
'acy_prepare_RWdas failed to init rwkm-report_kw_data report'.

Conditions:
Configuration changes between signature sets on a security policy.

Impact:
False errors appear constantly. These errors are cosmetic, and do not indicate a problem with the system.

Workaround:
None.

Fix:
We fixed false error logs that were coming from the ACY module.


498597-5 : SSL profile fails to initialize and might cause SSL operation issues

Component: Local Traffic Manager

Symptoms:
When the SSL profile fails to initialize, it causes SSL to enter pass-through mode instead of rejecting traffic.

Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.

Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, as the communication channel does not establish because of a hung SSL connection.

Workaround:
Make sure the cert/key files are available and have the proper access mode.

Fix:
When the SSL profile fails to initialize, SSL now correctly rejects traffic.


498469-5 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.

Impact:
Edge Client fails to pass machine certificate inspection.

Fix:
BIG-IP Edge Client for Mac no longer fails intermittently with the machine certificate inspection agent.


498334-2 : DNS express doesn't send zone notify response

Component: Local Traffic Manager

Symptoms:
When a virtual server on the BIG-IP system receives a zone notify message, it does not send a response message back. Instead, it sends the original notify message back to the remote name server.

Conditions:
A zone notify message is sent to a virtual server with a DNS profile. The zone is configured to allow notify from the sender and the notify action is set to be consumed.

Impact:
The remote name server sends the notify message to the BIG-IP system several times since the remote name server does not receive a response message.

Workaround:
None.

Fix:
TMM will correctly send a response message back when processing a zone notify message from a remote name server.


498269-1 : 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode

Component: Local Traffic Manager

Symptoms:
When configured for bridging all traffic, 5200 platform does not bridge STP BPDUs when in PASSTHRU mode.

Conditions:
This occurs under the following conditions:
-- A VLAN group is configured to bridge all traffic.
-- STP is configured in PASSTHRU mode.

Impact:
The 5200 platform does not forward STP BPDUs across VLAN groups when in PASSTHRU mode, so STP PASSTHRU mode does not work correctly between VLAN groups.

Fix:
The 5200 platform now forwards STP BPDUs across VLAN groups when in PASSTHRU mode.


498227-2 : Incorrect AFM firewall rule counter update after pktclass-daemon restarts.

Component: Advanced Firewall Manager

Symptoms:
Incorrect firewall rule counters are updated upon classifying traffic when rules are re-ordered AND pktclass-daemon is also restarted.

Conditions:
pktclass-daemon restarts while there are active firewall rules present (in any context).

Impact:
While there is no incorrect behavior in matching/classifying traffic, updating the incorrect rule counter may give the impression that traffic is being classified incorrectly.

Workaround:
None

Fix:
The issue in which the incorrect rule counter was updated after pktclass-daemon restarts has been fixed.


498189-3 : ASM Request log does not show log messages.

Component: Application Security Manager

Symptoms:
The request log does not show log messages related to ASM.

Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.

Impact:
There are no log messages related to ASM.

Workaround:
Remove the ASM logging profile, apply the change, and then re-add the application logging profile.

Fix:
ASM request log now shows log messages related to ASM, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.


497870-1 : PEM configured with BWC doing pem policy changes could trigger leak

Component: TMOS

Symptoms:
When PEM is configured to use a BWC policy, re-evaluations caused by a PEM policy change in the configuration and/or PCRX could leak BWC memory for active flows.

Conditions:
- PEM is configured to use BWC.
- Active flows exist.
- A PEM policy change event occurs for live flows.

Impact:
- Memory leak.

Workaround:
- Restart tmm.
- Upgrade the image.
- Avoid PEM policy change events for live traffic flows.
- Attach BWC to the PEM policy after the PEM policy change event.

Fix:
When a PEM policy is modified on live traffic, PEM initiates policy re-evaluation. During this process, BWC is internally detached and re-attached. The flow active flag was not cleared during this step, so memory was not released when the flow was released. This has been fixed.


497769 : Policy Export: BIG-IP does not export redirect URL for "Login Response Page"

Component: Application Security Manager

Symptoms:
ASM does not export redirect URLs in "Login Response Page" for XML policies.

Conditions:
Redirect URL in "Login Response Page" is used in ASM security policy.

Impact:
The redirect response page is missing from the exported XML security policy.

Workaround:
Use binary policy export for exporting redirection response pages for the login URL.

Fix:
We fixed an issue with XML policy export where the redirect response page was missing from the security policy.


497742-3 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497732-2 : Enabling specific logging may trigger other unrelated events to be logged.

Component: Advanced Firewall Manager

Symptoms:
When logging is enabled for TCP events some internal traffic like UDP could be logged.

Conditions:
When logging is enabled in AFM for TCP events.

Impact:
Some unwanted log messages will show up.

Workaround:
There is no workaround.

Fix:
Fixed a bug where undesired traffic was logged when TCP events logs were enabled.


497719-1 : NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296

Vulnerability Solution Article: SOL15934


497681-1 : Tuning of Application DoS URL qualification criteria

Component: Application Visibility and Reporting

Symptoms:
Application DoS cannot be tuned in order to tell which transactions are qualified for client-side mitigation.

Conditions:
1. Create a new L7-DoS profile and enable CS injection prevention.
2. Send more than 10 requests to a qualified URL. Make sure that the URL is detected as qualified (I used the avrstat tool).
3. Send 1 request with the HEAD or TRACE method. The URL will be detected as non-qualified.

Impact:
AVR didn't qualify URLs according to the system's qualification criteria.

Workaround:
N/A

Fix:
We tuned the Application DoS URL qualification criteria.


497667-2 : Configuring ICMPv4/ICMPv6 ip-protocol in mgmt port ACL rules generates an error

Component: Advanced Firewall Manager

Symptoms:
PCCD reports a 'resources exhausted' error, which makes it impossible to activate new mgmt port rules.

Conditions:
The mgmt port is configured as an IPv4 interface and an ICMPv6 protocol rule is applied with the action set to reject, or vice versa.

Impact:
The error 'resources exhausted' is reported, and new mgmt port rules cannot be activated.

Fix:
Validation added to block invalid application of management firewall rule specifying ICMPv6 when management interface is configured with only IPv4 address. Validation also detects the reverse condition (IPv6 management address, ICMPv4 firewall rule). A descriptive error message is added.


497662-3 : BIG-IP DoS via buffer overflow in rrdstats

Component: Access Policy Manager

Symptoms:
BIG-IP DoS via buffer overflow in rrdstats

Conditions:
rrdstats is given malformed input.

Impact:
Crash in rrdstats; some services are unavailable while rrdstats is down.

Workaround:
No workaround; rrdstats is restarted automatically by the BIG-IP system.

Fix:
Improved request parsing to make it more robust against invalid formats.


497627-3 : TMM cores while using APM Network Access and no leasepool is created on the BIG-IP system.

Component: Access Policy Manager

Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.

Fix:
TMM does not core now.


497619-6 : TMM performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down while source_addr persistence is in use.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.

Fix:
The intermittent performance impact no longer occurs when a pool member goes up and down while source_addr persistence is in use.


497584-2 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the RD bit, and subsequent queries with RD set find that message, the cached message is not used because its RD bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not for the non-transparent cache.

Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule that sets the RA bit when the cache is a resolver. The iRule must also check that the origin is CACHE.

Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.


497564-2 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmit or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmit or receive failure.

Impact:
The unit is rebooted.

Workaround:
None.

Fix:
Improved High Speed Bridge diagnostic logging on transmit/receive failures.


497455-1 : Mac Edge Client crashed during routine Network Access.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes during routine Network Access operations.

Conditions:
Edge Client for Mac and BIG-IP v11.6.0. This is a rarely occurring issue. Specific conditions are unknown.

Impact:
Mac Edge Client crashes.

Workaround:
Restart Edge Client for Mac.

Fix:
A rarely occurring issue where BIG-IP Edge Client for Mac would crash randomly during regular Network Access connection has been fixed.


497436-4 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, it then drops the connection. A user might see a repeating connect/reconnect cycle.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue in the routing table patch code that deleted an essential route has been resolved.


497433-2 : SSL Forward Proxy server side now supports all key exchange methods.

Component: Local Traffic Manager

Symptoms:
The SSL Forward Proxy implementation requires the clientssl and serverssl profiles to configure at least one RSA ciphersuite. If the backend server uses ciphersuites with a key exchange other than RSA (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS), the connection fails.

Conditions:
RSA key exchange must be used on the server side, meaning that it is not possible for server-side SSL to use other key exchange methods (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS) while the client side still uses RSA key exchange.

Impact:
SSL Forward Proxy on the server side cannot be configured to use all key exchange methods the SSL module supports, and is limited to RSA.

Workaround:
None.

Fix:
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.

Behavior Change:
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.


497389-1 : Extraneous dedup_admin core

Component: Wan Optimization Manager

Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.

Conditions:
Race condition during shutdown of vCMP with 2 blades.

Impact:
Extraneous dedup_admin core generated.

Workaround:
None

Fix:
A missing virtual destructor was added.


497376-1 : Wrong use of custom XFF headers when there are multiple matches

Component: Application Visibility and Reporting

Symptoms:
In a specific case of multiple matching XFF headers combined with particular settings, one of the supplied XFF headers is used, but not the desired one.

Conditions:
1. Configuring at least one custom XFF header in the HTTP profile.
2. The incoming request has at least 2 headers that match the custom headers.
3. The DB variable avr.alwaysuselastxff is set to 0.

Impact:
The incoming request is treated as coming from an IP address that is not the desired address. This affects the reports and the identification of this request by the DoS system.

Workaround:
It is possible to write an iRule that compares the XFF headers, removes the unnecessary ones, and keeps only the desired one.

Fix:
The desired XFF header is taken as the one that represents the HTTP request IP address.


497342 : TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions will trigger the TMM crash:

i) AFM rule match triggers an iRule execution.
ii) The iRule has one (or more) FLOW_INIT event with 2 (or more) commands that result in aborting the connection (e.g. 'drop' followed by 'reject').

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The aforementioned TMM crash has been fixed.


497325-1 : New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment

Component: Access Policy Manager

Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.

Conditions:
This is a rare, environment-based issue.

Impact:
New users cannot log in to Windows-based systems.

Workaround:
Remove the \F5 Networks\VPN\client.f5c file.

Fix:
A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.


497311 : Can't add an ICMPv6 type and code to a FW rule.

Component: Advanced Firewall Manager

Symptoms:
Can't add an ICMPv6 type and code to a FW rule.

Conditions:
Choose ICMPv6 as the protocol and try to add a type and code.

Impact:
The Firewall Rule creation page in the GUI is affected.

Workaround:
Use tmsh to add ICMPv6 type and code to a FW rule.

Fix:
GUI now accepts firewall rules specifying ICMPv6 with type and code.


497304-1 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:

-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


497299-5 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with "Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No)", perform the following steps:

1. Open a new SSH connection to the BIG-IP system.
2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x
3. Return to the nethsm-thales-install.sh SSH screen and answer 'Yes'. The script should now exit with a success message.

Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.


497263-1 : Global whitelist count exhausted prematurely

Component: Advanced Firewall Manager

Symptoms:
You receive an error message with this signature: error 0107181d:3: Cannot create white list entry, maximum limit 8 entries reached.

Conditions:
This can occur when configuring entries on both BIG-IP systems in a sync group and syncing them. The whitelist count may be less than 8, but the error is still generated.

Impact:
You may receive an error message while creating a whitelist stating that you have exceeded the global whitelist count limit.

Workaround:
None

Fix:
An internal inconsistency with the system that oversees the whitelist count has been fixed.


497078-1 : Modifying an existing ipsec policy configuration object might cause tmm to crash

Component: TMOS

Symptoms:
Modifying an existing ipsec policy configuration object might cause tmm to crash

Conditions:
Modifying an existing ipsec policy configuration object that's not associated with any traffic selector that's assigned to an ikev2 ike peer configuration object.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Delete and re-create the ipsec policy mcp object.

Fix:
TMM no longer crashes when a user modifies an existing ipsec policy configuration object.


497062-1 : PEM configured with BWC doing PEM policy changes could trigger leak

Component: TMOS

Symptoms:
When PEM is configured to use a BWC policy, policy re-evaluations triggered by a PEM policy change in the configuration and/or from PCRX can leak BWC memory for active flows.

Conditions:
This occurs when the following conditions are met:
- PEM is configured to use BWC.
- The system is processing active flows.
- PEM is applying a policy change event for live flows.

Impact:
PEM configured with BWC doing PEM policy changes might trigger leak. Eventual low memory conditions, possibly followed by TMM core and traffic outage.

Workaround:
To work around this issue, complete the following steps:
- Restart tmm.
- Upgrade the image.
- Avoid PEM policy change events for live traffic flows.
- Attach BWC to the PEM policy after PEM policy change events.

Fix:
When the PEM policy is modified while the system is processing live traffic, PEM now initiates policy re-evaluation and BWC is attached correctly to the policy, so no memory leak occurs.


496976-2 : Crash when receiving RADIUS message to update PEM static subscriber.

Component: Policy Enforcement Manager

Symptoms:
Crash when receiving RADIUS message to update PEM static subscriber.

Conditions:
1) A large number of PEM static subscribers exist in the system, for example, 100K.
2) RADIUS messages are sent for these 100K subscribers to update their information.

Impact:
System crash.

Fix:
BIG-IP system no longer crashes when updating the static subscribers with RADIUS messages.


496950-1 : Flows may not be mirrored successfully when static routes and gateways are defined.

Component: Local Traffic Manager

Symptoms:
In certain circumstances, some L4 flows may not be successfully remirrored when a standby BIG-IP comes online. This involves a race condition when there are multiple routes and/or gateways defined: the new standby device may not yet have the lasthop information when it receives the mirrored flow.

Conditions:
Using mirroring with layer 4 virtuals, with gateways and/or static routes defined.

Impact:
Not all flows will have been successfully remirrored to the standby device.

Workaround:
Usually "bigstart restart tmm" will recover most or all of the L4 flows. This does not work perfectly all of the time, but is far less likely to encounter the error condition than a "bigstart restart" or "shutdown -r".

Fix:
The standby device ignores the route to the client when accepting mirrored connections. If failover occurs without a route back to the client, the connection will still fail on failover.


496894-1 : TMM may restart when accessing SAML resource under certain conditions.

Component: Access Policy Manager

Symptoms:
When a user performs SAML Identity Provider (IdP)-initiated web single sign-on (Web SSO) using Artifact binding and the Artifact Resolution Service is not configured on IdP, TMM may restart.

Conditions:
This occurs under all of the following conditions:
1. The BIG-IP system is configured as a SAML IdP.
2. The IdP service does not have Artifact Resolution Service configured.
3. The corresponding Service Provider (SP) connector object, which is bound to the IdP, has Artifact binding configured.
4. The SAML Resource from this IdP is published on a webtop.

Impact:
As a result, TMM restarts.

Workaround:
To work around the problem, configure an Artifact Resolution Service and assign it to the IdP object.

Fix:
An issue where TMM would restart under certain conditions is now fixed.


496849-1 : F5 website update retrievals vulnerability

Vulnerability Solution Article: SOL16090


496845-1 : We fixed a vulnerability in the Tree View screen

Vulnerability Solution Article: SOL15933


496817-1 : BIG-IP Edge Client for Windows fails to connect to FirePass server if tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, BIG-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
Proxy is used to create VPN tunnel.
The server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart client.

Fix:
Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.


496775-3 : [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.X) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.

GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: one with the original LTM virtual server address, and the other with the translated address:
1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip
2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds:
- Use a monitor other than bigip.
- Replace /shared/bin/big3d on the LTM system with a copy of a v11.2.1 big3d.

Fix:
The bigip health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


496758-5 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created.

For example:

ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Some of the default parameters for the above configuration will not be created upon loading config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:

ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.


496588-1 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash

Component: Local Traffic Manager

Symptoms:
TMM may restart

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed a problem that occurred when extracting request headers. This problem could sometimes cause TMM to crash.


496565-1 : Secondary Blades Request a Sync

Component: Application Security Manager

Symptoms:
Secondary blades request an ASM sync, producing log noise such as "ASM is now entering sync recovery state. Requesting complete configuration from" and needless sync work.
This issue does not affect enforcement or the actual sync state of the devices, it is just requesting extra synchronizations when they may not be needed.

Conditions:
Secondary blade restarts in unsynchronized mode.

Impact:
Unnecessary sync events are created.

Workaround:
Restarting the asm_config_server process on the secondary blade should alleviate the issue, but it may recur.

Fix:
To optimize the system, DSC synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.


496560-1 : AVR and APM: TMM crashes (additional fixes for ID 480350)

Component: Application Visibility and Reporting

Symptoms:
tmm can crash with AVR configured.

Conditions:
AVR and APM are used together.

Impact:
Traffic disrupted while tmm restarts.

Fix:
We fixed an issue that intermittently caused TMM to crash when APM and AVR are provisioned together.
This fix is additional to the one provided in ID 480350.


496498-3 : Firewall rule compilation will fail in a certain scenario when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified.

Component: Advanced Firewall Manager

Symptoms:
Firewall rule compilation will fail and the following message will appear in /var/log/ltm:

Serialization failed: No Blobs available.

pktclass-daemon transitions to the failed state, and any further firewall rule modifications are rejected until corrective action is taken.

Conditions:
For this issue to manifest, the following conditions suffice:

i) Presence of multiple scheduled firewall rules (expiring at different intervals).
ii) Presence of non-scheduled firewall rules.
iii) Modification of any non-scheduled firewall rule in the interval between the expiry times of any 2 scheduled rules.

Impact:
Firewall rule compilation will fail and pktclass-daemon will go into the failed state, causing any further firewall rule update to be ignored until user-initiated corrective action is taken.

Fix:
The aforementioned incorrect behavior has been fixed.


496449-1 : APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.

Component: Access Policy Manager

Symptoms:
APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.

Conditions:
N/A, this release note describes an enhancement.

Impact:
N/A

Fix:
APM supports using session variables for the destination address in Citrix and VMware View remote desktop resources by configuring %{session.logon.last.domain} in the remote-desktop resource.


496447-1 : APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address.

Component: Access Policy Manager

Symptoms:
APM does not apply the route domain that is configured in visual policy editor to Citrix or VMware View connections when the Citrix or the VMware View backend is specified in the resource using a hostname or an IP address.

Conditions:
Citrix or VMware View resources are configured, and they use route domains.

Impact:
Traffic is not sent to the resource's route domain.

Fix:
APM applies the route domain that is configured in visual policy editor to Citrix or VMware View connections when the Citrix or the VMware View backend is specified in the resource using a hostname or an IP address.

Note that if the Virtual Server and the resource are in different route domains and route domains have strict isolation mode, you may see an error in the Ltm log:
err tmm[18245]: 01230140:3: RST sent from 172.29.74.80:443 to 172.29.68.233:54767, [0x1f2920c:1989] Route domain not reachable (strict mode)

To correct this, ensure you set the virtual server route domain to be the parent of the Resource route domain.


496441-1 : APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.

Component: Access Policy Manager

Symptoms:
APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.

Conditions:
This can be encountered if your Java AppTunnel connections are using route domains.

Impact:
Unable to configure or use the route domain.

Fix:
In this release you can configure a route domain in the visual policy editor to Java AppTunnel connections.


496440-1 : APM does not apply route domain configured in visual policy editor to Java RDP connections.

Component: Access Policy Manager

Symptoms:
APM does not apply route domain configured in visual policy editor to Java RDP connections.

Conditions:
This is encountered if your Java RDP connections are configured to use route domains.

Impact:
You will be unable to configure a route domain for the resource.

Fix:
You can now configure a route domain in the visual policy editor for Java RDP connections.


496278-2 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name

Component: Advanced Firewall Manager

Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.

Conditions:
Only happens if the Rule names are the same within a single policy.

Impact:
Potentially, the incorrect Rule is disabled.

Workaround:
Make sure Rules have different names.

Fix:
The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.


496264-1 : SOAP Methods Were Not Being Validated For WSDL Based XML Profiles

Component: Application Security Manager

Symptoms:
After configuring an XML Content Profile from a WSDL file, the system was not validating the SOAP Methods.

Conditions:
WSDL Based XML Content Profiles with SOAP Methods are used on the system.

Impact:
SOAP Traffic was not properly validated.

Workaround:
None

Fix:
WSDL based XML Content Profiles are now enforced correctly.


496036 : GUI throws an error in some situations when an ASM policy is assigned to virtual server

Component: Advanced Firewall Manager

Symptoms:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the GUI returns an error: An error has occurred while trying to process your request.

Conditions:
This occurs when navigating to Local Traffic :: Virtual Servers : Virtual Server List :: 'http_vip' :: Security :: Policies...

Impact:
The system posts an error: An error has occurred while trying to process your request.

Workaround:
None.

Fix:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the GUI no longer returns an error: An error has occurred while trying to process your request.


496011-1 : Resets when session awareness enabled

Component: Application Security Manager

Symptoms:
A connection reset may occur when a transaction takes a long time (more than 10 seconds together from the request start till the response end).

Conditions:
The session tracking feature is turned on and a long transaction occurs.

Impact:
A connection reset.

Workaround:
Turn off session tracking.

Fix:
Connection resets no longer occur when session awareness is enabled and the server response takes a long time.


495928-5 : APM RDP connection gets dropped on AFM firewall policy change

Component: Advanced Firewall Manager

Symptoms:
An active RDP connection over an APM VPN tunnel gets dropped when the administrator makes a change to the AFM firewall policy.

Conditions:
APM tunnel and its application connections are subject to AFM firewall policy.

Impact:
RDP session disconnects and automatically reconnects.

Workaround:
Add an Allow rule to the firewall policy for destination TCP port 3389.

Fix:
RDP connections no longer get dropped during AFM firewall policy changes.


495913-2 : TMM core with CCA-I policy received with uninstall

Component: Policy Enforcement Manager

Symptoms:
If a CCA-I is received with a Charging-Rule-Remove AVP for the session, TMM will core.

Conditions:
A CCA-I message is received with a Charging-Rule-Remove AVP.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed the tmm crash when CCA-I with policy uninstall is received.


495901-3 : Tunnel Server crash if probed on loopback listener.

Component: Access Policy Manager

Symptoms:
VPN client might disconnect and reconnect.

Conditions:
An unexpected request is sent to the tunnel server loopback listener.

Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.

Workaround:
None.

Fix:
Additional check implemented in tunnel server before accepting incoming connection.


495875-2 : Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic

Component: Local Traffic Manager

Symptoms:
TMM might experience an infinite loop when selecting an available node for load balancing under heavy traffic conditions.

Conditions:
This occurs when the connection limit is specified for nodes, and there is heavy traffic.

Impact:
This causes a 10-second TMM heartbeat failure and a SIGABRT in TMM. The device goes offline and traffic processing is disrupted.

Workaround:
None.

Fix:
Connection limit on nodes now works correctly, and no longer causes tmm to loop indefinitely with heavy traffic.


495862-1 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down

Component: TMOS

Symptoms:
Invalid display of virtual status.

Conditions:
All pool members are forced down and the pool member's connection limit has been reached.

Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.

Workaround:
None.

Fix:
Virtual status now stays red if all the pool members are down.


495836-2 : SSL verification error occurs when using server side certificate.

Component: Local Traffic Manager

Symptoms:
SSL gets stuck at the signature check for server-side certificates and hence cannot complete the SSL handshake.

Conditions:
The issue can be seen when it meets the following conditions:
1. The backend server is Microsoft IIS or Netty.
2. serverSSL profile requires server side certificate authentication.

Impact:
SSL handshake fails. The handshake hangs until the timeout.

Workaround:
To work around this issue, you can configure the back-end Netty-based SSL servers to use a Certificate Authority (CA) signed certificate. Otherwise, do not use 'peer-cert-mode require'.

Fix:
SSL verification error no longer occurs when using server side certificate.


495702-4 : Mac Edge Client cannot be downloaded sometimes from management UI

Component: Access Policy Manager

Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.

Conditions:
Mac Edge Client, BIG-IP management UI.

Impact:
Mac Edge Client cannot be downloaded.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.


495698-3 : iRule can be deleted even though it exists in a rule-list

Component: Advanced Firewall Manager

Symptoms:
The rule-list references a nonexistent iRule.

Conditions:
Have a rule-list that contains an iRule, and then delete that iRule.

Impact:
iRule will no longer have an effect, even though it still appears to be contained in the rule-list.

Workaround:
Do not delete an iRule if it is referenced by a rule-list.

Fix:
Introduced validation to ensure that a referenced iRule cannot be deleted.


495574-3 : DB monitor functionality might cause memory issues

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously.

Conditions:
DB monitors configured

Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).

Workaround:
Either kill the DB monitor java process or issue a bigstart restart.

Fix:
DB monitor functionality might cause memory issues.


495557-1 : Ephemeral node health status may report as 'unknown' rather than the expected 'offline'

Component: Local Traffic Manager

Symptoms:
Ephemeral node health status may report as 'unknown' rather than the expected 'offline'.

Conditions:
Change the monitor rule on the node several times.

Impact:
Node may be in unknown status when it should be offline.

Workaround:
Reset bigd.

Fix:
Ephemeral node health status now reports 'offline' rather than 'unknown' in cases in which the monitor is offline.


495526-1 : IPsec tunnel interface causes TMM core at times

Component: TMOS

Symptoms:
If users modify the tunnel interface attributes, such as the MTU value, TMM cores. This can occur regardless of whether traffic has flowed through the tunnel.

Conditions:
When IPsec tunnel interface has its configuration modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid modifying an existing IPsec tunnel interface. Configure the IPsec tunnel interface in one step, using either create or delete.

Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.


495525-1 : iApps fail when using FQDN nodes in pools

Component: iApp Technology

Symptoms:
Use of FQDN nodes causes errors in almost all F5-supported iApps.

Conditions:
1. Create an FQDN node named "foo" that refers to the FQDN "www.foo.com".
2. Create an iApp instance using the attached ephemeral_example template.
3. Enter "foo" when prompted by the iApp for a node name.
4. Click "Finished" and observe the pool in the component view.
5. Click "Reconfigure".
6. Click "Finished".

Impact:
iApp will throw an error: "0107189b:3: Cannot delete ephemeral object: /Common/foo-173.194.33.144."

Workaround:
none

Fix:
The iApp mark-and-sweep framework should be modified to ignore ephemeral pool members when modifying iApp-managed pools.


495443-4 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495432-2 : Add new log messages for AFM rule blob load/activation in datapath.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, when the AFM rule blob is compiled/serialized by pktclass-daemon and TMM is notified to activate it in the datapath, there is no visibility into whether the activation failed or succeeded.

Conditions:
An AFM rule serialization message is processed by TMM.

Impact:
The end user has no visibility into whether the serialized AFM rule blob is successfully being used in the data path.

Workaround:
None

Fix:
With the fix, the system now logs a message (in /var/log/ltm) when the serialized AFM rule blob is activated in the data path.


495336-1 : Logon page is not displayed correctly when 'force password change' is on for local users.

Component: Access Policy Manager

Symptoms:
Logon page is not displayed correctly when 'force password change' is on for local users.

Conditions:
When more than one logon page is configured in the Access policy, and the administrator sets 'Force Password Change' in the local user account database.

Impact:
Although it is correct behavior to require an initial password change and to require a logon after changing the password, the expected first page is a one-time password-change request; instead, the same change-password page is displayed twice.

Workaround:
The current workaround is to add 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }.

Fix:
The system now shows the correct logon page after the successful password change.


495335-1 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Avoid a divide by zero while computing average packet size.


495319-3 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, Firepass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.

Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.


495273-1 : LDAP extended error info only available at debug log level which could affect Branch rules

Component: Access Policy Manager

Symptoms:
The LDAP session variable contains only a simple error message at INFO log level and requires DEBUG log level to display the full error message. This variable is displayed in the logon page after a logon failure.

Conditions:
LDAP Auth/Query is configured and extended error details are needed at a non-debug log level.

Impact:
Branch rules in visual policy editor based on extended error message will not work correctly in 11.6.

Fix:
A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable contains only a simple error message (decoded error code).

Behavior Change:
A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable now contains only a simple error message (decoded error code). Branch rules in visual policy editor based on extended error message will not work correctly.


495265-1 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions.
When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All conditions must be met:

1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; the user's session might not be terminated.

Workaround:
None.

Fix:
A problem with SAML single-logout has been fixed.


495253-1 : TMM may core in low memory situations during SSL egress handling

Component: Local Traffic Manager

Symptoms:
TMM may core in low memory situations during SSL egress handling.

Conditions:
This occurs when the following conditions are met:
-- Low memory.
-- SSL connections.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores in low-memory situations during SSL egress handling.


495030-1 : Segfault originating from flow_lookup_nexthop.

Component: Local Traffic Manager

Symptoms:
Segfault originating from flow_lookup_nexthop when neighbor_resolve is not able to determine the next hop.

Conditions:
Memory pressure or error condition.

Impact:
TMM cores and restarts.

Fix:
Segfault originating from flow_lookup_nexthop problem has been corrected.


494978-1 : The hostagentd daemon should not be running in non-vcmp mode.

Component: TMOS

Symptoms:
The hostagentd daemon is running when vCMP is not provisioned.

Conditions:
This issue occurs on all platforms that support vCMP.

Impact:
In non-vCMP mode, hostagentd is an unnecessary system process. It may use a small amount of memory and CPU but does not otherwise impact system performance or traffic passing.

Workaround:
Hostagentd may be disabled by issuing 'bigstart disable hostagentd' on all blades of a chassis or on an appliance system.

Fix:
The hostagentd daemon is no longer started when the BIG-IP system is not provisioned for vCMP.


494743-1 : Port exhaustion errors on VIPRION 4800 when using CGNAT

Component: Carrier-Grade NAT

Symptoms:
You may see the following on a VIPRION 4800 platform configured to use LSN deterministic NAT:

crit tmm3[12240]: 01010201:2: Inet port exhaustion on ...

Conditions:
VIPRION 4800 platform with multiple blades with LSN deterministic NAT

Impact:
DNAT port exhaustion alert.

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.

Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil, which fixes the port exhaustion alerts.


494637-2 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption of the contents stored in the memcache. The conditions under which the memory corruption occurs are not reproducible; this is a rarely occurring issue.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-4 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains only spaces between quotes leads to a rewrite crash.

Example:
...
background: url(' ') // some spaces between quotes
...

Conditions:
Conditions leading to this problem include any case when CSS content contains a quoted value which consists of spaces only.

Impact:
A rewrite crash, which can lead to web application malfunction.

Workaround:
To work around this issue, create an iRule that removes the spaces-only content between the quotes.


494367-2 : HSB lockup after HiGig MAC reset

Component: TMOS

Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Conditions:
This occurs after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit. The system posts messages similar to the following in the LTM log:
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN.
-- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event.
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP.
...
-- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.

Workaround:
None.

Fix:
HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.


494322-6 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used

Component: Local Traffic Manager

Symptoms:
If the flow inside an HTTP_REQUEST event raised by the explicit proxy has expired, TMM may crash.

Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.

Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.

Workaround:
Avoid the HTTP_REQUEST event if possible.

Fix:
TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly.


494319-1 : Proxy SSL caused tmm to core by dereferencing a null pointer

Component: Local Traffic Manager

Symptoms:
When server-side SSL decides to 'passthrough' the traffic, it requests that the client side convert itself to 'passthrough' mode, but the client-side SSL is already in a closing state (due to timeout).

Conditions:
When both Proxy SSL and Proxy SSL Passthrough are enabled.
Proxy SSL changes to passthrough mode, but the client side is closed or has timed out.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now checks that the state is not in closing state before updating the statistics.


494305-3 : [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to remove the virtual server listed first in alphabetical order from the dependent list of virtual servers if there are multiple virtual servers in the dependency list.

Conditions:
Virtual server with several dependency virtual servers configured.

Impact:
Cannot manage virtual server dependency list using GUI as expected.

Workaround:
Use the corresponding tmsh commands to manage the virtual server dependency list.

Fix:
You can now use the GUI to remove the alphabetically first virtual server from the dependent list of virtual servers.


494284-3 : Mac Edge Client with primary language of German shows unneeded text under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when the primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded wording.

Conditions:
Edge Client for Mac, with the primary language set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.

Fix:
For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.


494280-3 : TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a chassis system when a blade has been added with a stale PPTP tunnel.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The system now drops the new flow/tunnel and allows it to clean up, so TMM no longer crashes when PPTP finds a redirected flow when checking for an existing tunnel.


494189-1 : Poor performance in clipboard channel when copying

Component: Access Policy Manager

Symptoms:
The JavaRDP client hangs when the user tries to copy a very large text fragment to the clipboard.

Conditions:
The user tries to copy a very large text fragment.

Impact:
The JavaRDP client lags or hangs on copying. In the worst case, the user must close and reconnect the JavaRDP client.

Workaround:
None

Fix:
Clipboard channel has significantly better performance now.


494176-5 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.

Fix:
Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.


494122-2 : Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not usable by dnatutil, resulting in an "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for LSN pool on a VIPRION B4300 blade.

Impact:
Cannot use the HSL logged state information for dnatutil.

Workaround:
Use LTM logged deterministic NAT state information.

Fix:
Deterministic NAT state information from HSL is now usable on VIPRION B4300 blades.


494098-6 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
PAC file download mechanism might encounter a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.

Conditions:
The /etc/hosts is patched with the static entry of the host that contains PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add delay in proxy PAC file download to avoid race condition.

Fix:
PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.


494088-4 : APD or APMD should not assert when it can do more by logging error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situations (for example, access 'profile not found' or a failure in 'loading policy object'), APD or APMD asserts. This results in a core dump.

Impact:
APD or APMD restarts and a core file is generated.

Workaround:
None.

Fix:
Now, in some rare situations where previously APD or APMD would assert, the system logs proper error messages before exiting. This results in restarting APD or APMD.


494078-4 : Update Check feature can be target of man-in-middle-attack

Vulnerability Solution Article: SOL16090


493993-6 : TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module

Component: Access Policy Manager

Symptoms:
On a standby unit, TMM dumps core files when it is starting up and continues to do so when the active unit is handling traffic in the APM module.

Conditions:
The issue happens on APM systems when high availability is configured and the following conditions are met:
1. The active device is busy processing traffic.
2. Some sessions on the active device are terminated.
3. The TMM in standby device is starting up.

Impact:
TMM on the standby device crashes with SEGV, so existing sessions are not stored on the standby device and users must log in again if failover occurs.

Fix:
In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


493825-1 : Upgrade failure from version 11.4.0 due to incorrect configuration being saved

Component: Application Visibility and Reporting

Symptoms:
After saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, might fail.

Conditions:
After saving a custom filter based on a client IP address in the Requests logs.

Impact:
Configuration is not loaded.

Workaround:
Edit /config/bigip.conf, search for the following line, and delete it: values { \? }.

Fix:
After saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, now completes successfully.


493807-5 : TMM might crash when using PPTP with profile logging enabled

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using PPTP with profile logging enabled.

Conditions:
This occurs when the following conditions are met:
-- PPTP-ALG with log profile enabled.
-- CGNAT configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable logging from the PPTP profile.

Fix:
Using PPTP with profile logging now works correctly and no longer causes TMM to crash.


493791-2 : iApps do not support FQDN nodes

Component: TMOS

Symptoms:
All iApps fail when FQDN nodes are included as pool members in an iApp-generated pool.

Conditions:
- In an iApp, create a pool with nodes defined by FQDN.
- In the iApp, attempt to reconfigure, or even just open it, make no change, and click Update.

Impact:
GUI shows the following error: 'script did not successfully complete: (field not present: 'address'...'.

Workaround:
Create the pool outside of the iApp and attach it with the 'use existing pool' option, which is a feature of all recent F5 Networks iApps.

Fix:
iApps now support FQDN nodes.


493673-2 : DNS record data may have domain names compressed when using iRules

Component: Local Traffic Manager

Symptoms:
Some DNS record types forbid DNS name compression in their record data, e.g., the NAPTR Replacement field. In certain parts of the DNS feature set (e.g., DNS iRules, DNSSEC, GTM), some of this record data may contain compressed names.

Conditions:
Using iRules.

Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.

Workaround:
None.

Fix:
Fields that forbid compression, e.g., the NAPTR Replacement field, are no longer compressed.


493487-3 : Function::call() and Function::apply() wrapping does not work as expected

Component: Access Policy Manager

Symptoms:
Function::call() and Function::apply() wrapping does not work as expected.

Conditions:
This occurs when using an indirect method call.

Impact:
Possible Adobe Flash web application malfunction, but the symptoms can vary.

Fix:
Indirect method call using Function::call() or Function::apply() works properly now.


493401-2 : Concurrent REST calls on a single endpoint may fail

Component: Application Security Manager

Symptoms:
Concurrent REST PATCH calls on a particular endpoint, or configuration by BIG-IQ, may fail due to database deadlocks.

Conditions:
Concurrent REST PATCH calls were made on a particular endpoint, or device was configured by BIG-IQ.

Impact:
Configuration changes fail due to database deadlock.

Workaround:
Return values from REST calls should be checked before proceeding to next call.

Fix:
We fixed a MySQL deadlock that occurred when using REST API to send several patch requests to parameters of a security policy.


493385-6 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured

Component: Access Policy Manager

Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.

Conditions:
BIG-IP Edge Client for Mac customized for a specific language.

Impact:
The UI might show the generic icon set for the Mac Edge Client in the system menu.

Workaround:
Remove customization for that language.

Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.


493360-1 : Fixed possible issue causing Edge Client to crash during reconnect

Component: Access Policy Manager

Symptoms:
Edge Client may rarely crash during reconnect.

Conditions:
Session reconnection using Edge Client. When the APM session closes on the BIG-IP system (by a timeout, or by other options, for example, 'Restrict to Single Client IP'), the Edge Client starts a new session. Occasionally, when reestablishing the connection to the BIG-IP system, the Edge Client crashes.

Impact:
Rarely encountered crash.

Workaround:
None.

Fix:
Fixed possible issue that could cause BIG-IP Edge Client for Windows to crash during reconnect.


493275-3 : Restoring UCS file breaks auto-sync requiring forced sync.

Component: TMOS

Symptoms:
Automatic sync will temporarily not work after loading a UCS.

Conditions:
Load of a UCS on an affected hotfix.

Impact:
Until a manual sync is done, auto-sync will not occur.

Workaround:
Perform a forced manual sync and then the system will return to operation.

Fix:
Restoring UCS file now retains auto-sync functionality.


493246-2 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot

Component: TMOS

Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.

Conditions:
SNMP query for sysCpuSensorSlot 0.

Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.

Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.

Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.


493234-1 : Device version in AFM log message could be empty

Component: Advanced Firewall Manager

Symptoms:
Device version in AFM log message could be empty

Conditions:
When a log message is generated for AFM events

Impact:
Log message will not have device version

Fix:
AFM log messages now correctly show the device version.


493223-3 : syscalld core dumps now keep more debugging information

Component: TMOS

Symptoms:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump has little visibility into what commands were being run at the time.

Conditions:
syscalld is mostly invoked by the GUI or CMI sync to trigger the configuration being saved.

Impact:
syscalld core dumps will occur and generate customer cases, but it is difficult for a developer to obtain any useful information.

Workaround:
None.

Fix:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.


493213-1 : RBA eam and websso daemons segfaulting while provisioning

Component: TMOS

Symptoms:
Crash while provisioning

Conditions:
This sometimes seems to happen when only APM is provisioned and APM functionality is not being exercised.

Impact:
RBA eam and websso daemons are segfaulting

Workaround:
none


493164-3 : flash.net.NetConnection::connect() has an erroneous security check

Component: Access Policy Manager

Symptoms:
Accessing some content in a different domain does not work as expected because of an erroneous security check.

Conditions:
This occurs when getting a URI property immediately after calling the connect() method.

Impact:
Possible Flash web application malfunction, but symptoms vary.

Fix:
The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.


493140-1 : Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.

Component: Local Traffic Manager

Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity using offset and length parameters to calculate the hash, the system creates incorrect persistence entries.

Conditions:
A cookie hash persistence profile together with an iRule that specifies the offset and length of the cookie to be used for hashing.

Impact:
Incorrect persistence entries are created.

Fix:
Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.


493117-6 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
Must have an advertised virtual address, and change its netmask.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.

Fix:
Now, an advertised route remains advertised after its netmask is changed.


493023-3 : Export of huge policies might end up with 'too many pipes opened' error

Component: Access Policy Manager

Symptoms:
Export of huge policies might end up with a 'too many pipes opened' error. The policy must have >321 elements.

Conditions:
Huge policy (300+ elements, i.e., ~100 items).

Impact:
It is not possible to export the access policy.

Workaround:
N/A

Fix:
Extra-large policies can now be exported.


492978-1 : All blades in a cluster remain offline after provisioning ASM or FPS

Component: Application Security Manager

Symptoms:
After provisioning either ASM or FPS on a cluster, the system may reach a state in which the datasyncd process will keep all of the blades offline. The system will repeatedly switch the primary blade, but never successfully transition to online.

Conditions:
This is a rare scenario that may happen when provisioning either ASM or FPS on a cluster.

Impact:
If this state is reached, all of the blades will remain offline and not handle incoming traffic until the entire chassis is rebooted.

Workaround:
If this scenario happens, the workaround is to reboot the entire chassis, or individually reboot all of the blades roughly at the same time.

Fix:
Fixed a rare scenario in which all the blades in a cluster remain offline after provisioning either ASM or FPS.


492844-1 : Office365 generated SAML SLO message causes browser connection to be reset.

Component: Access Policy Manager

Symptoms:
When a user initiates SAML single logout (SLO) from Microsoft Office 365 (as a Service Provider), the request is terminated by the BIG-IP system.

Conditions:
This occurs under all of the following conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP).
2. Microsoft Office 365 is configured as a SAML Service Provider (SP).
3. SP-initiated SLO is attempted and the SLO message contains a detached signature.

Impact:
As a result, SLO is not executed and sessions on the BIG-IP system and the SP are left alive.

Fix:
Microsoft Office 365 generated SAML SLO message no longer causes browser connection to reset.


492809-4 : Small but continuous mcpd memory leak associated with statistics.

Component: TMOS

Symptoms:
A small amount of memory is allocated and not released each time the statsd process gathers the global access statistic information. Symptoms include a small but constant rise in memory usage associated with statistics. Note: Although the memory leak occurs in association with APM statistics specifically, APM does not need to be provisioned for the leak to occur.

Conditions:
This occurs during normal operation.

Impact:
Over a long period of time, mcpd runs out of memory. The system periodically posts messages similar to the following in /shared/tmp/mcpd.out: mcpd: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc.

Workaround:
None.

Fix:
An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with statistics.


492780-1 : Elliptic Curves Extension in ServerHello might cause failed SSL connection.

Component: Local Traffic Manager

Symptoms:
The Supported Elliptic Curves extension is present in the ServerHello, but some clients cannot process it, so it has been removed.

Conditions:
The issue occurs when the Supported Elliptic Curves extension is present in a ServerHello sent to a client that cannot process it.

Impact:
Failed SSL connection.

Workaround:
None.

Fix:
The Supported Elliptic Curves extension has been removed from the ServerHello to support more types of clients.


492701-3 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
A Location-Specific Object (LSO) that was previously resolved on target devices is overwritten by the values from the source device during a new Policy Sync operation that has a new LSO to resolve.

Conditions:
Perform a Policy Sync on a profile with an LSO and customize the LSO values during resolution.
Perform another Policy Sync on the same profile with a new LSO that requires resolution.

Impact:
Previously customized LSO values on the target device are lost.

Workaround:
Configure the values back on the target device after the new sync.

Fix:
Customized LSO values on the target device from a previous Policy Sync are now retained after a new Policy Sync with a new LSO.


492570-1 : JavaScript error during CSRF protection

Component: Application Security Manager

Symptoms:
Because JavaScript is executed on the client side, JavaScript errors might break the page when it is rendered.

Conditions:
Using Internet Explorer 8 with ASM CSRF protection enabled.

Impact:
Because JavaScript is executed on the client side, JavaScript errors might break the page when it is rendered.

Workaround:
N/A

Fix:
After upgrading to BIG-IP version 11.6.0, using Internet Explorer 8, there is no longer the JavaScript error "Object doesn't support this action" when using the CSRF protection feature. Note that despite the error message, there was CSRF protection.


492458-1 : BIOS initial release

Component: TMOS

Symptoms:
This is a report of the initial release of BIOS 1.05.033.0.

Conditions:
New BIOS release.

Impact:
BIOS is updated to BIOS 1.05.033.0.

Workaround:
None.

Fix:
Initial BIOS 1.05.033.0 release. No issues.


492422-4 : HTTP request logging reports incorrect response code

Component: TMOS

Symptoms:
HTTP request logging reports 200/OK response code before any response has been received.

Conditions:
HTTP request logging enabled.

Impact:
Misleading messages in the logs. These messages are benign and can safely be ignored.

Fix:
Response code now reported only in HTTP response logs.


492368-5 : Unbound vulnerability CVE-2014-8602

Vulnerability Solution Article: SOL15931


492367-4 : BIND vulnerability CVE-2014-8500

Vulnerability Solution Article: SOL15927


492352-3 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
The GUI and TMSH generate different ckcName values for clientssl_certkeychain:
Case 1: clientssl_certkeychain includes key/cert
    TMSH uses <key-name> as ckcName
    GUI uses <key-name>.key as ckcName
Case 2: clientssl_certkeychain includes key/cert/chain
    TMSH uses <key-name>_<chain-name> as ckcName
    GUI uses <key-name>.key as ckcName
The fix makes the GUI use the same ckcName as TMSH.

Conditions:
Use the GUI to create an SSL profile, then upgrade the system.

Impact:
The upgrade fails because of the ckcName mismatch between the GUI and TMSH.

Fix:
The GUI now generates the same ckcName as TMSH.


492305-1 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If the file required by a recurring file checker agent is deleted on the client machine after the session is already established, the session is not interrupted.

Conditions:
File checker agent is used.
Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Fix:
The session is now interrupted when the file required by a recurring file check is missing.


492287-1 : Support Android RDP client 8.1.3 with APM remote desktop gateway

Component: Access Policy Manager

Symptoms:
Support Android RDP client 8.1.3 with APM remote desktop gateway

Impact:
Users cannot run the up-to-date official Android RDP client against APM as an RDG.

Fix:
Support Android RDP client 8.1.3 with APM remote desktop gateway


492238-6 : When logging out of Office 365 TMM may restart

Component: Access Policy Manager

Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).

Conditions:
The problem occurs under these conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As part of an SLO request, the SP sends unsupported query parameters.

Impact:
Under certain conditions TMM may restart.

Workaround:
To work around the problem, disable SLO on the BIG-IP system.

Fix:
TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).


492163-3 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, applying a monitor to a pool and a monitor to a pool member causes no issues. When the pool monitor is incompatible with the pool member, however, it can cause a validation issue.

Conditions:
The pool monitor is incompatible with the pool member; for example, a pool with an http monitor and a wildcard pool member (even if the pool member has its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load the configuration, then add the pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492153-2 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address for the DTLS tunnel so that the system can react quickly to network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, an issue causes the tunnel to shut down when the state of the IP address changes to deprecated.

Impact:
Tunnel processing halts.

Fix:
BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.


492149-3 : Inline JavaScript with HTML entities may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If JavaScript code included in an HTML page contains HTML entities, Portal Access may process it incorrectly.

Conditions:
An HTML page that contains inline JavaScript code with HTML entities.

Impact:
Web application does not work as expected.

Workaround:
Use an iRule for each individual case to correct this behavior.

Fix:
JavaScript code containing HTML entities is now processed correctly.


491887-1 : Changing the ending of a macro in Access Policy crashes TMM.

Component: Access Policy Manager

Symptoms:
The default ending for a macro is "out". Changing this to anything else crashes TMM and causes it to core.

Conditions:
Create a macro and change its ending.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Macro endings can now be renamed, so macros are no longer required to end in "out".


491791-3 : GET on non-existent pool members does not show error

Component: TMOS

Symptoms:
Performing a GET on nonexistent pool members does not show an error.

Conditions:
This occurs when using iControl REST with nonexistent pool members.

Impact:
The returned response typically indicates an almost-empty resource instead of a not-found error.

Workaround:
Use members GET for all members and iterate through the items returned to determine if a pool member exists.

Fix:
Performing a GET on nonexistent pool members through iControl REST now returns an error.
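
The workaround above (list the members collection and iterate over it rather than GET a single member) as an added Python example. This is not F5's code: the JSON bodies are constructed samples that follow the iControl REST collection shape (a `kind` plus an `items` array whose entries carry `name` and `fullPath`); the addresses and states are made up, and the HTTP call that fetches the collection is left to the caller.

```python
"""Pool-member existence check via the iControl REST members collection.

Added illustration of the 491791-3 workaround (not F5's code): instead of
GETting one member, which on affected versions may come back as an almost
empty resource rather than a not-found error, fetch the whole members
collection and look for the member in its "items".
"""
import json

# Constructed sample of a members-collection GET body.  Field names follow
# the iControl REST collection shape; the values are invented.
SAMPLE_MEMBERS_COLLECTION = json.dumps({
    "kind": "tm:ltm:pool:members:memberscollectionstate",
    "items": [
        {"name": "10.0.0.11:80", "fullPath": "/Common/10.0.0.11:80",
         "address": "10.0.0.11", "state": "up"},
        {"name": "10.0.0.12:80", "fullPath": "/Common/10.0.0.12:80",
         "address": "10.0.0.12", "state": "user-down"},
    ],
})

# Constructed sample for an empty pool.  A collection with no entries can
# come back without an "items" key at all, so the parser must not assume
# the key is present.
SAMPLE_EMPTY_COLLECTION = json.dumps({
    "kind": "tm:ltm:pool:members:memberscollectionstate",
})


def member_full_paths(collection_body: str) -> set[str]:
    """Return the fullPath of every member listed in a collection body."""
    doc = json.loads(collection_body)
    return {item["fullPath"] for item in doc.get("items", [])}


def pool_member_exists(collection_body: str, member: str,
                       partition: str = "Common") -> bool:
    """True if `member` is present in the collection.

    `member` may be "ip:port" or a full path "/Partition/ip:port".  The
    short form is qualified with `partition` first, so the comparison is
    exact and a name can never match on a prefix or in the wrong partition.
    """
    full_path = member if member.startswith("/") else f"/{partition}/{member}"
    return full_path in member_full_paths(collection_body)


def missing_members(collection_body: str, wanted: list[str],
                    partition: str = "Common") -> list[str]:
    """Names from `wanted` that are not in the pool, in the order given."""
    return [m for m in wanted
            if not pool_member_exists(collection_body, m, partition)]


if __name__ == "__main__":
    print(pool_member_exists(SAMPLE_MEMBERS_COLLECTION, "10.0.0.11:80"))
    print(missing_members(SAMPLE_MEMBERS_COLLECTION,
                          ["10.0.0.11:80", "10.0.0.99:80"]))
```

Comparing on `fullPath` rather than on `name` keeps the check partition-aware, which matters when the same ip:port is a member of pools in different partitions.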


491771-2 : Parking command called from inside catch statement

Component: Policy Enforcement Manager

Symptoms:
If a parking command (such as table, session, open, send, or RESOLVE::lookup) is called from inside a catch statement within a proc or control statement (if, for, while), and is followed by a command that results in a (caught) Tcl error, TMM cores with a SIGFPE panic and this message:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
    proc id491771 {} {
        # WILL CAUSE TMM TO CRASH: the brackets evaluate the parked command's result
        catch { [table lookup "key"] }
    }

The correct usage of "catch" is without the brackets:
    proc id491771 {} {
        catch { table lookup "key" }
    }

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc or control statement (e.g., if, for, while)

Impact:
TMM cores with a SIGFPE and this panic string:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command that completes without parking, placed after the parking command but before the error, prevents the issue. For instance:

    set A "a"

Another solution is to move the "catch" statement outside of the proc or control statement into the body of the script.

Alternatively, remove the square brackets that cause the result of the command to be evaluated in this specific case. The use of brackets in this way is likely a coding mistake in the iRule.


491716-2 : SNMP attribute type incorrect for certain OIDs

Component: TMOS

Symptoms:
The following OIDs have an incorrect type of Gauge when they should be Integer:

sysIntfMediaIndex
sysIfIndex
sysPacketFilterAddrIndex
sysPacketFilterVlanIndex
sysPacketFilterMacIndex
sysStpBridgeTreeStatIndex
sysStpInterfaceTreeStatIndex
sysHostCpuIndex
sysIntfMediaSfpIndex

Conditions:
SNMP queries to some F5 enterprise OIDs.

Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.

Fix:
All F5 enterprise MIB attributes that include a limited value range have been changed to type Integer.


491556-7 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491554-2 : [big3d] Possible memory leakage for auto-discovery error events.

Component: Global Traffic Manager

Symptoms:
The big3d process may leak memory.

As a result of this issue, you may encounter one or more of the following symptoms:

You notice a progressive increase in the amount of memory that the big3d process uses.
The big3d process produces a core file in the /shared/core directory.
The BIG-IP system unexpectedly fails over to another system in the device group.
The monitoring system marks the monitored device as unavailable.

Conditions:
This issue occurs when all of the following conditions are met:

Your system is actively monitored by a BIG-IP GTM or Enterprise Manager system.
The monitoring system is configured with discovery enabled.
The big3d process returns error messages to monitor requests.

Impact:
Memory usage for the big3d process increases, and may eventually affect other services and overall system performance.

Workaround:
None.

Fix:
big3d no longer leaks memory during auto-discovery failure events.


491518-2 : SSL persistence can prematurely terminate TCP connection

Component: Local Traffic Manager

Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.

Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.

Impact:
Premature close of TCP connection and potential data loss.

Workaround:
Disable SSL persistence.

Fix:
SSL [session id] persistence no longer prematurely terminates TCP connections.


491478-1 : EAM is a CMP plugin and spins up one thread per TMM.

Component: Access Policy Manager

Symptoms:
When OAM is enabled on a virtual server, an 'eam' v1 plugin profile is added to the virtual server. Due to ht-split performance changes (specifically the addition of the "plugin_threads" field in BZ439449), the eam plugin profile claims to be a CMP-enabled plugin but forces the thread count to 1. This causes the number of MPI devices to be 0, so no channel is spun up: all connections through the virtual server result in a "No plugin configuration found" error in /var/log/ltm and the connection is reset.

Symptom:

Virtual servers with OAM enabled do not pass traffic; "No plugin configuration found" errors appear in /var/log/ltm.

Conditions:
An HTTP virtual server with OAM enabled.

Impact:
Traffic outage on OAM-enabled virtual servers.

Workaround:
Hand-edit /defaults/config_base.conf:

        plugin_threads {
            class-name profile_eam
            container none
            instance-name eam
            value "1" <-- change this to "tmms"
        }

Fix:
EAM is a CMP plugin and spins up one thread per TMM.


491454-6 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met:
-- The client (e.g., Chrome for Android) attempts to use the SPDY protocol via Next Protocol Negotiation (NPN) during the SSL handshake.
-- The BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.

Fix:
The SSL handshake now completes successfully when a SPDY profile is attached and Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.


491233-1 : Rare deadlock in CustomDialer component

Component: Access Policy Manager

Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.

Conditions:
CustomDialer component.

Impact:
Cannot log in. Requires hard boot to resolve.

Fix:
The CustomDialer component has been updated to prevent a rarely occurring deadlock.


491165-1 : Legal IP addresses sometimes logged in Attack Started/Stopped message.

Component: Advanced Firewall Manager

Symptoms:
Sometimes legitimate IP addresses are logged in attack started/stopped messages.

Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.

Impact:
Logging.

Workaround:
N/A

Fix:
IP addresses are no longer logged in START/STOP messages. Only sampled messages include packet details.


491030-6 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records

Component: Local Traffic Manager

Symptoms:
Sometimes when encrypting certain SSL records, the Cavium Nitrox crypto accelerator can hang with the LTM log message "request queue stuck".

Conditions:
Certain SSL records on a system with a Cavium Nitrox card.

Impact:
Nitrox crypto accelerator can hang.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox crypto accelerator will no longer hang with certain SSL records.


490893-4 : Deterministic NAT state information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information is incomplete in the HSL log format, which could result in an incorrect reverse or forward map from dnatutil when it is used with HSL-logged state information.

Conditions:
Found to affect VIPRION B2250 blades with HTSPLIT enabled, when using dnatutil with HSL-logged deterministic NAT state for the reverse map.

Impact:
The reverse and forward map could be incorrect when used with HSL-logged deterministic NAT state information.

Workaround:
Use LTM-logged deterministic NAT state information for the reverse or forward map.

Fix:
HSL-logged deterministic NAT state information can now be used to correctly forward- and reverse-map.


490844-4 : Some controls on a web page might stop working.

Component: Access Policy Manager

Symptoms:
Some controls on a web page might stop working.

Conditions:
Some events that execute in web applications.

Impact:
Unexpected web application malfunctions.

Workaround:
Create an iRule specific to each case.

Fix:
Problems with support for the EventTarget.addEventListener() feature have been fixed.


490830-4 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10

Conditions:
Protected Workspace action configured on BIG-IP APM server.
Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
n/a

Fix:
Protected Workspace disabled on Windows 10 client.


490817-1 : SSL filter might report codec alerts repeatedly

Component: Local Traffic Manager

Symptoms:
TMM cores due to Out of Memory (OOM), and xdata is the majority of the memory consumption.

Conditions:
The SSL filter enters a failure mode in which it appears to transmit alert messages repeatedly until TMM runs out of memory, at which point the transmissions stop for lack of memory and TMM cores.

Impact:
The system might crash. (Massive xfrag usage, degraded performance, eventual TMM OOM.)

Fix:
The codec alert is now cleared after propagation, so the SSL filter no longer reports alerts indefinitely.


490811-5 : Proxy configuration might not be restored correctly in some rare cases

Component: Access Policy Manager

Symptoms:
Local proxy configuration on Mac OS X might not be restored correctly in some rare cases.

Conditions:
BIG-IP Edge Client for Mac is connected and the tunnel drops for some reason; a race condition during proxy configuration restoration causes the configuration not to be restored properly.

Impact:
Proxy configuration might not be restored correctly in some rare cases.

Workaround:
None

Fix:
A rare case where proxy configuration might not be restored correctly has been fixed.


490713-3 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Fix:
FTP port selection now uses a round-robin method to avoid quick reuse as much as possible.


490681-1 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).

Fix:
A configurable self-expiry is now set for each memcache object. With this change, each user remains in the cache only for the configured duration.


490675-1 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
A user creates a dynamic user name with leading and trailing spaces, so that the user name looks like " user1 ". When the user entry is created in MySQL, " user1 " is treated the same as "user1" because the leading and trailing spaces are removed. The memcache entry does not do the same.

Conditions:
Create a dynamic user with a regular name, then retry the same user name with leading and trailing spaces. There are now multiple entries for the same user (one regular and one with spaces). When the dynamic user is deleted, the regular user name is deleted from memcache and from MySQL, but the other entry remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.

Fix:
Leading and trailing spaces are now trimmed from the user name before it is used, so the user name is uniform everywhere.
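
The store mismatch described in this entry, and the fix of canonicalising the name once before it reaches any store, as an added Python illustration. This is not F5's code: two in-memory dictionaries stand in for the MySQL table and the memcache entries, the MySQL stand-in trims the key on its own as the entry above describes, and `canonical_username` is the hypothetical boundary check.

```python
"""Canonicalise a user name before it reaches any backing store.

Added illustration of 490675-1 (not F5's code).  The page describes MySQL
trimming " user1 " to "user1" while memcache kept the raw key, so deleting
the user left an orphan cache entry.  `db` and `cache` below are plain
dictionaries standing in for the two stores.
"""


def canonical_username(raw: str) -> str:
    """Trim leading/trailing whitespace and reject names that become empty.

    Applying this once at the boundary guarantees every store sees the
    same key, instead of relying on each store's own normalisation.
    """
    name = raw.strip()
    if not name:
        raise ValueError("user name must not be empty after trimming")
    return name


class DynamicUserStore:
    """Toy model of a dynamic-user record kept in two stores at once."""

    def __init__(self, trim_at_boundary: bool):
        self.trim_at_boundary = trim_at_boundary
        self.db = {}     # stands in for the MySQL row, keyed by user name
        self.cache = {}  # stands in for the memcache entry, keyed by user name

    def _key(self, raw: str) -> str:
        # Before the fix the raw name went straight through; after it the
        # canonical form is used for every store.
        return canonical_username(raw) if self.trim_at_boundary else raw

    def create(self, raw: str, state: str = "active") -> None:
        key = self._key(raw)
        # The MySQL stand-in trims regardless, as the page describes; the
        # memcache stand-in stores whatever key it is handed.
        self.db[key.strip()] = state
        self.cache[key] = state

    def delete(self, raw: str) -> None:
        key = self._key(raw)
        self.db.pop(key.strip(), None)
        self.cache.pop(key, None)

    def orphaned_cache_entries(self) -> list:
        """Cache keys with no matching database row (the leak in 490675-1)."""
        return sorted(k for k in self.cache if k.strip() not in self.db)


def reproduce(trim_at_boundary: bool) -> list:
    """Run the sequence from the Conditions section and report orphans."""
    store = DynamicUserStore(trim_at_boundary)
    store.create("user1")      # regular name
    store.create(" user1 ")    # same user, padded with spaces
    store.delete("user1")      # delete the dynamic user
    return store.orphaned_cache_entries()


if __name__ == "__main__":
    print("before fix, orphaned cache keys:", reproduce(False))
    print("after fix, orphaned cache keys: ", reproduce(True))
```

Running the sequence without boundary trimming leaves `" user1 "` behind in the cache while the database row is gone, which is exactly the stale lock-out state the Impact section warns about; with trimming both creates collapse onto one key and the delete clears both stores.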


490482-1 : Applying Access Policy with an unused macro crashes TMM.

Component: Access Policy Manager

Symptoms:
When an Access Policy has a macro attached but does not use the macro anywhere, applying the Access Policy crashes TMM.

Conditions:
Access Policy that has a macro attached but is not using the macro at any point in the policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Delete all unused macros.

Fix:
An Access Policy can now contain an attached macro that is not used anywhere in the policy.


490480-3 : UCS load may fail if the UCS contains FIPS keys with names containing dot

Component: Local Traffic Manager

Symptoms:
UCS load may fail if the UCS file contains FIPS keys with names containing dot ( . ).

Conditions:
This occurs when the configuration includes at least one FIPS key with name containing a dot ( . ).

Impact:
UCS loading fails.

Fix:
UCS load now completes successfully if the saved configuration includes FIPS keys with names containing dot ( . ).


490429-2 : The dynamic routes for the default route might be flushed during operations on non-default route domains.

Component: Local Traffic Manager

Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example, when a non-default route domain is deleted from TMM, the operation also removes routes in the default route domain.

Conditions:
This happens on configuration changes and failover.

Impact:
Routing in default route domain might be impacted until tmrouted is restarted.

Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.

Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.


490414-1 : /shared/vmisolinks present on systems running versions where block-devices are not present

Component: TMOS

Symptoms:
/shared/vmisolinks is not removed from vCMP hosts when booting into builds that do not support block-device-image and block-device-hotfix vcmp installations.

Conditions:
This occurs in 11.6.0 or later with vCMP provisioned. In pre-11.6.0 versions, vCMP does not have to be provisioned.

Impact:
/shared/vmisolinks is present and takes up space. /shared can artificially fill up and cause warnings.

Workaround:
/shared/vmisolinks can be safely removed from older versions with the following command sequence:
-- clsh rm -rf /shared/vmisolinks
-- clsh ls -al /shared/vmisolinks

After removing the /shared/vmisolinks directory from each cluster member or the appliance as a vCMP host, the space warnings related to /shared/vmisolinks will cease.

Fix:
/shared/vmisolinks is now properly cleaned up upon system startup.


490284-3 : ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)

Component: Application Security Manager

Symptoms:
ASM screens take a long time to load, MySQL spikes in usage.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM user interface pages.

Workaround:
There is no workaround at this time.

Fix:
We reduced the time it takes for ASM screens to load.


490225-3 : Duplicate DNSSEC keys can cause failed upgrade.

Component: Local Traffic Manager

Symptoms:
When DNSSEC keys are stored in HSM and the system is upgraded, config load can fail because of duplicate keys in HSM.

Conditions:
DNSSEC keys in HSM. Upgrade or UCS load of configuration that contains the same keys.

Impact:
Failed upgrade or config load.

Workaround:
None.

Fix:
BIG-IP DNS/mcpd now checks for an existing key and does not import keys that already exist.


490171-1 : Cannot add FQDN node if management route is not configured

Component: TMOS

Symptoms:
Upon trying to create a FQDN (Fully Qualified Domain Name) node without the management route configured, an error is displayed: 01070734:3: Configuration error: Please configure a default gateway.

Conditions:
A basic LTM configuration with DNS lookup server setup

Impact:
Users must configure a management route, even if they otherwise do not need one or do not have one configured.

Workaround:
Create a temporary management-route default gateway in order to add nodes using their FQDN:
   1) tmsh create sys management-route default gateway 172.28.22.254   (create the default management-route)
   2) tmsh create ltm node mydomain.com fqdn { name mydomain.com }   (create the FQDN node)
   3) tmsh delete sys management-route default   (remove the default management-route)

Fix:
A default management route is no longer required in order to add nodes via their FQDN.


490129-1 : SMTP monitor could not create socket on IPv6 node address

Component: Local Traffic Manager

Symptoms:
SMTP Tcl monitor cannot create socket on IPv6 node address.

Conditions:
Conditions leading to this issue include SMTP monitors with IPv6 pool members.

Impact:
SMTP monitor IPv6 pool members are DOWN.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
The SMTP monitor now successfully monitors IPv6 pool members.


489957-5 : RADIUS::avp command fails when an AVP contains multiple attributes (VSAs).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when an AVP contains multiple attributes (VSAs).

Conditions:
One AVP contains multiple attributes (VSAs).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
The RADIUS::avp command now completes successfully when an AVP contains multiple attributes (VSAs).


489888-1 : Configuring a VDI profile is allowed when APM is not provisioned, but the profile does not work.

Component: Access Policy Manager

Symptoms:
LTM GUI allows you to configure a VDI profile when APM is not provisioned, but since APM is not provisioned the profile will not work.

Conditions:
This can be encountered if APM was previously provisioned and one or more VDI profiles were configured. Upon de-provisioning APM, the profiles are still visible in the GUI.

Impact:
There should be no impact other than the GUI allowing you to configure something that cannot be used unless APM is provisioned.

Fix:
The GUI no longer allows you to configure a VDI profile when APM is not provisioned.


489796-2 : TMM cores when Woodside congestion control is used.

Component: Local Traffic Manager

Symptoms:
In Woodside congestion control, the congestion window is used to calculate the minimum delay. If the congestion window is 0 during this calculation, the division by the congestion window (0) causes a core.

Conditions:
The congestion window becomes 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use another congestion control rather than Woodside.

Fix:
A TMM crash bug when using Woodside congestion control has been fixed. The issue was a division by 0 bug.


489767 : Webroot cloud lookup support

Component: Policy Enforcement Manager

Symptoms:
PEM does not have the ability to query the Webroot cloud database for URLs that are only available in the Webroot server in the cloud. There is one global Webroot database on the BIG-IP system, which contains millions of URLs it can categorize. However, the Webroot URL categorization database is hosted on their cloud, and can categorize billions of URLs. In certain countries, some of the popular URLs can only be categorized by the Webroot cloud database.

Conditions:
This only occurs when Webroot cloud lookup is enabled. The Webroot cloud lookup feature is disabled by default.

Impact:
Certain URLs are categorized as unknown by the local Webroot database that is managed on the BIG-IP system, even though they could be categorized by the Webroot cloud service.

Workaround:
None.

Fix:
Support has been added so that PEM can perform the Webroot cloud lookup asynchronously and cache the categorization result. When subsequent requests with the same URL arrive, PEM categorizes the URL based on the cached Webroot cloud lookup result.


489754-1 : Flow based reporting attribute mismatch between TMUI and TCL

Component: Policy Enforcement Manager

Symptoms:
Several fields are missing from PEM format script reporting.

Several fields in the format script use usec (microseconds) when they should be milliseconds.

Conditions:
In PEM session and flow format script reporting.

Impact:
Some new fields are added.

For session, here are the new fields:
last-sent-msec
report-id
report-version
timestamp-msec

For flow, here are the new fields:
flow-start-milli-seconds
flow-end-milli-seconds
report-id
route-domain
report-version
timestamp-msec
vlan-id

Workaround:
This issue has no workaround at this time.

Fix:
To preserve backward compatibility, the following fields are still kept, but the values of the *-usec fields below are now 0, indicating that they are not meaningful; this avoids breaking users' existing scripts.

For session:
last-sent-usec
timestamp-usec
module-id

For flow:
flow-start-time-usec
flow-end-time-usec
timestamp-usec


489750-3 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Component: TMOS

Symptoms:
From 11.4.0 onwards, deletion of FIPS keys by handle is expected to throw an error if the BIG-IP config contains that key object. However, if the key name differs from the FIPS label of the key, such a by-handle deletion deletes the key from the FIPS card without checking the BIG-IP config, and does not delete the key from the BIG-IP config.

Conditions:
Delete a FIPS key by handle using tmsh when the key name differs from the FIPS label of the key.

Impact:
FIPS key deletion by handle may not throw the expected error when the FIPS handle corresponds to a key in the BIG-IP config, and deletes the key from the FIPS card without deleting the key in the BIG-IP config.

Workaround:
First, FIPS key deletion by handle should be used only for FIPS key handles that do not have corresponding key objects in the BIG-IP config.

If the FIPS key deletion was desired and a by-handle deletion has already been performed that did not delete the key from the BIG-IP config, follow this workaround:

After executing:
    tmsh delete sys crypto fips by-handle <handle-number>

check whether the corresponding key still exists in the BIG-IP config by executing:
    tmsh list sys crypto key

If the key in question was not deleted, execute:
    tmsh delete sys crypto key <keyname>

Fix:
The system now correctly handles deleting a FIPS key by handle using tmsh when the key name differs from the FIPS label of the key.


489705-2 : Running out of memory while parsing large XML SOAP requests

Component: Application Security Manager

Symptoms:
Running out of memory while parsing large XML SOAP requests.

Conditions:
System parses as XML a large multipart file upload.

Impact:
Unnecessary memory allocations which could cause the Enforcer to run out of memory. The system posts an error similar to the following: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.

Fix:
We fixed an issue where the system parsed a large multipart file upload as XML. Doing so caused unnecessary memory allocations, which could cause the Enforcer to run out of memory. The following error message was displayed: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.


489682-1 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define a scheduled report on top of "Top alerted URLs" on 11.3.0 and upgrade the version.

Impact:
Version upgrade fails (the BIG-IP becomes unusable).

Workaround:
Change the "/Common/Top Alerted URLs" reference in the bigip.conf file of the UCS to "/Common/Top Alarmed URLs", and then load the modified UCS.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.


489648-1 : Empty violation details for attack signatures

Component: Application Security Manager

Symptoms:
Attack signatures are detected on a transaction, but the reporting does not show the details of all of them.

Conditions:
Different signature sets are applied to different policies, and then a transaction with attack signatures appears on a request.

Impact:
Not all the detected attack signature details are shown. In some cases, there are empty violation details for certain attack signatures.

Workaround:
None.

Fix:
All attack signature details are now shown.


489382-7 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow the Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criterion is not satisfied.
This only happens if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Impact:
The browser allows network access to be established even though it should not.

Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix:
The browser client now selects the appropriate certificate when the match SubjectCN and FQDN criterion is specified in the Machine Cert Auth agent.


489364-1 : Web VPN client now correctly minimizes the IE window to the tray

Component: Access Policy Manager

Symptoms:
An Internet Explorer window remains on the taskbar after Network Access connects, even if the 'minimize to tray' option is enabled.

Conditions:
Internet Explorer is used and the 'minimize to tray' option is enabled.

Impact:
The IE window stays on the desktop.

Fix:
The Internet Explorer window is now correctly minimized to the tray.


489328-9 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens several browser tabs pointing to a BIG-IP APM virtual server, causing the access policy to run from both tabs. If the length of the encoded URL falls on the 4K boundary, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system does not process it, and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.


489323-1 : Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.

Vulnerability Solution Article: SOL43552605


489084-1 : Validation error in MCPD for FQDN nodes

Component: TMOS

Symptoms:
Validation does not enforce unique FQDN nodes across folders.

Conditions:
Create two nodes with the same FQDN in two different folders.

Impact:
This issue can cause undefined behavior.

Workaround:
Ensure that FQDN nodes, like regular IP nodes, are unique across folders.

Fix:
Validation now ensures that FQDN nodes, like regular IP nodes, are unique across folders.


488986-2 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.

Component: Access Policy Manager

Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and Windows Edge client.

Conditions:
Internet Explorer versions 10 and 11.

Impact:
Access policy cannot enter Windows Protected Workspace.

Workaround:
Use a browser other than Internet Explorer versions 10 and 11.

Fix:
An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.


488931-1 : TMM may restart when MPTCP traffic is being handled.

Component: Local Traffic Manager

Symptoms:
Under some conditions, multi-path TCP (MPTCP) traffic being handled by an MPTCP-enabled virtual server might cause TMM to restart.

Conditions:
MPTCP traffic is being handled by an L7 virtual server.

Impact:
The TMM might restart when this condition occurs.

Workaround:
None.

Fix:
TMM may restart when multi-path TCP (MPTCP) traffic is being handled.


488917-2 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages are generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.

Fix:
The wamd process no longer generates potentially alarming debug log messages when shutting down.


488916 : CIDR can now be used for SNAT Origin Address List

Component: TMOS

Symptoms:
A validation error occurs when an address in IP/CIDR format is entered into the address list field, although the field still accepts an address in IP/IP format.

Conditions:
An address in IP/CIDR format is entered into the address list field.

Impact:
A validation error occurs, although the field still accepts an address in IP/IP format.

Fix:
The validation error is no longer thrown, and an address in IP/CIDR format is now handled correctly.


488908-1 : In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize parameters in the initialization function.

Component: Local Traffic Manager

Symptoms:
In a client-ssl profile that serves as the server side, BIG-IP SSL does not initialize some parameters.

Conditions:
A client-ssl profile serves as the server side and fragmented datagrams are being retransmitted.

Impact:
The SSL handshake fails, and Datagram Transport Layer Security (DTLS) crashes while retransmitting fragmented datagrams.

Workaround:
None.

Fix:
In a client-ssl profile that serves as the server side, BIG-IP SSL now initializes parameters in the initialization function as expected.


488892-3 : JavaRDP client disconnects

Component: Access Policy Manager

Symptoms:
The JavaRDP client disconnects the user's session when the user interacts before the handshake is complete.

Conditions:
This might occur when the network connection is slow but the user is fast enough to click the mouse within the client area or press a key on the keyboard. In this case the RDP client attempts to send this input event to the server.

Impact:
Because the RDP handshake is not completed at this point, the server aborts the connection.

Workaround:
Do not interact within the client area before the window fills with an image from the server. When that occurs, the connection is clearly established and all handshakes are completed.

Fix:
The JavaRDP client session now starts correctly, and the system does not process extraneous input that occurs before the handshake completes.


488736-5 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in the JS console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
None.

Fix:
iNotes 9 Sametime (instant messaging) is working now.


488713-1 : Corrupt memory

Component: Application Visibility and Reporting

Symptoms:
The Thrift server raises an unhandled exception.

Conditions:
Using the Thrift server when an unhandled exception is encountered.

Impact:
AVRD crashes.

Workaround:
None.

Fix:
AVRD now handles exceptions from the Thrift server that were previously unhandled.


488600-2 : iRule compilation fails

Component: Local Traffic Manager

Symptoms:
Previously created iRules may fail on upgrade.

Conditions:
Upgrading to 11.6.x versions may cause iRule compilation failures.

Impact:
iRules may not work after upgrade.

Workaround:
N/A

Fix:
Fixed Tcl parsing when there is whitespace before the newline.


488598-1 : SMTP monitor on non-default route domain fails to create socket

Component: Local Traffic Manager

Symptoms:
SMTP monitor on a non-default route domain fails to create a socket.

Conditions:
SMTP monitors on a non-default route domain.

Impact:
SMTP monitor pool members are DOWN. If debug logging is enabled for the monitor, the system posts messages in the monitor's debug log: Notice 'ERROR: failed to connect 10.50.1.100%20:25 error: couldn't open socket: host is unreachable'.

Workaround:
Create an External monitor using SMTP_monitor.

Fix:
SMTP monitor no longer fails when using a non-default route domain.


488581 : The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within an HTTP_REQUEST event

Component: Local Traffic Manager

Symptoms:
The Traffic Management Microkernel (TMM) process may restart and produce a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.

As a result of this issue, you may encounter one or more of the following symptoms:

The BIG-IP system fails over to another host in the device group.
The BIG-IP system generates a TMM core file to the /shared/core directory.
The BIG-IP system temporarily fails to process traffic.

Conditions:
This issue occurs when the following conditions are met:

You have configured a virtual server that uses an iRule.
The iRule contains the SSL::disable client-side iRule command within an HTTP_REQUEST event.
The virtual server processes traffic that triggers the HTTP_REQUEST event while processing encrypted traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not put 'SSL::disable clientside' inside HTTP_REQUEST.

Fix:
The Traffic Management Microkernel (TMM) process no longer restarts and produces a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.


488374-2 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation

Component: TMOS

Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.

Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.

Impact:
Intermittently, the racoon daemon cores when there have been earlier failed phase 2 negotiations.

Workaround:
Make sure that the IPsec policies (such as the encryption/authentication algorithms for the data going through the IPsec tunnel) on the remote device match the IPsec policy configured on the BIG-IP system for the same IPsec tunnel.

Fix:
The racoon daemon no longer crashes due to mismatched IPsec policy configuration.


488306-1 : Requests not logged locally on the device

Component: Application Security Manager

Symptoms:
After deactivating or deleting security policies and then activating other policies, sometimes requests would not be logged on the local device.

Conditions:
Deactivating/deleting security policies and then activating other policies.

Impact:
Requests are not logged on the local device.

Workaround:
Restart ASM.

Fix:
ASM now properly tracks security policy changes, and correctly logs requests.


488208-1 : openssl v1.0.1j.

Component: Local Traffic Manager

Symptoms:
openssl has been updated to version 1.0.1j.

Conditions:
N/A

Impact:
N/A

Fix:
openssl has been updated to version 1.0.1j.


488166-1 : Provide an option to delete the session if the IP class address limit is reached when a new IP is being added, and create a new session instead.

Component: Policy Enforcement Manager

Symptoms:
When the Multiple IP feature is supported, adding a new IP to a session fails if the IP address limit is reached for that particular class of IP addresses. So, if old IPs are not removed from the session even though the subscriber may no longer be using them, new IP assignment is disallowed, and subscriber traffic might be blocked or not policed because the IP address was not added to the session.

Conditions:
The IP class address limit for the session is reached, and a new IP address add for the same subscriber session arrives.

Impact:
The session is not created by RADIUS but by traffic, and no subscriber ID is assigned to it. The PCRF may decline to provide a policy, and hence subscriber traffic may not be policed as expected.

Fix:
A db variable, Tmm.pem.session.delete.if.max.ipaddr.per.class.exceeded, has been added and is set to TRUE by default. Now, when a new IP address add request arrives via RADIUS and the session IP limit has been reached, the current session is deleted and a new one is created altogether, so that the new subscriber session is not affected.


488105-3 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
While the sandbox file is being used by the data plane, if the admin changes the configuration to delete this sandbox file, TMM may generate a core due to accessing freed memory.

Conditions:
While the data plane is handling requests for the sandbox files, the admin deletes them from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Fix:
Access whitelist entries are now reference-counted to prevent freeing of the memory while it is still in use.


487859-1 : Importing local db users from a CSV file that has no UID set displays incorrect information in the GUI.

Component: Access Policy Manager

Symptoms:
Importing local db users from a CSV file that has no UID set displays incorrect information in the GUI.

Conditions:
Importing local DB users from a CSV file with no UID value provided.

Impact:
All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details.

Workaround:
There is no workaround.

Fix:
Importing local db users with no UID set now generates a Unique ID and stores each user's details in the database.


487808-3 : End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.

Component: Global Traffic Manager

Symptoms:
The BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features have reached End of Life (EoL).

Conditions:
BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features.

Impact:
Cannot use these features.

Workaround:
None.

Fix:
Link cost and inbound link path load balancing software support has reached EOL. For more information, see SOL15834: End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15834.html.


487757 : Hybrid HiGig/front panel port packet discard (ingress back-pressure vs. egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.

Component: Local Traffic Manager

Symptoms:
Different discard configurations, as set on B4300/B2200/10000/12000-family platform interfaces, may result in different packet discard type counts when the switch encounters bursty or severe MMU congestion.

Conditions:
Dissimilar congestion discard counts are observed for switch ports supporting normal vs. extended unicast queues.

Impact:
When switch ports encounter congestion, ports supporting extended unicast queues may show ingress back-pressure discard counts, as opposed to the egress queue discard counts shown for ports supporting regular unicast queues.

Workaround:
None.

Fix:
Egress CoS queue discard settings are now also enabled for switch ports supporting extended unicast queues, as already set for ports supporting normal unicast queues.


487592 : Change in the caching duration of OCSP response when there is an error

Component: Local Traffic Manager

Symptoms:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder) are cached indefinitely.

Conditions:
Some of the OCSP responses that indicate an error (such as 'unauthorized' response from the responder).

Impact:
Responses are cached indefinitely.

Workaround:
The response can be deleted from the cache so as to obtain a new response. The new response will be cached based on whether it is valid, and whether the responder indicates an error.

Fix:
Except when the responder sends a certificate-status 'revoked', or a response status 'signature required', the response is cached for the duration given by the 'cache-error-timeout' field.


487587-2 : The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios

Component: Local Traffic Manager

Symptoms:
The allowed range of 'status-age' in OCSP Stapling Parameters was 0 - 86400 (0 to 1 day in seconds). This range might not be enough to support some scenarios in which the acceptable value could be as high as 7-10 days.

Impact:
OCSP response is discarded even when it is acceptable as valid.

Workaround:
This issue has no workaround at this time.

Fix:
The allowed range of 'status-age' has been changed to 0 - MAX_INT, with 0 indicating that the status-age check is not performed. That is, the system does not check whether the 'thisUpdate' value in the OCSP response lags by more than the specified value. Also, the default value of status-age has been changed to 86400 (one day in seconds).


487567-4 : Addition of a DoS Profile Along with a Required Profile May Fail

Component: TMOS

Symptoms:
Certain DoS profiles require a preliminary profile to be attached as well. For example, a DNS-enabled DoS profile may require a DNS profile to be attached first. However, in cases where both profiles are attached at the same time, an error may be thrown telling the user that the required profile is not attached.

Conditions:
A DoS profile needs to be attached at the same time as its required profile. For example, an Application DoS profile requires an HTTP profile to be attached as well.

Impact:
If you have such DoS profiles in use and attach them in a single transaction (GUI operations or the iControl REST API), you may be affected.

Workaround:
None.

Fix:
It is now possible to attach a DoS Profile and a required supporting profile in a single transaction.


487554-2 : System might reuse TCP source ports too quickly on the server side.

Component: Local Traffic Manager

Symptoms:
The system might reuse TCP source ports too quickly on the server side when the DAG hash is ip-only and the source-port mode is set to change.

Conditions:
This occurs when the dag-cmp hash is ip-only and the source-port mode of the virtual server or PEM forwarding endpoint is set to change. The BIG-IP system might then reuse some TCP source ports on the server side.

Impact:
Conflicting flows result in connections being reset.

Workaround:
This issue has no workaround at this time.

Fix:
In this release, reuse of TCP source ports is sequential, which eliminates the issue of TCP source ports being used too quickly on the server side.


487552-3 : triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests come from the 8G table

Component: TMOS

Symptoms:
The system might post the following error when the provisioned modules should be supported: 01071008:3: Provisioning failed with error 255 - 'Physical memory (6144MiB) insufficient for 3 or more modules.'

Conditions:
VCMP guests and VE guests with memory between 5632 MiB and 6250 MiB.

Impact:
Not allowed to provision more than 3 modules.

Workaround:
Create VCMP guests with 4 or more CPUs. Configure the VE guests with more than 6250 MiB of memory available.

Fix:
Three or more modules can be provisioned on VCMP guests and VE guests having 5632 MiB or more memory.

Behavior Change:
You are now allowed to provision any number of combinations of modules on platforms with 5.5 GiB of memory or more so long as there are resources available. Previously, 3 or more modules were not allowed to be provisioned on platforms with 6 GiB or less. Note that Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.


487512-1 : Enable Bittorrent classification in Qosmos by default

Component: Traffic Classification Engine

Symptoms:
Due to the poor accuracy of BitTorrent classification, the field is asking to have Qosmos enabled by default.
This was tested as part of the SR investigation and confirmed working at a customer site.

Conditions:
Running BitTorrent for a long period of time.

Impact:
Poor accuracy of classification of BitTorrent traffic.

Workaround:
tmsh modify sys db tmm.gpa.cec.behavioral_protocols value 183,271,553,580,597,1040,1041,842

Fix:
Bittorrent classification is now enabled in Qosmos by default.


487420-1 : BD crash upon stress on session tracking

Component: Application Security Manager

Symptoms:
An ASM bd process crash occurs in a specific scenario that involves system stress and session tracking; rarely, the crash can also be reached from slow responses/servers with session tracking.

Conditions:
ASM under heavy load, session tracking is running.

Impact:
A bd process crash, failover, and/or traffic resets.

Workaround:
None.

Fix:
This release fixes a system crash scenario that occurred with session tracking.


487233-1 : vCMP guests are unable to access NTP or RSYNC via their management network.

Component: TMOS

Symptoms:
Attempts to access an external NTP server or RSYNC server from within a vCMP guest over the management network fail to pass traffic.

Conditions:
This issue affects vCMP guests running any BIG-IP software version when running on a vCMP hypervisor running software version 11.6.0.

Impact:
vCMP guests are unable to configure an external NTP server reachable over the management network.

Workaround:
An NTP server may be configured using a self IP and the data plane network without issue.
If access is required via the management port, perform the following steps:
1) Add the commands
iptables -t nat -D PREROUTING -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT
to /config/startup on the vCMP hypervisor. This will ensure the workaround persists across reboots.
2) Run the following command at the vCMP hypervisor bash prompt:
clsh iptables -t nat -I PREROUTING 1 -m physdev --physdev-in mgmt_vm_tap_+ -j ACCEPT

Rebooting the hypervisor or affected guests is not required.

Fix:
An issue has been corrected which affected NTP and RSYNC access via the management network in vCMP guests.


487170-1 : Enhanced support for proxy servers that resolve to multiple IP addresses

Component: Access Policy Manager

Symptoms:
VPN might fail to connect in environments where DNS returns multiple IP addresses for the proxy server host name. This affects both the Edge client and the web client.

Conditions:
The proxy server name resolves to multiple IP addresses, or the proxy server IP address changes on a subsequent call to the DNS resolver.

Impact:
VPN connection might fail.

Workaround:
Configure DNS to return a single, persistent IP address for the proxy host name.

Fix:
Added support for scenarios where the proxy host name resolves to multiple addresses.


486829-1 : HTTP Protocol Compliance options should not be modified during import/upgrade

Component: Application Security Manager

Symptoms:
HTTP Protocol Compliance options are enabled upon version upgrade or security policy import from a prior version.

Conditions:
This issue occurs when the configuration was upgraded to 11.6.0, or a security policy was imported from a prior version into 11.6.0.

Impact:
HTTP Protocol Compliance options are enabled.

Workaround:
Set HTTP Protocol Compliance options to desired values after import/upgrade.

Fix:
HTTP Protocol Compliance options are correctly preserved after a security policy import or a version upgrade.


486762-1 : lsn-pool connection limits may be invalid when mirroring is enabled

Component: Carrier-Grade NAT

Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.

Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.

Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.

Workaround:
This issue has no workaround at this time.

Fix:
With the fix in place, clients may open the full number of allowable connections.


486724-3 : After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails

Component: Local Traffic Manager

Symptoms:
After upgrading from TMOS v10 to TMOS v11 in a FIPS HA setup, config-sync will fail.

Conditions:
In a FIPS HA setup, upgrade from v10 to v11. After upgrade, trigger config-sync.

Impact:
HA devices will be in a sync-failed state.

Workaround:
This issue has no workaround at this time.

Fix:
Config-sync now succeeds after upgrading from v10.


486661-3 : Network Access should provide client IP address on reconnect log records

Component: Access Policy Manager

Symptoms:
Network Access should provide client IP address on reconnect log records

Conditions:
- Connect a client via Network Access and observe the Client IP in the log.
- Disconnect and reconnect from a different client IP (or the same one).

Impact:
The log messages generated for the session do not include the client IP address.

Workaround:
None.


486597-1 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 with TLS 1.2 and TLS 1.1 if a client cert is requested.

Conditions:
This occurs when the following conditions are met: Windows 7; TLS 1.1/TLS 1.2; client cert set to 'required' in the virtual server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.

Fix:
Fixed the Network Access renegotiation procedure on TLS 1.1 and TLS 1.2 for Microsoft Windows 7.


486512-7 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain an incorrect nas-ip-address attribute. It should be the local IP of the box; instead, nas-ip-address is another, random IP address.

Conditions:
This works correctly when the BIG-IP is a virtual machine. The issue reproduces only on actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.

Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.


486485-1 : TCP MSS is incorrect after ICMP PMTU message.

Component: Local Traffic Manager

Symptoms:
After an ICMP PMTU message, new TCP packets are well below the maximum size.

Conditions:
After receiving ICMP PMTU messages, the system uses undersized TCP packets.

Impact:
Reduced throughput of TCP connections.

Workaround:
Configure TCP MSS to the true value.


486450-2 : iApp re-deployment causes mcpd on secondaries to restart

Component: Local Traffic Manager

Symptoms:
iApp redeployment causes mcpd on secondaries to restart.

Conditions:
This occurs when redeploying iApps with the locally cached files in place.

Impact:
mcpd restarts on secondaries.

Fix:
iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.


486356-1 : Unable to configure a virtual server with a stats profile and a SIP profile in 11.6.0

Component: Service Provider

Symptoms:
Changes in profile validation logic unintentionally blocked using a stats profile together with a SIP profile in the same virtual server.

Impact:
Unable to add a stats profile to a virtual server containing a SIP profile.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed mcpd validation to allow a stats profile to be included in a SIP virtual server.


486346-3 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd during shutdown.

Impact:
Unnecessary core files are generated, consuming some resources.

Workaround:
None.

Fix:
wamd no longer cores and now exits gracefully when shutting down.


486344-2 : French translation does not properly fit buttons in BIG-IP Edge client on Windows

Component: Access Policy Manager

Symptoms:
French translation does not properly fit buttons in BIG-IP Edge Client on Windows-based systems.

Conditions:
French translation in BIG-IP Edge Client on Windows.

Impact:
Text does not fit buttons.

Fix:
Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.


486323-1 : The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation

Component: Application Security Manager

Symptoms:
After installation of an 11.6.0 hotfix, the datasyncd process may keep restarting for 30 minutes. This is rare, but if it does happen, the system remains offline during this time, until the state is automatically recovered.

Conditions:
An 11.6.0 hotfix is being installed on a system that is already running 11.6.0, and has either ASM or FPS provisioned.

Impact:
For 30 minutes following the hotfix installation, the system remains offline and does not handle traffic.

Workaround:
This issue has no workaround at this time.

Fix:
We corrected a rare scenario that caused a machine to remain offline for 30 minutes after an 11.6.0 hotfix installation.


486268-1 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
The RSA error message contains newline symbols (for example, RSA 8.1 uses such a message).

Impact:
May cause usability issues.

Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.


486137-3 : License activation may not proceed if MCPD is not fully operational

Component: TMOS

Symptoms:
When the MCPD is not fully started, the activation process may fail.

Conditions:
When the MCPD service is not fully operational and an attempt is made to perform activation, the activation may fail due to incomplete data in the message sent to the activation service.

Impact:
Activation of license may not succeed.

Workaround:
Wait until MCPD is fully operational before performing license activation.

Fix:
Activation function has been modified to eliminate dependency on the MCPD.


485948-5 : Machine Info Agent should have a fallback branch

Component: Access Policy Manager

Symptoms:
Machine Info agent is not supported for legacy logon clients (for example, mobile clients and Linux CLI); it is only supported for web logon clients (browsers and BIG-IP Edge Clients). However, the Machine Info agent does not throw any error if a legacy logon client connects to APM with the Machine Info agent in it.

Conditions:
This occurs with a Machine Info agent in the access policy and legacy logon clients.

Impact:
The Machine Info agent does not create any machine information-related session variables for legacy logon clients, nor does it indicate that it is not supported.

Workaround:
To work around the problem, use the Client Type agent to distinguish between legacy logon and web logon clients, and then add the Machine Info agent only to the web logon clients branch.

Fix:
The Machine Info agent now differentiates between legacy logon clients and web logon clients by creating an error session variable. The error session variable is set to 1 when legacy logon clients connect to APM and 0 otherwise.


485939-1 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in an HA pair.

Component: TMOS

Symptoms:
In an HA pair setup, the active node sends an As_External Link-State Advertisement (LSA) with an infinity metric value for the redistributed connected subnets that are configured in the OSPF network element.

Conditions:
An HA pair with redistributed connected subnets and subnets configured in the OSPF network element.

Impact:
The active node in the HA pair sends an LSA with an infinity metric that is exchanged with the other networks, affecting the routing process.

Workaround:
Running 'clear ip ospf process' fixes the issue. However, it is not an effective solution in a production environment.

Fix:
OSPF sessions in an HA pair no longer send an As_External LSA for subnets that are configured as a network element and redistributed as connected subnets.


485917-3 : BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)

Vulnerability Solution Article: SOL15792


485906 : TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server

Component: Access Policy Manager

Symptoms:
TMM may core if an APM virtual server detaches from its current resource and attaches to a different resource while handling requests.

Conditions:
This crash is most likely to occur when an APM virtual server is configured with a OneConnect profile. However, the issue is possible whenever the resource APM should connect to can be decided after the client connection is established (for example, based on the HTTP Host header). This includes iRules that change the backend resource, load-balancing decisions that switch the resource, and APM configurations that interface with a number of different resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If OneConnect is present, removing its profiles from APM virtual servers greatly reduces the likelihood of this issue occurring. If the issue occurs without OneConnect, the other mitigation is to place APM in its own virtual, configured to interface with a layered virtual which remains constant. The layered virtual may then use iRules or load balance as normal. The APM virtual server cannot detach from one resource and re-attach to a different resource.

Fix:
APM virtual servers that can cause the resource to switch during request handling (as is most noticed with OneConnect profiles attached to them) will no longer cause TMM to crash and restart.


485833-7 : The mcpd process may leak memory when using tmsh to modify user attributes

Component: TMOS

Symptoms:
The Master Control Program Daemon (mcpd) may leak memory when you use the Traffic Management Shell (tmsh) to modify user attributes.

Note: The mcpd process is the messenger process that allows userland processes to communicate with the Traffic Management Microkernel (TMM), and the other way around.

As a result of this issue, you may encounter one or more of the following symptoms:

-- You are unable to configure the BIG-IP system.
-- You are unable to obtain statistics, or statistics may not be accurate.
-- In the /var/log/ltm file, you may observe an error message similar to the following example:
02001018:system library:fopen:Too many open files

Conditions:
This issue occurs when the following condition is met:

-- You are using the tmsh modify auth <user> command options to modify local user accounts. Some of the options include the following:
   description: User description.
   partition-access: The administrative partition to which the user has access.
   password: Set or modify the user password.
   role: Specifies the user role for the user account.
   shell: Specifies the shell to which the user has access.

Impact:
-- You cannot obtain or update the system status.
-- You cannot configure the BIG-IP system.
-- Userland processes may not be functional.

Workaround:
There is no workaround for this issue. To restore mcpd functionality, you can restart mcpd from the command line. To do so, perform the following procedure:

Impact of procedure: Restarting the mcpd process interrupts all traffic processing on the BIG-IP system. You should perform this procedure during a maintenance window.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

To restart the mcpd process, type the following command:
restart sys service mcpd

Fix:
mcpd now closes all user directory file descriptors.


485812-2 : libxml2 vulnerability CVE-2014-3660

Vulnerability Solution Article: SOL15872


485787-1 : Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context

Component: Advanced Firewall Manager

Symptoms:
A staged ACL rule attached to a virtual server or self IP is never hit if a similar rule with a drop/reject action is attached to a higher context as enforced.

Conditions:
The policy is staged at the Virtual or SelfIP context and enforced at the Global or Route Domain level, and the action is drop/reject.

Impact:
Staged policy counters are not incremented correctly.
Example:
There are two firewall policies (Policy1 and Policy2) with the same rules:
security firewall policy Policy1 {
    rules {
        Rule1 {
            action reject
            destination {
                addresses {
                    10.10.10.11 { }
                }
            }
        }
    }
}

Policy1 is attached to the Global context as enforced:
security firewall global-rules {
    enforced-policy Policy1
}

Policy2 is attached to the virtual server as staged:
ltm virtual VS4_TCP {
    destination 10.10.10.11:any
    fw-staged-policy Policy2
    ip-protocol tcp
    ......
}

If traffic is sent that matches this rule:
Policy1:Rule1 is hit, but Policy2:Rule1 is not hit.

tmctl -w120 fw_rule_stat
context_type  context_name     rule_name  micro_rules  counter  last_hit_time
------------  ---------------  ---------  -----------  -------  -------------
global                         Rule1      1            10       1413898646


tmctl -w120 fw_staged_rule_stat
context_type  context_name     rule_name  micro_rules  counter  last_hit_time
------------  ---------------  ---------  -----------  -------  -------------
virtual       /Common/VS4_TCP  Rule1      1            0        0

Fix:
Counters for staged ACL rules now increment even when a match at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have policy counters increment even if an enforced policy assigned at the Global or Route Domain context matches.


485771-1 : TMM crashes while executing multiple FLOW_INIT events and one of the events triggers an abort.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions may suffice to trigger the TMM crash:

An AFM rule match triggers an iRule execution with multiple FLOW_INIT events, and one of the events causes the connection to be aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
A crash bug when executing multiple FLOW_INIT events has been fixed.


485764-5 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly

Component: Application Security Manager

Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy, the response headers needed for full integration are not added to traffic.

Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.

Impact:
Proper response headers are not added to traffic to integrate fully.

Workaround:
This issue has no workaround at this time.

Fix:
The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.


485760-1 : Tag <NameIDFormat> in SAML metadata may contain wrong attributes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML IdP, the SAML metadata may contain an invalid NameIDFormat element, for example:

<NameIDFormat Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="0" isDefault="true">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

Conditions:
BIG-IP is used as IdP.
SAML Artifact Resolution Service is not configured.

Impact:
Metadata could fail to be imported to external Service Providers.

Workaround:
Manually correct metadata.
For example, replace this:
"<NameIDFormat Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="0" isDefault="true">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>"

with this:

"<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>"

Fix:
The SAML metadata NameIDFormat element no longer contains invalid attributes under these conditions.
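The workaround above is manual. As an added example (not F5 code, and not part of this release note), the following script detects and removes the defect described: in the SAML 2.0 metadata schema, NameIDFormat is a bare anyURI element with no attributes, so any Binding, index or isDefault attribute on it is invalid, while elements such as SingleSignOnService legitimately carry Binding. The SAMPLE_METADATA document is constructed for the example and is not real IdP metadata.

```python
"""Detect and strip invalid attributes from NameIDFormat in SAML metadata.

Added example, not F5 code: it automates the manual workaround described in
the release note. NameIDFormat carries no attributes in the SAML 2.0
metadata schema, so every attribute found on it is removed; elements that
legitimately carry Binding/index/isDefault are left untouched.
SAMPLE_METADATA is constructed for this example.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed metadata reproducing the defect (not real IdP metadata).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="0" isDefault="true">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_name_id_formats(metadata_xml: str) -> list:
    """Return the sorted attribute names found on any NameIDFormat element."""
    root = ET.fromstring(metadata_xml)
    bad = set()
    for elem in root.iter():
        if _local_name(elem.tag) == "NameIDFormat":
            bad.update(elem.attrib)
    return sorted(bad)


def fix_name_id_formats(metadata_xml: str):
    """Remove every attribute from NameIDFormat elements; return (xml, count fixed)."""
    root = ET.fromstring(metadata_xml)
    fixed = 0
    for elem in root.iter():
        if _local_name(elem.tag) == "NameIDFormat" and elem.attrib:
            elem.attrib.clear()
            fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    print("offending attributes:", check_name_id_formats(SAMPLE_METADATA))
    cleaned, count = fix_name_id_formats(SAMPLE_METADATA)
    print("elements fixed:", count)
    print(cleaned)
```

Run the check before importing IdP metadata into a Service Provider; a non-empty list from check_name_id_formats explains an import failure of the kind described above, and fix_name_id_formats produces the corrected document.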


485472-3 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485465-3 : TMM might restart under certain conditions when executing SLO.

Component: Access Policy Manager

Symptoms:
TMM may restart when Single Logout (SLO) request/response contains an invalid 'Issuer' attribute.

Conditions:
SLO is configured on BIG-IP as SP or IdP.
SLO request or response is received from SP/IdP for which there is no current session.

Impact:
TMM restarts.

Workaround:
Disable SLO.

Fix:
The system now handles Single Logout (SLO) response/request so that TMM no longer restarts.


485396 : Online help about persistent cookies does not specify supported use

Component: Access Policy Manager

Symptoms:
Online help for creating an access profile and for creating SSO/Auth Domains does not specify that persistent cookies are supported only in an LTM-APM configuration.

Conditions:
Online Help

Impact:
Help page is unclear.

Fix:
Online help has been updated to clarify the use of persistent cookies for SSO Across Authentication Domains. Persistent cookies are supported only when a session is started using an LTM-APM access profile type.


485355-3 : Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)

Component: Access Policy Manager

Symptoms:
Click-to-Run Office 2013 applications fail to start inside Microsoft Windows Protected Workspace without any error message.

Conditions:
The Click-to-Run version of Office 2013 is used under PWS.

Impact:
The Click-to-Run version of Office 2013 does not work inside PWS.

Workaround:
To work around the problem, use the full installation of Office 2013.

Fix:
Click-to-Run Office 2013 applications can start inside Microsoft Windows Protected Workspace (PWS) now.


485352-1 : TMM dumps core file when loading configuration or starting up

Component: TMOS

Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.

Conditions:
This error happens when there is no APM license installed.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The system now correctly handles configuration load when there is no APM license.


485251-1 : AVR core with tmstat backtrace

Component: Application Visibility and Reporting

Symptoms:
Due to a synchronization problem in AVR, some tmstat data (relevant to AVR only) becomes corrupted.
This corruption can cause AVR to core.

Conditions:
Provision AVR.

Impact:
This bug causes AVR to core.

Fix:
The synchronization problem has been fixed.


485202-1 : LDAP agent does not escape '=' character in LDAP DN

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP 11.6.0, session variables may have modifiers when used in configuration, such as:
%{session.logon.last.ldap.dn:ldapdn}

With the session variable modifier "ldapdn", the resultant value should be escaped according to LDAP DN rules. Those rules include the equals (=) character, which should be escaped but is not.

Conditions:
An LDAP session variable that contains an LDAP DN is used in configuration with the "ldapdn" session variable modifier.

Impact:
Depends on how the session variable with the "ldapdn" modifier is used in the configuration.

Workaround:
It is possible to escape the '=' character using the Variable Assign agent before using that session variable with the modifier in other configurations.

Fix:
Now the session variable modifier "ldapdn" escapes the equal sign (=) character as well as other characters that require escaping.
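As an added example (not F5 code, and not the implementation of the "ldapdn" modifier), the escaper below models what a DN-aware modifier is expected to do when an attribute value is substituted into a DN. The character set follows RFC 4514 section 2.4 (the characters '"', '+', ',', ';', '<', '>' and '\' anywhere, NUL, a leading '#' or space, and a trailing space), with '=' added because the fix above says the modifier now escapes it as well. BASE_DN and the sample names are constructed; the split_dn and rdn_attribute helpers stand in for any downstream consumer of the DN and show why an unescaped '=' or ',' changes how the DN is read.

```python
"""Escape attribute values for use inside an LDAP Distinguished Name.

Added example, not F5 code. Special characters follow RFC 4514 section 2.4;
'=' is added because the fix in the release note escapes it too. BASE_DN is
a constructed value.
"""

# Constructed base DN; a real deployment would use its own.
BASE_DN = "ou=people,dc=example,dc=com"

# Characters escaped wherever they occur in a value.
_ESCAPE_ANYWHERE = set('"+,;<>\\=')


def escape_ldap_dn_value(value: str) -> str:
    """Return value with DN special characters backslash-escaped."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")            # NUL has no printable form: hex-escape it
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")             # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")             # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cn: str) -> str:
    """Build cn=<value>,BASE_DN with the value escaped, as the modifier should."""
    return "cn=" + escape_ldap_dn_value(cn) + "," + BASE_DN


def build_user_dn_unescaped(cn: str) -> str:
    """Same DN with no escaping: the defective behaviour described above."""
    return "cn=" + cn + "," + BASE_DN


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on unescaped commas (a simple consumer)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep escape pairs intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def rdn_attribute(rdn: str) -> str:
    """Attribute type of an RDN: the text before the first unescaped '='."""
    i = 0
    while i < len(rdn):
        if rdn[i] == "\\":
            i += 2
            continue
        if rdn[i] == "=":
            return rdn[:i]
        i += 1
    return rdn


if __name__ == "__main__":
    name = "Smith, John=admin"            # constructed display name
    print(build_user_dn(name))            # cn=Smith\, John\=admin,ou=people,dc=example,dc=com
    print(split_dn(build_user_dn(name)))           # four RDNs, as intended
    print(split_dn(build_user_dn_unescaped(name)))  # five pieces, one with a bogus attribute type
```

With the name "Smith, John=admin", the escaped DN splits into the four RDNs the author intended, while the unescaped DN splits into five pieces and yields " John" as an attribute type. That is the class of misread the modifier exists to prevent.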


485189-3 : TMM might crash if unable to find persistence cookie

Component: Local Traffic Manager

Symptoms:
TMM might crash and generate a core if unable to find persistence cookie.

Conditions:
Although specific conditions for this issue are unknown, it is possibly due to having a virtual with cookie persistence enabled and iRules that disable persistence.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now verifies that a persistence cookie was successfully found before extracting it from HTTP responses.


485188-1 : Support for TLS_FALLBACK_SCSV

Component: Local Traffic Manager

Symptoms:
A class of SSL attacks that downgrade the connection to weaker protocol versions is possible.

Conditions:
N/A

Impact:
N/A

Fix:
When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

For more information, see SOL16935: Support for the TLS Fallback SCSV
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16935.html
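The fix text above is the server-side rule of RFC 7507. As an added example (not F5 code and not TMM's implementation), the following shows that decision on a raw ClientHello: if the hello lists the TLS_FALLBACK_SCSV pseudo cipher suite (0x5600) and its client_version is lower than the highest version the server supports, the server answers with a fatal inappropriate_fallback alert (alert description 86) instead of negotiating; a hello without the SCSV is accepted at whatever version it offers, as before. The server ceiling defaults to TLS 1.2 and the ClientHello bytes are constructed by the helper in the block.

```python
"""TLS_FALLBACK_SCSV (RFC 7507) decision on a ClientHello.

Added example, not F5 code. parse_client_hello reads the client_version and
cipher suite list from a TLS record; fallback_check applies the SCSV rule;
build_client_hello constructs minimal test input (no extensions).
"""
import struct

TLS_FALLBACK_SCSV = 0x5600
ALERT_INAPPROPRIATE_FALLBACK = 86
HANDSHAKE, CLIENT_HELLO = 22, 1
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)


def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from a TLS record carrying a ClientHello."""
    if len(record) < 5:
        raise ValueError("short record")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:       # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                  # skip client_random
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated cipher suite length")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def fallback_check(record: bytes, server_max_version=TLS1_2):
    """None if the hello may proceed, else the alert description to send."""
    client_version, suites = parse_client_hello(record)
    # RFC 7507: SCSV present and offered version below the server's highest
    # means the client fell back after a failed handshake; refuse it.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def build_client_hello(version, suites) -> bytes:
    """Construct a minimal ClientHello record for testing (constructed input)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + b"\x00" * 32 + b"\x00"           # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # suites, null compression only
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + bytes(TLS1_0) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    downgraded = build_client_hello(TLS1_0, [0x002F, TLS_FALLBACK_SCSV])
    print("TLS1.0 + SCSV on a TLS1.2 server ->", fallback_check(downgraded))        # 86
    print("TLS1.2 + SCSV ->", fallback_check(build_client_hello(TLS1_2, [0x002F, TLS_FALLBACK_SCSV])))  # None
    print("TLS1.0 without SCSV ->", fallback_check(build_client_hello(TLS1_0, [0x002F])))  # None
```

The last case is the important one for compatibility: a legacy client that never sends the SCSV is not affected, so enabling the check does not break old clients; it only stops a downgrade retry by a client that has declared it is retrying.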


485182-2 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
wom_verify_config does not recognize an iSession profile in a /Common sub-partition.

Conditions:
iApps create some objects (virtual servers, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.

Fix:
wom_verify_config now recognizes objects in sub-partitions.


484948-1 : UDP connflow may be aborted from a parked iRule in server_closed.

Component: Local Traffic Manager

Symptoms:
Some UDP idle flows abort a parked iRule after the UDP idle timeout.

Conditions:
Conditions leading to this issue include:
1) A UDP virtual server configured to drop the connection on response.
2) An iRule with CLIENT_CLOSED and SERVER_CLOSED events that is parked for a long time.
3) The flow expires while the iRule is parked.

Impact:
The impact of this issue is the iRule aborts and impacts performance. The user cannot keep accurate connection count per client using iRules.

Workaround:
Setting different idle timeout values on the client side and the server side makes this happen much less frequently.

Fix:
Resolved a problem where functions were called twice, causing the iRule to abort.


484861-5 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
This is a site-down situation, because all objects in the traffic group become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.

Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.


484856-1 : Citrix remote desktop visible even if the user cannot access it

Component: Access Policy Manager

Symptoms:
When a remote desktop has auto logon enabled and has no resources assigned for the user, its folder icon is still visible from APM webtop.

Conditions:
This occurs with APM using Citrix XML Broker integration with a Dynamic Webtop, and users configured not to use the desktop.

Impact:
These users can see the remote desktop.

Fix:
Now when a remote desktop has auto logon enabled and has no resources assigned for the user, its folder icon is hidden from APM webtop.


484847-2 : DTLS cannot be disabled on Edge Client for troubleshooting purposes

Component: Access Policy Manager

Symptoms:
There is no client side option to disable DTLS. This option can be very useful in troubleshooting client connectivity issues.

Conditions:
It is required to debug DTLS versus TLS connections.

Impact:
Troubleshooting connectivity issues becomes difficult.

Workaround:
Disable DTLS on server side.

Fix:
Now you can add new registry keys and use them to disable DTLS on both BIG-IP Edge Client and browsers. Using these keys, you can disable DTLS on a particular client without changing the BIG-IP system configuration.

To disable DTLS on a client machine, create a registry DWORD value (both keys are valid on both x64 and x86 systems):
HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
or
HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
and set it to 0.


484733-4 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.

Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).


484706-2 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance, or incremental sync of the deletion of a child object when the iApp implementation script creates the parent object without child objects and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Perform a full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only) and then perform the sync operation; it completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.


484635-10 : OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568.

Vulnerability Solution Article: SOL15722


484582-2 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of the sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
The rewrite plugin crashes and APM Portal Access becomes inaccessible. Shortly afterwards the plugin crashes with a '*** glibc detected ***' memory-corruption message. The rewrite daemon log contains lines such as the following:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.

Fix:
Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.


484483-2 : TCP and UDP were classified as Unknown by the classification library

Component: Traffic Classification Engine

Symptoms:
When traffic did not map to any of the supported Application Layer protocols/services, it was classified as Unknown, which is misleading and does not provide enough granularity.

Conditions:
Traffic does not map to any of the supported Application Layer protocols.

Impact:
Misleading classification results.

Fix:
Instead of classifying such traffic as Unknown, the classification library now tags flows as TCP or UDP, depending on the type of traffic it sees.


484454-3 : Users not able to log on after failover

Component: Access Policy Manager

Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.

Conditions:
The issue will show up after the following events:
1. TMM on the active node restarts or crashes, and the node becomes standby.
2. TMM and APD restart. APD re-creates config snapshots in the SessionDB.
3. The snapshots just created get deleted.
4. Failover happens again and the node becomes active.
5. Users fail to log on.

Impact:
Users cannot log on.

Workaround:
Run 'bigstart restart apd' to re-create config snapshots.

Fix:
APM checks config snapshots periodically and recreates them if any are missing.


484429-4 : After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.

Component: Local Traffic Manager

Symptoms:
After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages about loading a key, certificate, or chain.

Conditions:
A certificate and/or key referenced by an SSL profile is deleted and then recreated, and the change is synchronized (via a full sync, not an incremental sync) to peer devices.

Impact:
In 11.5.0 and later, this message indicates an issue that impacts traffic to affected virtual servers:
-- 01260000:2: Profile /Common/otters: could not load key/certificate.
In versions earlier than 11.5.0, these messages can safely be ignored:
-- 01260000:2: Profile /Common/otters-ssl: could not load key file.
-- 01260000:2: Profile /Common/otters-ssl: could load neither certificate nor chain file

Fix:
TMM still logs critical-level messages, but the system functions properly and traffic is not affected.


484399-2 : Virtual Edition second installation slot and VMWare

Component: TMOS

Symptoms:
You cannot install TMOS on the second slot of the BIG-IP VE 11.5.1 LTM-only image for VMware.

Conditions:
The LTM-only BIG-IP VE is deployed on VMware.

Impact:
Inconvenience. As a workaround, you must manually delete the second slot and then perform the installation.

Workaround:
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh install sys software image BIGIP-11.6.0.0.0.401.iso volume HD1.2
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software

-------------------------------------------------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
-------------------------------------------------------------------------------------------
HD1.1   BIG-IP   11.6.0   0.0.401  yes     complete
HD1.2   BIG-IP   11.6.0   0.0.401  no      failed (Disk full (volume group). See SOL#10636)

[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh delete sys software volume HD1.2
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software

---------------------------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
---------------------------------------------------------------------
HD1.1   BIG-IP   11.6.0   0.0.401  yes     complete
HD1.2   BIG-IP   11.6.0   0.0.401  no      failed to delete volumeset

[root@cblee_11:LICENSE EXPIRED:Standalone] images # reboot

# Login again:

[root@cblee_11:LICENSE EXPIRED:Standalone] config # tmsh show sys software

---------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
---------------------------------------------------
HD1.1   BIG-IP   11.6.0   0.0.401  yes     complete

[root@cblee_11:LICENSE EXPIRED:Standalone] config # cd /shared/images
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh install sys software image BIGIP-11.6.0.0.0.401.iso volume HD1.2 create-volume
[root@cblee_11:LICENSE EXPIRED:Standalone] images # tmsh show sys software
---------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
---------------------------------------------------
HD1.1   BIG-IP   11.6.0   0.0.401  yes     complete
HD1.2   BIG-IP   11.6.0   0.0.401  no      complete

Fix:
The OVA now creates only one slot and leaves the remaining disk space free.


484305-2 : Clientside or serverside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.

Conditions:
Parking command used inside clientside or serverside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Determine whether the parking command really needs to run inside clientside/serverside; if not, move the command outside.

Fix:
TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.


484298-2 : The aced process may restart in a loop

Component: Access Policy Manager

Symptoms:
The aced process may restart in an infinite loop if a parent process cannot start.

This can result in a user not being able to log in using their valid SecurID credentials.

You may notice repeated "re-starting aced" messages in the log file.

Conditions:
If a parent process dies, the child process may hold server port 60000. If this occurs, the new parent process cannot start.

Impact:
RSA SecurID authentication fails.

Fix:
The aced process now behaves as expected. A child process never listens on the server port.


484278-4 : BIG-IP crash when processing packet and running iRule at the same time

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.

Conditions:
iRule scripts are configured, and the system processes iRule tasks and incoming traffic at the same time.

Impact:
The BIG-IP system crashes intermittently.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the iRule processing problem that caused the BIG-IP system to crash while processing incoming packets.


484245-1 : Delete firewall rule in GUI changes port settings in other rules to 'any'

Component: Advanced Firewall Manager

Symptoms:
Using the GUI to delete a network firewall rule causes a change to other rules that specify ports.

Conditions:
This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports.

Impact:
The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs.

Workaround:
Use tmsh, iControl, or BIG-IQ to manage firewall rules. Use port lists instead of specifying ports; a list may contain a single port.

Fix:
Using the GUI to delete a rule no longer changes ports specified in other rules to 'any.'


484095 : RADIUS accounting message with multiple IPv6 prefix causes TMM crash

Component: Policy Enforcement Manager

Symptoms:
When a RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs, all AVPs except the first are parsed incorrectly, and in some cases this may lead to a tmm crash with core.

Conditions:
RADIUS Subscriber discovery is enabled in PEM.
RADIUS Accounting message contains multiple Framed-IPv6-Prefix AVPs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To add multiple IPv6 prefixes to a single PEM session, use multiple RADIUS Accounting messages, each containing a single Framed-IPv6-Prefix AVP.
The tmm.pem.session.provisioning.continuous sys db variable should be set to true.

Fix:
The TMM crash has been fixed, and RADIUS Accounting messages with multiple Framed-IPv6-Prefix AVPs are now parsed correctly.


484079-1 : Change to signature list of manual Signature Sets does not take effect.

Component: Application Security Manager

Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.

Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).

Impact:
The change does not take effect in signature enforcement or remote logging.

Workaround:
Make any spurious change to the signature set (such as unchecking/checking 'Assign to Policy by Default'), or unassign and reassign the signature set to the affected policy.

Fix:
When the signature list of a manual Attack Signature Set is modified, enforcement and remote logging are now updated correctly.


483974-2 : Unrecognized EDNS0 option may be considered malformed.

Component: Local Traffic Manager

Symptoms:
An unrecognized EDNS0 option may be considered malformed and dropped by the BIG-IP system.

Conditions:
A client sends queries with a non-standard EDNS0 option code, and the BIG-IP system is configured with a DNS profile.

Impact:
All queries containing an unrecognized option code are dropped. The EDNS0 RFC says unrecognized options MUST be ignored.

Workaround:
To work around this issue, write an iRule that parses the binary UDP payload and removes the option from the EDNS0 record.

Fix:
Unrecognized DNS EDNS0 options are now ignored.
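The rule the fix restores is RFC 6891 section 6.1.2: option codes a responder does not understand MUST be ignored, which is different from rejecting a structurally malformed OPT record. As an added example (not F5 code and not the BIG-IP DNS profile's parser), the following walks the OPT RDATA option list, decodes the codes it knows (NSID, Client Subnet, Cookie), skips and reports unknown codes, and raises only when an option length runs past the RDATA. The sample RDATA is constructed; code 65001 is taken from the experimental range.

```python
"""EDNS0 OPT RDATA parser that ignores unknown options (RFC 6891 section 6.1.2).

Added example, not F5 code. Unknown OPTION-CODEs are skipped, not treated as
malformed; only a length that overruns the RDATA is rejected. SAMPLE_RDATA
is constructed for this example.
"""
import ipaddress
import struct

OPT_NSID = 3
OPT_CLIENT_SUBNET = 8
OPT_COOKIE = 10


class MalformedOpt(ValueError):
    """Raised only for structural damage, never for an unrecognized code."""


def _decode_client_subnet(data: bytes) -> dict:
    """Decode RFC 7871 client-subnet: FAMILY, SOURCE PREFIX, SCOPE PREFIX, ADDRESS."""
    if len(data) < 4:
        raise MalformedOpt("client-subnet too short")
    family, src_len, scope_len = struct.unpack("!HBB", data[:4])
    size = {1: 4, 2: 16}.get(family)          # 1 = IPv4, 2 = IPv6
    addr = data[4:]
    if size is None or len(addr) > size:
        raise MalformedOpt("bad client-subnet address")
    address = ipaddress.ip_address(addr + b"\x00" * (size - len(addr)))
    return {"source_prefix": src_len, "scope_prefix": scope_len, "address": str(address)}


def parse_opt_rdata(rdata: bytes):
    """Return (decoded_known_options, ignored_unknown_codes)."""
    known, ignored, pos = [], [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise MalformedOpt("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise MalformedOpt("option %d overruns RDATA" % code)
        data = rdata[pos:pos + length]
        pos += length
        if code == OPT_NSID:
            known.append(("NSID", data))
        elif code == OPT_CLIENT_SUBNET:
            known.append(("CLIENT-SUBNET", _decode_client_subnet(data)))
        elif code == OPT_COOKIE:
            known.append(("COOKIE", data))
        else:
            ignored.append(code)              # unknown code: MUST be ignored, not dropped
    return known, ignored


def is_malformed(rdata: bytes) -> bool:
    """True if the RDATA is structurally broken (as opposed to merely unfamiliar)."""
    try:
        parse_opt_rdata(rdata)
    except MalformedOpt:
        return True
    return False


def build_option(code: int, data: bytes) -> bytes:
    """Encode one option as OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed RDATA: an experimental-range option, a client-subnet for 192.0.2.0/24, a cookie.
SAMPLE_RDATA = (build_option(65001, b"\x01\x02")
                + build_option(OPT_CLIENT_SUBNET, b"\x00\x01\x18\x00\xc0\x00\x02")
                + build_option(OPT_COOKIE, b"A" * 8))


if __name__ == "__main__":
    options, skipped = parse_opt_rdata(SAMPLE_RDATA)
    print("decoded:", options)
    print("ignored codes:", skipped)                              # [65001]
    print("truncated is malformed:", is_malformed(build_option(65001, b"abc")[:-1]))  # True
```

The distinction the two helper results make is the one the release note draws: a query carrying code 65001 is a valid query whose option is simply not understood, while a query whose option length exceeds the record is genuinely malformed and may be dropped.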


483798-1 : TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery.

Component: Policy Enforcement Manager

Symptoms:
Using the iRule command PSC::ip_address can cause a TMM crash after RADIUS authentication of DHCP discovery is performed.

Conditions:
1. Configure DHCPv4-based subscriber discovery in Relay mode.
2. Configure RADIUS Authentication for DHCPv4 profile.
3. Use the PSC::ip_address command in an iRule on the RADIUS Authentication virtual server.
4. Initiate RADIUS authentication process.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes when PSC::ip_address is used during the RADIUS authentication process.


483792-5 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers running into iSession related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.


483762-3 : Overlapping vCMP guest MAC addresses

Component: TMOS

Symptoms:
Intermittent traffic disruptions such as unexpected resets and drops may occur as the result of MAC address conflicts between vCMP guests on an affected hypervisor and/or conflict with other F5 devices with adjacent MAC address ranges.

Conditions:
MCPD has restarted on a vCMP hypervisor, and vCMP guest instances with more than 2 VLANs are deployed after the MCPD restart.

Impact:
Intermittent traffic disruptions such as unexpected resets and drops.

Workaround:
1. Restart vCMPD on the hypervisor.
2. Re-deploy the vCMP Guest by setting it to "Configured", then "Deployed" again. Note, you need to set to "Configured", not "Provisioned".

Fix:
MAC address conflicts no longer occur between vCMP guests when the vCMP hypervisor is running a fixed version.

If a vCMP guest running a fixed version detects that the hypervisor has provided an invalid set of MAC addresses, the guest logs errors similar to the following and does not start:
err chmand[28121]: 012a0003:3: unexpected init failure : VcmpPlatform: MAC pool size from hypervisor is zero
crit chmand[28121]: 012a0002:2: critical platform initialize failure. exiting...


483751-1 : Internal objects can have load failures on restarted blades

Component: TMOS

Symptoms:
If the primary blade of a chassis is reset, once it rejoins the cluster as a secondary its configuration may fail to load with errors that look like this:

01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.

Conditions:
This only affects chassis.

Impact:
The impact of this issue is that mcpd will not finish startup unless the workaround steps are performed.

Workaround:
Log in to the affected blade, remove the binary database (/bin/rm -v /var/db/mcp*), and restart all services on the blade (bigstart restart).

Fix:
Previously, when the primary blade of a chassis was reset and rejoined the cluster as a secondary, its configuration could fail to load with errors such as:

01070088:3: The requested object name (/Common/default-eviction-policy) is invalid.
01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
01070734:3: Configuration error: MCPProcessor::check_initialization:
01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter.

The configuration now loads successfully and these errors no longer occur.


483699-1 : No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list

Component: TMOS

Symptoms:
After uploading a file to the system and creating the iFile object, the user is unable to access the object.

Conditions:
Uploading a file to the system and creating the iFile object.

Impact:
The system posts a No Access error, and the user is unable to access the iFile object

Workaround:
This issue has no workaround at this time.

Fix:
Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error.


483683-3 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


483601 : APM sends a logout Bookmarked Access whitelist URL when session is expired.

Component: Access Policy Manager

Symptoms:
Users see a logout page for a bookmarked APM whitelist URL after the session has expired.

Conditions:
This occurs when the user has bookmarked an APM whitelist entry and accesses the bookmarked URL after the Access session has expired.

Impact:
User sees a logout page instead of a logon to revalidate themselves.

Workaround:
This issue has no workaround at this time.

Fix:
When a session had expired and a request arrived for an Access whitelist URL with query parameters, APM did not handle the case properly and sent a logout page. APM now lets the user revalidate by starting the Access policy again.


483539-1 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified

Component: Local Traffic Manager

Symptoms:
Because the MSS value is derived incorrectly, the outgoing packet attempts to use TCP segmentation offload (TSO) when it should not, which can crash TMM.

Conditions:
A virtual server using fastL4 receives a SYN packet that carries TCP options but no MSS option.

Impact:
If this issue occurs, then TMM will core resulting in a failover/reboot of the system.

Workaround:
None.

Fix:
The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.


483526-1 : Rarely seen Edge Client for Mac crash on session disconnect

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client crashed a couple of times in persistent testing on session disconnect.

Conditions:
Long persistent connection to APM.

Impact:
Edge Client crashes on session disconnect, but restarting Edge Client works fine.

Workaround:
To work around the problem, restart Edge Client for Mac.

Fix:
BIG-IP Edge Client for Mac now gracefully handles session disconnect on long-lived persistent connections.


483501-1 : Access policy v2 memory leak during object deletion in tmm.

Component: Access Policy Manager

Symptoms:
A small memory leak occurs every time a per-request access policy is deleted.

Conditions:
If the access policy was deleted before execute_access_policy released its reference count, the policy was deleted while a session was still using it.
If the access policy was deleted when no session was using it, the policy was not actually deleted.

Impact:
A small memory leak occurs every time a per-request access policy is deleted.

Workaround:
None

Fix:
1) In access_policy_add, increment the access policy reference count before adding the policy to the global access policy hash table.
2) In release_access_policy, do not return access_policy->ref_count at the end of the function: the access_policy may already have been deleted and freed by that point. The return value was not used, so the function now returns nothing.


483436-1 : Update 11.5.0 license files for "hourly billing" with production licenses.

Component: TMOS

Symptoms:
Non-production licenses cannot be used for hourly billing.

Conditions:
Cloud installations of BIGIP.

Impact:
Cloud installations of BIGIP.

Fix:
Update to AWS License files


483379-1 : High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows high CPU consumption and an unresponsive menu bar icon after 20-30 minutes.

Conditions:
Edge Client for Mac in use for 20-30 minutes.

Impact:
High CPU consumption and an unresponsive menu bar icon.

Fix:
An issue with BIG-IP Edge Client for Mac consuming high CPU and having an unresponsive menu icon on OS X 10.10 Yosemite is now fixed.


483353-1 : HTTP compression might cause TMM crash in low-memory conditions

Component: Local Traffic Manager

Symptoms:
TMM might crash in HTTP compression in low-memory conditions when unable to initialize the compression provider.

Conditions:
HTTP compression is configured and TMM is low on memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove HTTP compression from the virtual to avoid the issue.

Fix:
HTTP compression now gracefully handles failed compression provider initialization.


483328-4 : Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'

Component: Local Traffic Manager

Symptoms:
- SSL (e.g., HTTPS) virtual servers fail to negotiate SSL handshake. Operations on the device stall (not immediately fail).
- At a packet capture level, the BIG-IP system acknowledges the Client Hello, but does not send a Server Hello.
- System logs critical-level messages similar to the following whenever a user or the system modifies a virtual server: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

Conditions:
This issue might occur after an upgrade at the time of the initial ConfigSync; the device that receives the initial ConfigSync is likely to be affected. This issue might also occur if an administrator makes changes to certificates and keys referenced by an SSL profile (for example, deletes and recreates a certificate or key with the same name), and then performs a ConfigSync to the peer device; the peer device may be affected.

Impact:
All traffic to affected SSL virtual servers is disrupted.

Workaround:
After a device has been affected, restarting the affected TMMs resolves the issue. Note that restarting TMM temporarily disrupts traffic (or causes a failover). You can restart the TMMs by running 'bigstart restart tmm' on the affected appliance, or 'clsh bigstart restart tmm' on an affected VIPRION system.

Fix:
SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.


483286-3 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
The MySQL volume (12G) fills with data, potentially stopping or degrading services on the system that rely on MySQL, including ASM, AVR, APM Reporting, the Web UI, and QkView.

Workaround:
Manually clean up the log_session_details table in the MySQL database.

First, retrieve the randomly generated, per-device MySQL password by running the following shell command as the root user. For example,

# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ

where PjL7mq+fFJ is the password generated at MySQL installation in this example. Use this password in the following clean-up command.

# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"

This deletes all rows that belong to inactive sessions. Note that a password supplied on the command line with -p is recorded in the shell history and is visible in the process list while the command runs; to avoid that, pass -p with no value and enter the password at the prompt.


483228-3 : The icrd_child process generates core when terminating

Component: TMOS

Symptoms:
A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.

Conditions:
This is an intermittent issue that is caused by a race condition.

Impact:
This does not impact functionality, but the system posts messages to icrd log similar to the following: notice icrd: 5823,14414, RestServer, INFO, Connection idle too long fd:11.

Workaround:
None.

Fix:
This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.


483104-3 : vCMP guests report platform type as 'unknown'

Component: TMOS

Symptoms:
vCMP guests report 'unknown' as platform type.

Conditions:
This occurs on vCMP guests.

Impact:
You will be unable to remotely determine exactly which platform is being monitored.

Workaround:
None.

Fix:
vCMP guests now report bigipVcmpGuest as platform type.


483020-1 : [SWG] Policy execution hang when using iRule event in VPE

Component: Access Policy Manager

Symptoms:
Using the iRule Event Visual Policy Editor (VPE) object causes the policy to hang: the event is started but never finishes.

Conditions:
This issue occurs when the iRule event is in the access policy.

Impact:
The access policy evaluation never finishes.

Workaround:
None.

Fix:
[SWG] Policy execution with the iRule event in place no longer hangs.


482943-1 : Cannot upgrade because of lack of root/admin access.

Component: TMOS

Symptoms:
Cannot upgrade because of lack of root/admin access.

Conditions:
Cloud deployments.

Impact:
Cannot upgrade.

Workaround:
None.

Fix:
Changed the internal access properties to support deploying updates to the Cloud.


482915-1 : Learning suggestion for the maximum headers check violation appears only for blocked requests

Component: Application Security Manager

Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).

Conditions:
The HTTP protocol compliance violation is set to Alarm only (not Blocking), the Maximum number of headers sub-violation is enabled, a request violates the maximum number of headers (which is therefore not blocked), and no other violation in the request is blocking.

Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.

Workaround:
This issue has no workaround at this time.

Fix:
Previously, manual learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).


482833 : apd crash for missing db variable

Component: Access Policy Manager

Symptoms:
apd crashes every time it starts.

Conditions:
apd always crashes on startup.

Impact:
apd cannot operate.

Fix:
The rollup package file was missing the inclusion of the RPM file for bigdbd, so a new db variable was not exposed to the system. Whenever apd tried to access this db variable, it failed and crashed.
The issue is fixed by including the RPM file definition in rollup.package.inc.


482710-4 : SSLv3 protocol disabled in APM clients

Component: Access Policy Manager

Symptoms:
Clients configured to support only SSLv3 fail to connect; web login from such clients fails.

Impact:
Clients must be configured to support TLS-based cipher suites.

Fix:
The SSLv3 protocol is disabled in APM clients. All clients must connect using TLS-based cipher suites.


482699-4 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
The Visual Policy Editor (VPE) displays "Uncaught TypeError".

Conditions:
Editing a policy in Google Chrome version 37 or later.

Impact:
Editing policies in the VPE on Chrome is very difficult.

Workaround:
Use a different browser.

Fix:
Visual policy editor works correctly on Google Chrome.


482442-5 : [GTM] [GUI] Changes to a single wideip Propagates to All WIPs

Component: Global Traffic Manager (DNS)

Symptoms:
When a single wideip is updated in the GUI with any of the following changes, the change propagates to all wideips:
- Description
- State
- IPv6 NoError Response
- IPv6 NoError TTL
- Load-Balancing Decision Log

Conditions:
From the GUI, disable or enable a single wideip:
Global Traffic > Wide IPs > (click on any wideip) > Make the related changes > Click the Update button

Impact:
Updating a single wideip changes all wideips.

Workaround:
1. Use tmsh.
2. If modifying the wideip state, enable or disable the wideip from the wideip list page:
   - Global Traffic > Wide IPs > Select the wideip's check box > Click the Enable (or Disable) button

Fix:
State changes for a wideip are now applied only to that wideip when the "Update" button is clicked on the GUI wideip properties page.


482436-1 : BIG-IP processing of invalid SIP request may result in high CPU utilization

Component: Service Provider

Symptoms:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Conditions:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Fix:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.


482434 : Possible performance degradation in AWS cloud

Component: TMOS

Symptoms:
Throughput and new connections per second might be up to 4 times slower in AWS for SR-IOV enabled instances.

Conditions:
This might occur when a BIG-IP virtual server is configured with a Standard profile.

Impact:
Performance is 3 to 4 times slower than the license limit: slow throughput and slow new connections per second.

Workaround:
If throughput is 3x-4x slower than the license limit for virtual servers with the 'Standard' profile, consider disabling interruptible sleep:
1. Set the DB variable to 0 (zero): setdb Scheduler.UnicAsleepRxLimit.LTM 0
2. Restart tmm: bigstart restart tmm

Fix:
Throughput and new connections per second for SR-IOV enabled instances in AWS are now comparable to other instances.


482269-8 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.


482266-3 : Windows 10 support for Network Access / BIG-IP Edge Client

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not upgrade)
OR
2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.

Impact:
User running Windows 10 can not establish a VPN connection.

Fix:
Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.


482260-4 : Location of Captive portal configuration registry entry in 64 bit windows is incorrect

Component: Access Policy Manager

Symptoms:
Captive portal detection configuration in BIG-IP Edge Client does not work as intended on 64-bit Windows-based platforms.

Changing HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\DisableCaptivePortalDetection has no impact on captive portal detection in Edge Client on 64-bit Windows.

Impact:
Windows 64-bit clients are not redirected to the custom captive portal page as expected, but are instead sent to the default URL.

Workaround:
Configuring this setting in HKEY_CURRENT_USER\Software\Wow6432Node\F5 Networks\RemoteAccess works.

Fix:
APM captive portal probe URL in BIG-IP Edge Client for Windows can now be customized on x64 Windows-based platforms in the same way as for x86 Windows-based platforms.


482251-3 : Portal Access. Location.href(url) support.

Component: Access Policy Manager

Symptoms:
Some pages cannot be loaded in specific web applications.

Conditions:
This happens in Microsoft Internet Explorer browser-specific code that contains: Location.href(some_url).

Impact:
Web application cannot load some web pages.

Workaround:
None.

Fix:
The Microsoft Internet Explorer browser-specific code Location.href(some_url) now works correctly, so web applications can load previously unloadable web pages.


482241-1 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by the BIG-IP system.

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
The User-Agent header can be parsed in the access policy for Windows 10 tokens (for example, "Windows NT 10.0").

Fix:
Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.


482202-1 : Very long FTP command may be ignored.

Component: Carrier-Grade NAT

Symptoms:
FTP commands are delimited by carriage return/line feed (CRLF). If the BIG-IP system receives a large buffer with no delimiter, it passes the data through without inspecting it for, or acting on, commands. Because the only commands acted on are delimited within a reasonable size, this does not affect FTP behavior and protects the BIG-IP system against DDoS attacks in which large amounts of non-command data are sent over the FTP control connection.

Conditions:
If the FTP profile encounters command buffers that contain many carriage returns without valid command data, the buffers are passed on without inspection.

Impact:
Under normal conditions there is no impact. If invalid data is followed by valid data, the valid data may be ignored.

Workaround:
Do not use the FTP profile for traffic other than FTP.

Fix:
The FTP profile does not process invalid command data.
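A control-channel command scanner with the behaviour the note describes, as an added Python example (not F5's FTP profile or its code): CRLF-delimited lines are matched against the RFC 959 command shape, junk between delimiters is dropped one line at a time so a valid command that follows it is still recognised, and data that grows past an assumed 4096-byte inspection limit without a delimiter is forwarded uninspected rather than buffered without bound. The MAX_LINE value and the sample chunks are constructed for the example.

```python
import re

# FTP control-channel command lines are CRLF-terminated (RFC 959): a 3-4 letter verb
# and an optional argument. A bare CR or LF inside a line is not part of a valid command.
COMMAND_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([^\r\n]*))?$")
MAX_LINE = 4096  # assumed inspection limit; longer undelimited data is passed through


class FtpCommandScanner:
    """Incremental scanner: feed it raw control-channel chunks in arrival order."""

    def __init__(self, max_line=MAX_LINE):
        self.buf = b""
        self.max_line = max_line
        self.passthrough = 0   # bytes forwarded without inspection
        self.invalid = 0       # delimited lines that were not valid commands

    def feed(self, data):
        """Return the valid (VERB, argument) pairs completed by this chunk."""
        self.buf += data
        commands = []
        while True:
            idx = self.buf.find(b"\r\n")
            if idx < 0:
                # No delimiter yet. Once pending data exceeds the inspection limit,
                # forward it uninspected instead of buffering junk without bound.
                if len(self.buf) > self.max_line:
                    self.passthrough += len(self.buf)
                    self.buf = b""
                return commands
            line, self.buf = self.buf[:idx], self.buf[idx + 2:]
            if len(line) > self.max_line:
                # An oversized "command" is not a command: pass it on, keep scanning.
                self.passthrough += len(line) + 2
                continue
            m = COMMAND_RE.match(line)
            if m is None:
                # Junk between delimiters: drop only this line and keep scanning so a
                # valid command that follows the junk is still seen.
                self.invalid += 1
                continue
            verb = m.group(1).upper().decode("ascii")
            arg = (m.group(2) or b"").decode("latin-1")
            commands.append((verb, arg))


def scan(chunks, max_line=MAX_LINE):
    """Run the scanner over a list of chunks; return (commands, scanner) for inspection."""
    scanner = FtpCommandScanner(max_line)
    commands = []
    for chunk in chunks:
        commands.extend(scanner.feed(chunk))
    return commands, scanner


if __name__ == "__main__":
    # Constructed sample: an empty line, binary junk, a command split across chunks,
    # then 5000 undelimited bytes followed by a valid command.
    cmds, s = scan([b"USER alice\r\n", b"\r\n\x00\x01junk\r\nPA", b"SS secret\r\n",
                    b"B" * 5000, b"QUIT\r\n"])
    print(cmds, s.invalid, s.passthrough)
```

The point of the two counters is that the scanner never loses synchronisation: junk costs at most one delimited line, and oversized data costs only the bytes before the next delimiter, so commands that arrive after it are still inspected.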


482145-3 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When high DPI settings are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of the buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for Windows DPI setting.


482137-1 : Adding TCP iRules to PEM space

Component: Policy Enforcement Manager

Symptoms:
TCP iRule commands are not available in the PEM space.

Conditions:
When writing iRules in the PEM space, TCP iRule commands do not work.

Impact:
TCP iRule commands do not function when run in the PEM space.

Fix:
TCP iRule commands have been added to the PEM space and now function properly.


482134-1 : APD and APMD cores during shutdown.

Component: Access Policy Manager

Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.

Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).

Impact:
During this shutdown process, the system cores.

Workaround:
None.

Fix:
APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.


482046-1 : Old password is not verified during password change from View client.

Component: Access Policy Manager

Symptoms:
The old password is not verified during a password change from the View client. When the user's AD password has expired, the system requires the user to change it at logon. Typically, changing the password requires both the old and the new password.

Conditions:
When user's AD password is expired.

Impact:
Old password is not verified during password change from View client.

Workaround:
None.

Fix:
Now APM verifies the user's old password before submitting the new one to AD when native VMware View client is used.


481987-6 : Allow NTLM feature to be enabled with APM Limited license

Component: Access Policy Manager

Symptoms:
When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through.

This breaks many (all) use-cases for Exchange + APM.

Conditions:
APM and Exchange are deployed together with APM Limited / Lite license.

Impact:
Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.

Fix:
The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.


481950-1 : DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4

Component: Policy Enforcement Manager

Symptoms:
When you upgrade a configuration from 11.4 or 11.5 to 11.6 while you have a virtual server of type DHCPRELAY, the configuration load fails.

Conditions:
The user must have a DHCPRELAY virtual server for this to happen.

Impact:
Configuration load fails until you fix the issue.

Workaround:
Manually edit bigip.conf: remove the udp { } profile from the virtual server and add a dhcpv4 or dhcpv6 profile instead.
Also set the mode of operation (relay or forwarding) in the profile you attach.

Forwarding mode works with unicast DHCP traffic, while Relay mode works with broadcast or multicast traffic.


481880-5 : SASPD monitor cores

Component: Local Traffic Manager

Symptoms:
The SASP monitor process core dumps during a state change.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
Pool member is marked down, which leads to monitor outage.

Fix:
SASP monitor no longer core dumps during a state change in push mode.


481820-1 : Internal misbehavior of the SPDY filter

Component: Local Traffic Manager

Symptoms:
The SPDY filter incorrectly handles the error case in which a child flow is aborted.

Conditions:
A child flow that is aborted for any reason triggers a superfluous ABORT event to be sent by SPDY.

Impact:
Potential disruption of valid client traffic, in theory.

Workaround:
None.

Fix:
SPDY no longer sends superfluous aborts to an already aborting child flow.


481792-1 : BD may crash within HTTP payload parser.

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
A request whose JSON payload contains an error in an escaped character.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed an issue in which specific requests sometimes caused the Enforcer to crash: the JSON parser now handles errors in escaped characters without copying the erroneous character.


481706-2 : AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP

Component: Advanced Firewall Manager

Symptoms:
While an AFM DoS Sweep or Flood attack is ongoing, a non-attacking source IP (one sending packets below the detection threshold) may be logged as an attacker in the "attack_sampled" AFM DoS log message.

Conditions:
An AFM DoS Sweep or Flood attack is ongoing, and multiple source IPs (attackers and non-attackers) are sending packets that match the Sweep or Flood vector. The "attack sampled" log may then name an IP that is not actually sending packets above the configured attack rate.

Impact:
The log message could list an innocent source IP as an attacker. AVR may also show this IP as an attacker.

Workaround:
None, since the log message is cosmetic.

Fix:
Improved security logging to reduce incorrect messages.
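The difference between sampling packets during an attack and accounting per source, as an added Python example that is not AFM code: a constructed packet list has two sources sending above an assumed 100 pps detection threshold and one legitimate client at 10 pps. Per-source counting in one-second windows flags only the two flooders; sampling every N-th packet of the aggregate stream, the kind of attribution the note describes, can return the legitimate client's address. The addresses, rates and threshold are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample: (timestamp in seconds, source IP). All packets fall in second 0.
SAMPLE_PACKETS = (
    [(i * 0.001, "203.0.113.10") for i in range(600)]   # 600 pps, attacker
    + [(i * 0.002, "203.0.113.11") for i in range(400)]  # 400 pps, attacker
    + [(i * 0.1, "198.51.100.7") for i in range(10)]     # 10 pps, legitimate client
)

DETECT_THRESHOLD_PPS = 100   # assumed per-source detection threshold


def per_source_rates(packets, window=1.0):
    """Count packets per source in each window -> {window_index: Counter(src -> packets)}."""
    rates = defaultdict(Counter)
    for ts, src in packets:
        rates[int(ts // window)][src] += 1
    return rates


def attackers(packets, threshold=DETECT_THRESHOLD_PPS, window=1.0):
    """Sources whose own rate crossed the threshold in some window: what should be logged."""
    flagged = set()
    for counts in per_source_rates(packets, window).values():
        flagged.update(src for src, n in counts.items() if n > threshold * window)
    return flagged


def naive_sampled_sources(packets, every_n=97):
    """The faulty attribution: once the aggregate rate is over threshold, report the source
    of every N-th packet in arrival order. A low-rate client can land on a sample slot."""
    ordered = [src for _, src in sorted(packets)]
    return {ordered[i] for i in range(0, len(ordered), every_n)}


def misattributed(packets, every_n=97):
    """Sources the sampling approach names that per-source accounting does not."""
    return naive_sampled_sources(packets, every_n) - attackers(packets)


if __name__ == "__main__":
    print("per-source:", sorted(attackers(SAMPLE_PACKETS)))
    print("sampled:   ", sorted(naive_sampled_sources(SAMPLE_PACKETS)))
    print("innocent but sampled:", sorted(misattributed(SAMPLE_PACKETS)))
```

The per-source accounting is the check to apply before acting on any "attacker" address taken from a sampled log line: a source that never exceeded the threshold on its own should not be treated as one.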


481677-2 : A possible TMM crash in some circumstances.

Component: Local Traffic Manager

Symptoms:
If the TCP::close iRule command is called during the SSL handshake, TMM might crash.

Conditions:
TCP::close is called during an SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.

Fix:
TMM no longer produces a core file when the TCP::close iRule command is executed during an SSL handshake.


481663-5 : Disable isession control channel on demand.

Component: Access Policy Manager

Symptoms:
Customers running into iSession-related issues.

Conditions:
This happens when APM has been running.

Impact:
TMM could run out of memory because of these issues.

Workaround:
This issue has no workaround at this time.

Fix:
If the customer does not need optimized tunnels, app tunnels, or remote desktop, the db variable "isession.ctrl.apm" can safely be disabled, which disables iSession.
Then run "bigstart restart tmm apd" so that the db variable takes effect.


481648-8 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipaddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.

Fix:
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.


481541-1 : Memory leak in monpd when LTM and AVR or ASM are provisioned

Component: Application Visibility and Reporting

Symptoms:
When processing 'empty' reports (that is, reports containing no data), monpd has a memory leak.

Conditions:
This might happen when no traffic or data runs for more than 5 minutes through a module that reports to AVR, and therefore no data should be presented by AVR.

Impact:
Memory is gradually exhausted.

Workaround:
To prevent this issue, monitor memory usage and restart monpd prior to the system running out of memory.

Fix:
Previously, a memory leak in the monpd daemon occurred in some situations. It no longer occurs.


481476-5 : MySQL performance

Component: Application Security Manager

Symptoms:
MySQL usage would spike to 100% for extended periods of time.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.

Fix:
A MySQL performance issue was fixed.


481431-1 : AAM concatenation set memory leak on configuration change

Component: WebAccelerator

Symptoms:
When the AAM configuration is reloaded, it can leak some data structures associated with concatenation sets.

Conditions:
AAM provisioned and concatenation sets defined

Impact:
TMM memory consumption slowly grows.

Workaround:
Restart TMM to free the memory.

Fix:
Reloading AAM configuration no longer leaks memory associated with concatenation sets.


481373-1 : TMM might core when deleting an entry for a user in a Radius AAA cache

Component: Policy Enforcement Manager

Symptoms:
TMM crashes, resulting in a temporary loss of service.

Conditions:
Radius AAA in use with user entries present.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when deleting a user in the Radius AAA cache.


481257-5 : Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Component: Access Policy Manager

Symptoms:
Information on "OPSWAT Integration Libraries V3" is missing from CTU report

Conditions:
"OPSWAT Integration Libraries V3" are installed on the PC.

Impact:
Information on "OPSWAT Integration Libraries V3" is not available in CTU report

Workaround:
None

Fix:
CTU report now includes information on "OPSWAT Integration Libraries V3".


481216-1 : Fallback may be attempted incorrectly in an abort after an Early Server Response

Component: Local Traffic Manager

Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.

Conditions:
Fallback is configured, or enabled by an iRule, and an early server response triggers an error that leads to an Abort being raised. The Abort then triggers a fallback response inappropriately.

Impact:
The server side might read HTTP data structures after they have already been freed: if the client side has already aborted, generating a fallback on the server side leads to a use-after-free.

Fix:
A fallback response is no longer inappropriately generated when an error follows an Early Server Response.


481210-1 : Active Directory Query doesn't populate all values of multi-value attributes

Component: Access Policy Manager

Symptoms:
If an attribute requested by an Active Directory (AD) Query contains multiple values (for example, memberOf), the last value is omitted from the corresponding session variable.

Conditions:
An Active Directory attribute has multiple values.

Impact:
The access policy may make the wrong decision based on the session variables registered by the AD Query.

Fix:
All values are now populated as session variables as expected.


481203-5 : User name case sensitivity issue

Component: Access Policy Manager

Symptoms:
Create a local user (this also applies to dynamic users) whose name starts with an upper-case letter. On the logon page the user can enter the name in all lower case, all upper case, or any mix of the two, and is authenticated in every case; however, each distinct spelling creates its own entry in memcache, where there should be only one. When the user is deleted, the entries for the other spellings remain in memcache.

Conditions:
This issue occurs when the user name is entered in the logon page response.

Impact:
This issue leaves dangling memcache entries that are not accounted for: entries for a deleted user persist under the other spellings of the name.

Workaround:
This issue has no workaround at this time.

Fix:
When creating the memcache entry, the user name is now normalized to UTF-8 lowercase, so that all spellings of a user name map to a single entry.
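The defect and the fix come down to which key a cache entry is stored under. The following toy session cache (an added example, not APM's implementation and not code from this release note) runs the scenario from the Symptoms with an un-normalized key and again with a lowercased key, and reports which entries are left behind after the account is deleted. The account name, session IDs and the cache class are constructed for illustration.

```python
from typing import Callable, Dict, List, Set

KeyFn = Callable[[str], str]


def raw_key(username: str) -> str:
    """Pre-fix behaviour: the login name is used as typed, so 'Alice' and 'alice'
    are stored as two different users."""
    return username


def normalized_key(username: str) -> str:
    """Fixed behaviour: lowercase the name (str.lower() handles non-ASCII letters)
    so every case variant of one login maps to a single entry."""
    return username.lower()


class SessionCache:
    """Toy stand-in for the per-user memcache entries; keyed by key_fn(username)."""

    def __init__(self, key_fn: KeyFn) -> None:
        self._key_fn = key_fn
        self._entries: Dict[str, Set[str]] = {}

    def login(self, username: str, session_id: str) -> None:
        self._entries.setdefault(self._key_fn(username), set()).add(session_id)

    def delete_user(self, username: str) -> int:
        """Drop the entry for this user; returns the number of cache keys removed."""
        return 0 if self._entries.pop(self._key_fn(username), None) is None else 1

    def keys(self) -> List[str]:
        return sorted(self._entries)


def simulate(key_fn: KeyFn) -> Dict[str, List[str]]:
    """Log in three case variants of the same (constructed) account, delete the
    account, and report the cache keys before and those left dangling afterwards."""
    cache = SessionCache(key_fn)
    for variant, sid in (("Alice", "s1"), ("alice", "s2"), ("ALICE", "s3")):
        cache.login(variant, sid)
    before = cache.keys()
    cache.delete_user("Alice")
    return {"before_delete": before, "dangling_after_delete": cache.keys()}


if __name__ == "__main__":
    print("raw keys:       ", simulate(raw_key))
    print("normalized keys:", simulate(normalized_key))
```

The fix text says lowercase, which is what normalized_key does; for identifiers that may contain characters such as German sharp s, str.casefold() is the stronger choice, and whatever normalization is chosen must be applied at every place the key is built (create, look up and delete), otherwise the dangling entries reappear.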


481189-2 : Change the default value of pccd.hash.load.factor to 25

Component: Advanced Firewall Manager

Symptoms:
Sometimes the compiled firewall rule BLOB is very large even though the configuration does not seem to be very large.

Conditions:
The BLOB size depends on many factors, such as the source and destination IP addresses in a rule. There is no straightforward way to estimate the size of the BLOB from static inspection of the rules; two sets of configurations that look very similar can sometimes generate BLOBs of very different sizes.

Impact:
One factor that contributes to the BLOB size is the load factor (percentage of fullness) of the rule compiler's internal hash tables. The load factor specifies the minimum percentage of fullness that must be reached before a table is expanded to a larger size, so a low value lets the tables grow early and often, which inflates the BLOB.

Workaround:
You can set the hash load factor (pccd.hash.load.factor) manually to a value from 0 (do not check) to 75.

Fix:
The default value of pccd.hash.load.factor is now 25. The load factor controls the minimum percentage of fullness that must be reached before a table is expanded; the higher default stops the firewall rule compiler from growing the table size too aggressively, which is what produced the large firewall BLOBs.


481162-2 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds a different vs-index on each blade (typically the value differs by one from the active blade's). From that point on, every newly created virtual server carries the same inconsistency, so vs-index is set differently on each blade in the chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.

Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.


481135-1 : The pool members of a wide IP in Link Controller can not be modified once created

Component: TMOS

Symptoms:
After a wide IP is created in Link Controller, a user cannot modify its pool members from the GUI member page.

Conditions:
When you try to update the pool members of a wide IP in Link Controller from the GUI, an error occurs.

Impact:
After a wide IP is created in Link Controller, a user must use tmsh to modify its members, or use the GUI to delete the wide IP and recreate it with different virtual servers.

Workaround:
Use tmsh to change pool members: tmsh modify gtm pool <pool name> members add { <server>:<vs> }.

Fix:
The pool members of a wide IP in Link Controller can now be modified from the GUI pool member page.


481082-2 : Software auto update schedule settings can be reset during a full sync

Component: TMOS

Symptoms:
After performing a full sync, the auto update settings of the target machine are reset to defaults.

Conditions:
Perform a full sync to a system that has non-default auto update settings.

Impact:
Auto update settings can get out of sync, and be incorrect.

Workaround:
After a full sync, ensure that the auto update settings on both systems are set as desired.

Fix:
The auto update settings no longer reset during a sync operation.


481046-5 : F5_Inflate_text(o, incr, v) wrapper need to be fixed for case when o is script tag

Component: Access Policy Manager

Symptoms:
A web application can receive an unrewritten dynamically-generated script in browsers other than Internet Explorer.

Conditions:
The problem occurs when the application assigns scriptTag.text = 'source script' and the browser is not Internet Explorer.

Impact:
As a result, the web application malfunctions.

Workaround:
This issue has no workaround at this time.

Fix:
The wrapper for scriptTag.text = 'source script' now rewrites 'source script' for all browsers.


481020-1 : Traffic does not flow through VPN tunnel in environments where proxy server is load balanced

Component: Access Policy Manager

Symptoms:
VPN will appear to be established but no traffic will flow through the VPN tunnel.

Conditions:
VPN is established through proxy server.
DNS returns different IP address for subsequent name resolution query for proxy server.

Impact:
No traffic flows through VPN tunnel.

Workaround:
Use IP address for proxy server instead of name.

Fix:
Resolved an intermittent routing table issue that caused traffic not to flow through the tunnel when the proxy server is load balanced.


480995-1 : APM client components are not using extended logging by default.

Component: Access Policy Manager

Symptoms:
If end users of APM are encountering issues, extended client logs are disabled by default. This makes troubleshooting more difficult, and you would need to work with the end user to enable extended logging and try to reproduce the symptom they are seeing.

Conditions:
This occurs for end users connecting to APM.

Impact:
Extended logs are not present by default, which makes troubleshooting client-side issues more difficult.

Fix:
APM client components are now using extended logging by default.


480931-1 : Multiple BASH vulnerabilities - ShellShock

Vulnerability Solution Article: SOL15629
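The entry above gives only the solution article. For readers who want to verify a host themselves, the following added probe (not part of this release note and not F5 tooling) implements the standard check for the original ShellShock bug, CVE-2014-6271: it exports a variable whose value is a function definition followed by a trailing command and starts a child bash; an unpatched bash executes the trailer while importing the environment. The variable name, marker string and search PATH are assumptions, and the probe covers only this first CVE, not the related parser bugs that SOL15629 also addresses.

```python
import os
import shutil
import subprocess
from typing import Optional

# Assumed marker; any string that cannot otherwise appear in the child's output works.
MARKER = "SHELLSHOCK_TRAILER_EXECUTED"


def bash_runs_env_function_trailer(bash_path: Optional[str] = None) -> Optional[bool]:
    """Probe for CVE-2014-6271 (the original ShellShock bug).

    Returns True if the child bash executed the trailing command from the exported
    variable, False if it did not (patched bash ignores it and may warn on stderr),
    and None if no usable bash binary is available.
    """
    path = bash_path or shutil.which("bash")
    if path is None or not os.access(path, os.X_OK):
        return None
    # Minimal environment: only PATH (assumed locations) and the probe variable.
    env = {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "probe": "() { :; }; echo " + MARKER,
    }
    proc = subprocess.run(
        [path, "-c", "echo child-started"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    return MARKER in proc.stdout


if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "not vulnerable", None: "bash not found"}
    print(verdict[bash_runs_env_function_trailer()])
```

Run it on the host being assessed (for a BIG-IP, from a shell on the device itself), since it tests the local bash binary, not anything over the network.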


480910 : A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection.

Component: Wan Optimization Manager

Symptoms:
TCP connection establishment fails on some virtual servers.

Conditions:
A TCP profile with advanced options such as 'Rate Pace' or 'Tail Loss Probe' enabled is in use.

Impact:
All TCP connections using a TCP profile that has advanced options such as 'Rate Pace' or 'Tail Loss Probe' enabled fail to establish.

Workaround:
Avoid using the TCP profile options 'Rate Pace' and 'Tail Loss Probe'. If these options are required, there is no workaround other than upgrading to a build with the fix.

Fix:
A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled now successfully establishes connections.


480903-1 : AFM DoS ICMP sweep mitigation performance impact

Component: Advanced Firewall Manager

Symptoms:
ICMP sweep vector mitigation in AFM DoS degrades the performance of the BIG-IP system.

Conditions:
ICMP traffic at 4 million packets per second (pps) from approximately 100 source IP addresses, with the AFM DoS Sweep vector enabled to mitigate ICMP traffic.

Impact:
Slower performance of the BIG-IP system; a large share of CPU is consumed by the AFM DoS Sweep vector mitigation.

Workaround:
Do not enable the AFM DoS Sweep vector for ICMP traffic when the attack rate exceeds 4 million pps.

Fix:
AFM DoS ICMP sweep mitigation performance issues have been alleviated.


480888-2 : Data can be truncated when Tcl parks during HTTP::collect and serverssl is present

Component: Local Traffic Manager

Symptoms:
If Tcl parks during HTTP::collect and a serverssl profile is present, data can be truncated: serverssl can send an 'early' EOF when the server notifies it of connection termination.

Conditions:
A serverssl profile with a server that notifies SSL of connection termination, and an iRule that uses HTTP::collect on the server side. If Tcl is parked during an HTTP::collect call, the EOF can be placed before the collected data; when that happens, the data is dropped. If HTTP::collect is called within the HTTP_RESPONSE_DATA event, the occurrence is much more likely.

Impact:
The server response is truncated.

Fix:
A response from the server is no longer truncated in some situations when the serverssl profile is combined with the HTTP::collect iRule command.


480827-1 : Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).

Component: Access Policy Manager

Symptoms:
Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).

Conditions:
This occurs when VDI log level is set to Debug.

Impact:
BIG-IP logs an error message: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND). This message is cosmetic and can be ignored.

Workaround:
Set VDI log level to a level above Debug.

Fix:
Error logging has been improved so that this message is not shown at the default log level.


480826 : IPs can be added for infinite duration

Component: Advanced Firewall Manager

Symptoms:
tmsh does not accept the keyword 'infinite' as a valid TTL.

Conditions:
Attempting to configure an infinite TTL for shun list entries via tmsh.

Impact:
It is not possible to add an IP address to a shun list with an infinite TTL.

Workaround:
None.

Fix:
tmsh now accepts 'infinite' as a valid TTL value.


480817-3 : Added options to troubleshoot client by disabling specific features

Component: Access Policy Manager

Symptoms:
It is not possible to turn off specific features on specific clients for troubleshooting purposes.

Conditions:
Always, when using the Edge Client.

Impact:
The lack of these options made client troubleshooting difficult, because the options could only be set on the server.

Fix:
The following client-side registry values were added:

DWORD value                        Default   HKLM only
------------------------------------------------------
UseLocalProxy                      false     yes
EnableEdgeClientUpdate             true      yes
EnableWebComponentsUpdate          true      yes
EnableDTLSTransport (Bug484847)    true      no
EnableNACompression                true      no
EnableOptimizedTunnelCompression   true      no
SessionChecksInterval              10000     no
------------------------------------------------------
For the boolean values, 0 means "false" and any value other than 0 means "true".

Key: HKLM (or HKCU)\Software\F5 Networks\RemoteAccess

A SessionChecksInterval value of 0 disables session checks completely.
"HKLM only: yes" means that the feature can be enabled or disabled only by a value under the HKLM subtree; features marked "no" can be set under either HKLM (Local Machine) or HKCU (Current User).

The CLIENT control channel is not yet implemented.


480811-2 : qkview will not collect lib d