Supplemental Document: Release Information: Hotfixes: BIG-IP 12.1.2

Original Publication Date: 05/24/2017

BIG-IP Hotfix Release Information

Version: BIGIP-12.1.2
Build: 271.0
Hotfix Rollup: 1

Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
652151-1 CVE-2017-6131 K61757346 Azure VE: Initialization improvement
641256-1 CVE-2016-9257 K43523962 APM access reports display error
623885-4 CVE-2016-9251 K41107914 Internal authentication improvements
621371-2 CVE-2016-9257 K43523962 Output Errors in APM Event Log
648865-2 CVE-2017-6074 K82508682 Linux kernel vulnerability: CVE-2017-6074
643187-2 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
636702-3 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636699-5 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
631582 CVE-2016-9250 K55792317 Administrative interface enhancement
628836-4 CVE-2016-9245 K22216037 TMM crash during request normalization
624570-1 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
623093-1 CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 K38871451 TIFF vulnerability CVE-2015-7554
596340-8 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
648879-2 CVE-2016-6136 CVE-2016-9555 K90803619 Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2 CVE-2017-0302 K87141725 APM crash
635412 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
635252-1 CVE-2016-9256 K47284724 CVE-2016-9256
631841-7 CVE-2016-9311 K55405388 NTP vulnerability CVE-2016-9311
631688-7 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
630150-1 CVE-2016-9253 K51351360 Websockets processing error
625372-5 CVE-2016-2179 K23512141 OpenSSL vulnerability CVE-2016-2179
622496 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
622126-1 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 K54308010 PHP vulnerability CVE-2016-7124
621337-6 CVE-2016-7469 K97285349 XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
615267-2 CVE-2016-2183 K13167034 OpenSSL vulnerability CVE-2016-2183
613225-7 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
606710-10 CVE-2016-2834, CVE-2016-5285, CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
600232-9 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600223-2 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
599858-7 CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 K68785753 ImageMagick vulnerability CVE-2015-8898
635933-3 CVE-2004-0790 K23440942 K13361021 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4 CVE-2016-6161 K71581599 libgd vulnerability CVE-2016-6161
622662-7 CVE-2016-6306 K90492697 OpenSSL vulnerability CVE-2016-6306
609691-1 CVE-2014-4617 K21284031 GnuPG vulnerability CVE-2014-4617
600205-9 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
600198-2 CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 K53084033 OpenSSL vulnerability CVE-2016-2178
599285-2 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
621937-1 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
621935-6 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
606771-2 CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 K35799130 Multiple PHP vulnerabilities
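The rows above are a flattened four-column table (fix ID, one or more CVEs, one or more K solution articles, description), and the CVE column is irregular: some rows list several CVEs, some separate them with commas, and the description often repeats one of them. As an added example (not part of the F5 release note), the following Python parser splits each row into its columns and builds a CVE-to-fix index so the page can be searched for a given CVE. The sample rows are copied from the table above; the ID and K-article patterns are assumptions based on the formats shown on this page.

```python
import re
from dataclasses import dataclass

# Patterns assume the formats visible in this release note: six-digit fix IDs
# with an optional "-N" suffix, CVE IDs, and F5 solution articles "K<digits>".
ID_RE = re.compile(r"^\d{6}(?:-\d+)?$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
KB_RE = re.compile(r"^K\d{5,}$")


@dataclass
class VulnFix:
    fix_id: str
    cves: list
    articles: list
    description: str


def parse_vuln_fix_row(line):
    """Split one 'Vulnerability Fixes' row into its four columns.

    Column order is fixed: ID, one or more CVEs (optionally comma-separated),
    one or more K articles, then the free-text description. The CVE column is
    read greedily until the first token that is not a CVE, so a CVE repeated in
    the description (e.g. 'OpenSSL vulnerability CVE-2016-6306') is not counted
    twice.
    """
    tokens = line.split()
    if not tokens or not ID_RE.match(tokens[0]):
        raise ValueError(f"not a fix row: {line!r}")
    fix_id = tokens[0]
    cves, articles = [], []
    i = 1
    while i < len(tokens):
        tok = tokens[i].rstrip(",")  # tolerate "CVE-2016-2180," style separators
        if not CVE_RE.match(tok):
            break
        cves.append(tok)
        i += 1
    while i < len(tokens) and KB_RE.match(tokens[i]):
        articles.append(tokens[i])
        i += 1
    if not cves or not articles:
        raise ValueError(f"row lacks a CVE or article column: {line!r}")
    return VulnFix(fix_id, cves, articles, " ".join(tokens[i:]))


def parse_vuln_fix_table(text):
    """Parse every fix row in a block of text, skipping headers and blank lines."""
    fixes = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and ID_RE.match(tokens[0]):
            fixes.append(parse_vuln_fix_row(line))
    return fixes


def cve_index(fixes):
    """Map each CVE to the sorted fix IDs addressing it; one CVE can appear in
    several rows (CVE-2016-9311 is listed under both 631841-7 and 631688-7)."""
    index = {}
    for fix in fixes:
        for cve in fix.cves:
            index.setdefault(cve, []).append(fix.fix_id)
    return {cve: sorted(ids) for cve, ids in index.items()}


# Sample input: a subset of rows copied from the table above, plus its header.
SAMPLE_ROWS = """ID Number CVE Solution Article(s) Description
652151-1 CVE-2017-6131 K61757346 Azure VE: Initialization improvement
631841-7 CVE-2016-9311 K55405388 NTP vulnerability CVE-2016-9311
631688-7 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
613225-7 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
635933-3 CVE-2004-0790 K23440942 K13361021 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
"""

if __name__ == "__main__":
    fixes = parse_vuln_fix_table(SAMPLE_ROWS)
    for cve, ids in sorted(cve_index(fixes).items()):
        print(cve, ",".join(ids))
```

Feeding the whole Vulnerability Fixes table to parse_vuln_fix_table gives a list that can be filtered by CVE or by K article; rows in the other sections of this page carry a severity instead of a CVE column and are rejected by the CVE/article check rather than silently misparsed.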


Functional Change Fixes

ID Number Severity Description
628972-2 2-Critical BMC version 2.51.7 for iSeries appliances
624831-2 2-Critical BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1 2-Critical BMC version 2.50.3 for iSeries appliances
633723-3 3-Major New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1 3-Major GUI Error trying to modify IP Data-Group
609614-3 3-Major Yafuflash 4.25 for iSeries appliances
581840-5 3-Major Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
564876-2 3-Major New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2 4-Minor Max number of chunks not configurable above 1000 chunks
597270-2 4-Minor tcpdump support missing for VXLAN-GPE NSH


TMOS Fixes

ID Number Severity Description
655500 1-Blocking Rekey SSH sessions after one hour
642058-1 1-Blocking CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5 1-Blocking Backslash removal in LTM monitors after upgrade
627433-1 1-Blocking HSB transmitter failure on i2x00 and i4x00 platforms
624457-5 1-Blocking Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
602830-1 1-Blocking BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
653453 2-Critical ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
648056-2 2-Critical bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805 2-Critical LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
641248 2-Critical IPsec-related tmm segfault
641013-5 2-Critical GRE tunnel traffic pinned to one TMM
638935-3 2-Critical Monitor with send/receive string containing double-quote may cause upgrade to fail.
638137 2-Critical Linux kernel vulnerabilities: CVE-2016-7117, CVE-2016-4998, CVE-2016-6828
636918-2 2-Critical Fix for crash when multiple tunnels use the same traffic selector
636290 2-Critical vCMP support for B4450 blade
627898-2 2-Critical TMM leaks memory in the ECM subsystem
625824-1 2-Critical iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4 2-Critical iControl REST API sets a profile's non-default property value to "none"; properties are missing from the iControl REST API response
618779-1 2-Critical Route updates during IPsec tunnel setup can cause tmm to restart
616059-1 2-Critical Modifying license.maxcores Not Allowed Error
614296-1 2-Critical Dynamic routing process ripd may core
613536-5 2-Critical tmm core while running the iRule STATS:: command
610295-1 2-Critical TMM may crash due to internal backplane inconsistency after reprovisioning
610255-1 2-Critical CMI improvement
583516-2 2-Critical tmm asserts "valid node" on the Active unit after a timer fires
567457-2 2-Critical TMM may crash when changing the IKE peer config.
652484-2 3-Major tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2 3-Major qkview improvement for OVSDB management
648544-5 3-Major HSB transmitter failure may occur when global COS queues enabled
646760 3-Major Common Criteria Mode Disrupts Administrative SSH Access
644490-1 3-Major Finisar 100G LR4 values need to be revised in f5optics
637559-1 3-Major Modifying iRule online could cause TMM to be killed by SIGABRT
636535 3-Major HSB lockup in vCMP guest doesn't generate core file
635961-1 3-Major gzipped and truncated files may be saved in qkview
635129 3-Major Chassis systems in HA configuration become Active/Active during upgrade
635116-1 3-Major Memory leak when using replicated remote high-speed logging.
634115-1 3-Major Not all topology records may sync.
633879-1 3-Major Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1 3-Major HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1 3-Major IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4 3-Major Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1 3-Major tmm crash possible if high-speed logging pool member is deleted and reused
630610-5 3-Major BFD session interface configuration may not be stored on unit state transition
630546-1 3-Major Very large core files may cause corrupted qkviews
629499-9 3-Major tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1 3-Major Any CSS content truncated at a quoted value leads to a segfault
628202-4 3-Major Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3 3-Major OSPF with multiple processes may incorrectly redistribute routes
628009-1 3-Major f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3 3-Major nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1 3-Major Unbundled 40GbE optics reporting as Unsupported Optic
627214-3 3-Major BGP ECMP recursive default route not redistributed to TMM
626839 3-Major sys-icheck error for /var/lib/waagent in Azure.
626721-5 3-Major "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2 3-Major SELinux: snmpd is denied access to tmstat files
625085 3-Major lasthop rmmod causes kernel panic
624361-1 3-Major Responses to some of the challenge JS are not zipped.
623930-3 3-Major vCMP guests with vlangroups may loop packets internally
623401-1 3-Major Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4 3-Major After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623119 3-Major Linux kernel vulnerability CVE-2016-4470
623055-1 3-Major Kernel panic during unic initialization
622183-5 3-Major The alert daemon should remove old log files but it does not.
621909-4 3-Major Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1 3-Major DSR tunnels with transparent monitors may cause TMM crash.
620659-3 3-Major The BIG-IP system may unnecessarily run provisioning on successive reboots
620366-4 3-Major Alertd can not open UDP socket upon restart
617628-1 3-Major SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1 3-Major Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1 3-Major Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3 3-Major Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1 3-Major Bootup script fails to run on a vCMP guest due to a missing reference file.
611658-3 3-Major "less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1 3-Major AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3 3-Major vCMP: VLAN failsafe does not trigger on guest
610417-1 3-Major Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7 3-Major Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3 3-Major iControl REST API sets a persistence profile's non-default property value to "none"; properties are missing from the iControl REST API response
604727-1 3-Major Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.
604237-3 3-Major Vlan allowed mismatch found error in VCMP guest
604061-2 3-Major Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1 3-Major qkview excludes files
598498-7 3-Major Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1 3-Major Stats query may generate an error when tmm on secondary is down
596067-2 3-Major GUI on VIPRION hangs on secondary blade reboot
590211-2 3-Major jitterentropy-rngd quietly fails to start
583754-7 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
562928-2 3-Major Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
557471-3 3-Major LTM Policy statistics showing zeros in GUI
543208-1 3-Major Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.
534520-1 3-Major qkview may exclude certain log files from /var/log
424542-5 3-Major tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2 3-Major Update/overwrite of FIPS keys error
643404-2 4-Minor "tmsh system software status" does not display properly in a specific cc-mode situation
636520-3 4-Minor Detail missing from power supply 'Bad' status log messages
633181-1 4-Minor A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5 4-Minor When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3 4-Minor Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2 4-Minor Timezone data on AOM not syncing with host
617901-1 4-Minor GUI to handle file path manipulation to prevent GUI instability.
609107-1 4-Minor mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
605420-5 4-Minor httpd security update - CVE-2016-5387
601268-5 4-Minor PHP vulnerability CVE-2016-5766
599191-2 4-Minor One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2 4-Minor ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1 4-Minor Traffic Group score formula does not result in unique values.
541550-3 4-Minor Defining more than 10 remote-role groups can result in authentication failure
541320-10 4-Minor Sync of tunnels might cause restore of deleted tunnels.
500452-8 4-Minor PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2 5-Cosmetic SSD Manufacturer "unavailable"
524277-2 5-Cosmetic Missing power supplies issue warning message that should be just a notice message.


Local Traffic Manager Fixes

ID Number Severity Description
651476 2-Critical bigd may core on non-primary bigd when FQDN in use
648715-2 2-Critical BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2 2-Critical Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2 2-Critical Path MTU discovery occasionally fails
640352-2 2-Critical Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1 2-Critical Memory leak in STREAM::expression iRule
637181-4 2-Critical VIP-on-VIP traffic may stall after routing updates
632685 2-Critical bigd memory leak for FQDN nodes on non-primary bigd instance
630475-5 2-Critical TMM Crash
630306-1 2-Critical TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1 2-Critical External datagroups with no metadata can crash tmm
628890-1 2-Critical Memory leak when modifying large datagroups
627403-2 2-Critical HTTP2 can crash tmm when stats are updated on abort of a new connection
626360 2-Critical TMM may crash when processing HTTP2 traffic
625198-1 2-Critical TMM might crash when TCP DSACK is enabled
624526-3 2-Critical TMM core in mptcp
622856-1 2-Critical BIG-IP may enter SYN cookie mode later than expected
621870-2 2-Critical Outage may occur with VIP-VIP configurations
620400-1 2-Critical TMM crash during TLS processing
619663-3 2-Critical Terminating of HTTP2 connection may cause a TMM crash
619528-4 2-Critical TMM may accumulate internal events resulting in TMM restart
619071-3 2-Critical OneConnect with verified accept issues
614509-1 2-Critical iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1 2-Critical TMM crashes when SSL forward proxy is enabled.
608304-1 2-Critical TMM crash on memory corruption
603667-2 2-Critical TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3 2-Critical Ephemeral pool members are getting deleted/created over and over again.
602136-5 2-Critical iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
601828-1 2-Critical An untrusted certificate can cause TMM to crash.
600982-5 2-Critical TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2 2-Critical TMM may crash in bigtcp due to null pointer dereference
597828-1 2-Critical SSL forward proxy crashes in some cases
596450-1 2-Critical TMM may produce a core file after updating SSL session ticket key
594642-3 2-Critical Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1 2-Critical MPTCP traffic handling may cause a BIG-IP outage
580026-5 2-Critical HSM logging error
557358-5 2-Critical TMM SIGSEGV and crash when memory allocation fails.
423629-3 2-Critical bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
651106 3-Major memory leak on non-primary bigd with changing node IPs
649571-1 3-Major Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990 3-Major Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4 3-Major DNSSEC key generations fail with lots of invalid SSL traffic
641360-2 3-Major SOCKS proxy protocol error
632324-2 3-Major PVA stats does not show correct connection number
629412-3 3-Major BIG-IP closes a connection when a maximum size window is attempted
627246-1 3-Major TMM memory leak when ASM policy configured on virtual
626386-1 3-Major SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3 3-Major LTM Policy with illegal rule name loses its conditions and actions during upgrade
625106-2 3-Major Policy Sync can fail over a lossy network
624616-1 3-Major Safenet uninstall is unable to remove libgem.so
620625-2 3-Major Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail
620079-3 3-Major Removing route-domain may cause monitors to fail
619849-4 3-Major In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2 3-Major iRules LX data not included in qkview
618428 3-Major iRules LX - Debug mode does not function in dedicated mode
618254-4 3-Major Non-zero Route domain is not always used in HTTP explicit proxy
617858-2 3-Major bigd core when using Tcl monitors
616022-2 3-Major The BIG-IP monitor process fails to process timeout conditions
613326-1 3-Major SASP monitor improvements
612694-5 3-Major TCP::close with no pool member results in zombie flows
610429-5 3-Major X509::cert_fields iRule command may leak memory with the subpubkey argument
610302-1 3-Major Link throughput graphs might be incorrect.
609244-4 3-Major tmsh show ltm persistence persist-records leaks memory
608551-3 3-Major Half-closed congested SSL connections with unclean shutdown might stall.
607152-1 3-Major Large Websocket frames corrupted
604496-4 3-Major SQL (Oracle) monitor daemon might hang.
603979-4 3-Major Data transfer from the BIG-IP system self IP might be slow
603723-2 3-Major TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1 3-Major Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8 3-Major Stuck nitrox crypto queue can erroneously be reported
600593-1 3-Major Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1 3-Major GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2 3-Major Under heavy load, hardware crypto queues may become unavailable.
592871-3 3-Major Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3 3-Major TMM crash in DNS processing on TCP virtual with no available pool members
589400-1 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4 3-Major The tmm might crash with a segfault.
584471-1 3-Major Priority order of clientssl profile selection of virtual server.
584310-1 3-Major TCP::collect ignores the 'skip' parameter when used in serverside events
584029-6 3-Major Fragmented packets may cause tmm to core under heavy load
582769-1 3-Major WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1 3-Major HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4 3-Major Syncookie mode is activated on wildcard virtuals
562267-3 3-Major FQDN nodes do not support monitor alias destinations.
517756-6 3-Major Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5 3-Major BIG-IP FastL4 profile vulnerability
419741-3 3-Major Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4 3-Major Route lookup after change in route table on established flow ignores pool members
660170-1 4-Minor tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1 4-Minor Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1 4-Minor bigd may falsely complain of a file descriptor leak when it cannot open its debug log file
611161-3 4-Minor VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1 4-Minor LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1 4-Minor Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5 4-Minor Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')


Performance Fixes

ID Number Severity Description
621115-1 2-Critical IP/IPv6 TTL/hoplimit may not be preserved for host traffic


Global Traffic Manager Fixes

ID Number Severity Description
642330-2 3-Major GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.
629530-2 3-Major Under certain conditions, monitors do not time out.
601180-2 3-Major Link Controller base license does not allow DNS namespace iRule commands.


Application Security Manager Fixes

ID Number Severity Description
646511-1 2-Critical BD crashes repeatedly after interrupted roll-forward upgrade
636397-1 2-Critical bd cores with persistent storage configured under some memory conditions.
634001-2 2-Critical ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1 2-Critical Crash with wrong certificate in WSS
625783-1 2-Critical Chassis sync fails intermittently due to sync file backlog
618771-1 2-Critical Some Social Security Numbers are not being masked
601378-2 2-Critical Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3 2-Critical BD daemon crashes unexpectedly
540928-1 2-Critical Memory leak due to unnecessary logging profile configuration updates.
640824-1 3-Major Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
635754-1 3-Major Wildcard URL pattern match works incorrectly in Traffic Learning
632344-2 3-Major POP DIRECTIONAL FORMATTING causes false positive
632326-2 3-Major relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1 3-Major ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1 3-Major Attack signature exception list upload times-out and fails
627360-1 3-Major Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
625832-4 3-Major A false positive modified domain cookie violation
622913-2 3-Major Audit Log filled with constant change messages
621524-2 3-Major Processing Timeout When Viewing a Request with 300+ Violations
620635-2 3-Major Request having upper case JSON login parameter is not detected as a failed login attempt
611151-2 3-Major An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245 3-Major Reporting missing parameter details when attack signature is matched against parameter value
581406-1 3-Major SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4 3-Major Information missing from ASM event logs after a switchboot and switchboot back
576591-6 3-Major Support for some future credit card number ranges
572885-1 3-Major Policy automatic learning mode changes to manual after failover
392121-3 3-Major TMSH Command to retrieve the memory consumption of the bd process
642874-1 4-Minor Ready to be Enforced filter for Policy Signatures returns too many signatures


Application Visibility and Reporting Fixes

ID Number Severity Description
634215-1 2-Critical False detection of attack after restarting dosl7d
573764-1 2-Critical In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system
642221-2 3-Major Incorrect entity is used when exporting TCP analytics from GUI
641574 3-Major AVR doesn't report on virtual and client IP in DNS statistics
635561-1 3-Major Heavy URLs statistics are not shown after upgrade.
631722 3-Major Some HTTP statistics not displayed after upgrade
605010-1 3-Major Thrift::TException error
560114-6 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze


Access Policy Manager Fixes

ID Number Severity Description
637308-8 2-Critical apmd may crash when HTTP Auth agent is used in an Access Policy
633349 2-Critical localdbmgr hangs and eventually crashes
632005-1 2-Critical BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2 2-Critical Edge client can fail to upgrade when always connected is selected
617310-2 2-Critical Edge client can fail to upgrade when Always Connected is selected
608424-2 2-Critical Dynamic ACL agent error log message contains garbage data
608408-2 2-Critical TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1 2-Critical CATEGORY::filetype command may cause tmm to crash and restart
643547-1 3-Major APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1 3-Major Per-request policy branch expression evaluation fails
638780-3 3-Major Handle 302 redirects for VMware Horizon View HTML5 client
636044-1 3-Major Large number of glob patterns affects custom category lookup performance
634576 3-Major TMM core in per-request policy
634252 3-Major TMM crash with per-request policy in SWG explicit
632504-1 3-Major APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1 3-Major APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1 3-Major Frequently logged "Silent flag set - fail" messages
632386-1 3-Major EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1 3-Major Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2 3-Major Access policy is applied automatically on the target device after policy sync when there is also a FODG in the trust domain.
629698-1 3-Major Edge client stuck on "Initializing" state
629069-2 3-Major Portal Access may delete scripts from HTML page in some cases
628687-2 3-Major Edge Client reconnection issues with captive portal
628685-2 3-Major Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2 3-Major Unable to save advanced customization when using Exchange iApp
627059-1 3-Major In some rare cases TMM may crash while handling VMware View client connection
626910-1 3-Major Policy with assigned SAML Resource is exported with error
625474-1 3-Major POST request body is not saved in session variable by access when request is sent using edge client
625159-1 3-Major Policy sync status not shown on standby device in HA case
624966-2 3-Major Edge client starts new APM session when Captive portal session expire
623562-3 3-Major Large POSTs rejected after policy already completed
622790-1 3-Major EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4 3-Major OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4 3-Major Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1 3-Major In some rare cases, VDI may crash
621210-2 3-Major Policy sync shows as aborted even if it is completed
621126-2 3-Major Import of config with saml idp connector with reuse causes certificate not found error
620829-2 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3 3-Major Access Policy is not able to check device posture for Android 7 devices
620614-4 3-Major Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1 3-Major HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2 3-Major Machine Cert OCSP check fails with multiple Issuer CA
619486-3 3-Major Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2 3-Major Browser may hang at APM session logout
618170-3 3-Major Some URL unwrapping functions can behave badly
617063-1 3-Major After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1 3-Major SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3 3-Major Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1 3-Major SSO logging level may cause failover
615254-2 3-Major Network Access Launch Application item fails to launch in some cases
612419-1 3-Major APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3 3-Major JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4 3-Major Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2 3-Major SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1 3-Major Access session 'Bytes In' and 'Bytes Out' are not updated (stay at 0) when accessed with an HTTP/2-enabled browser and an HTTP/2 profile attached.
595272-1 3-Major Edge client may show a window displaying plain text in some cases
591246-1 3-Major Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1 3-Major JavaScript: 'baseURI' property may be handled incorrectly
570217-2 3-Major BIG-IP APM now uses Airwatch v2 API to retrieve device posture information
533956-3 3-Major Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4 3-Major MS WebService html component doesn't work after rewriting
640521-1 4-Minor EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2 4-Minor Cannot reinitiate a sync on a target device when sync is completed
618404-1 4-Minor Access Profile copying might end up in invalid way if series of names.
606257-3 4-Minor TCP FIN sent with Connection: Keep-Alive header for webtop page resources


WebAccelerator Fixes

ID Number Severity Description
630661-2 3-Major WAM may leak memory when a WAM policy node has multiple variation header rules


Wan Optimization Manager Fixes

ID Number Severity Description
644970-1 2-Critical Editing a virtual server config loses SSL encryption on iSession connections
644489-1 3-Major Unencrypted iSession connection established even though data-encrypt configured in profile


Service Provider Fixes

ID Number Severity Description
639236-1 2-Critical Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3 2-Critical TMM cores in iRule when accessing a SIP header that has no value
569316-1 2-Critical Core occurs on standby in MRF when routing to a route using a transport config
649933-1 3-Major Fragmented RADIUS messages may be dropped
629663-1 3-Major CGNAT SIP ALG will drop SIP INVITE
625542-1 3-Major SIP ALG with Translation fails for REGISTER refresh.
625098-3 3-Major SCTP::local_port iRule not supported in MRF events
601255-4 3-Major RTSP response to SETUP request has incorrect client_port attribute


Advanced Firewall Manager Fixes

ID Number Severity Description
632731-2 2-Critical Specific external logging configuration can cause TMM service restart
628623-1 2-Critical tmm core with AFM provisioned
639193-1 3-Major On BIG-IP devices configured with Manual Sync, deleting a parent policy causes sync to fail.
631131-3 3-Major Some tmstat-adapter-based report stats are incorrect
631025-1 3-Major 500 internal error on inline rule editor for certain firewall policies
627907-1 3-Major Improve cURL usage
627747-1 3-Major Improve cURL Usage
626438-1 3-Major Frame is not showing in the browser and/or an error appears
614563-3 3-Major AVR TPS calculation is inaccurate
610129-3 3-Major Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5 3-Major tmm core on the standby unit with dos vectors configured
590805-4 3-Major Active Rules page displays a different time zone.
583024-1 3-Major TMM rarely restarts during startup
431840-3 3-Major Cannot add VLANs to whitelist if they contain a hyphen


Policy Enforcement Manager Fixes

ID Number Severity Description
627257-2 2-Critical Potential PEM crash during a Gx operation
626851-2 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
624744-1 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
624733-1 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
624228-1 2-Critical Memory leak when using insert action in pem rule and flow gets aborted
623922-5 2-Critical TMM failure in PEM while processing Service-Provider Disaggregation
641482-2 3-Major Subscriber remains in delete pending state until a CCR-t ack with a success result code is received
640510-3 3-Major BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2 3-Major Session Creation failure after HA
635233-3 3-Major Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1 3-Major PEM module crash when subscriber not found
627916-1 3-Major Improve cURL Usage
627798-3 3-Major Buffer length check for quota bucket objects
627279-2 3-Major Potential crash in a multi-blade chassis during CMP state changes.
623927-2 3-Major Flow entry memory leaked after DHCP DORA process
564281-3 3-Major TMM (debug) assert seen during Failover with Gy
628869-4 4-Minor Unconditional logs seen due to the presence of a PEM iRule.


Carrier-Grade NAT Fixes

ID Number Severity Description
609788 2-Critical PCP may pick an endpoint outside the deterministic mapping
642284 3-Major Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2 3-Major FTP ALG deployment should not rewrite PASV response 464 XLAT cases


Fraud Protection Services Fixes

ID Number Severity Description
639750-1 2-Critical Username aliases are not supported
636370 3-Major Application Layer Encryption AJAX support
629627-1 3-Major FPS Log Publisher is not grouped nor filtered by partition
629127-1 3-Major Parent profiles cannot be saved using FPS GUI
628348-1 3-Major Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1 3-Major Forcing a single injected tag configuration is restrictive
625275-1 3-Major Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1 3-Major Unable to add multiple User-Defined alerts with the same search category
623518-1 3-Major Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2 3-Major Pages using Angular may hang when Websafe is enabled
635541 4-Minor "Application CSS Locations" is not inherited if changing parent profile


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
642039-2 2-Critical TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2 2-Critical iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
640903-1 3-Major Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4 3-Major DNS::query can cause tmm crash if AXFR/IXFR types specified.
628897-1 3-Major Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4 3-Major The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1 3-Major Response Policy Zones can trigger even after entry removed from zone
624193-2 3-Major Topology load balancing not working as expected
623023-1 3-Major Unable to set DNS Topology Continent to Unknown via GUI
621239-2 3-Major Certain DNS queries bypass DNS Cache RPZ filter.
620215-5 3-Major TMM out of memory causes core in DNS cache
619398-7 3-Major TMM out of memory causes core in DNS cache
612769-1 3-Major Added better search capabilities on the Pool Members Manage page.
557434-4 3-Major After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1 5-Cosmetic Remove managers' create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology (these operations error incorrectly and return a database error when performed)


Traffic Classification Engine Fixes

ID Number Severity Description
625172-1 2-Critical tmm crashes when classification is enabled and FTP traffic is flowing through the box
631472-1 3-Major Resetting classification signatures to default may result in non-working configuration


Device Management Fixes

ID Number Severity Description
606518-3 2-Critical iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
642983-1 3-Major Update to max message size limit doesn't work sometimes
641445-1 3-Major iControl improvements
629845-2 3-Major Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2 3-Major Unable to set maxMessageBodySize in iControl REST after upgrade



Cumulative fixes from BIG-IP v12.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
618306-2 CVE-2016-9247 K33500120 TMM vulnerability CVE-2016-9247
613282-2 CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 K15311661 NodeJS vulnerability CVE-2016-2086
611469-3 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2 CVE-2016-9252 K46535047 Improper handling of IP options
591328-7 CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-8 CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109
591042-17 CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 K23230229 OpenSSL vulnerabilities
618549-1 CVE-2016-9249 K71282001 Fast Open can cause TMM crash CVE-2016-9249
618263-1 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
607314-1 CVE-2016-3500, CVE-2016-3508 K25075696 Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
601059-6 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 K14614344 libxml2 vulnerability CVE-2016-1840
597023-1 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
595242-1 CVE-2016-3705 K54225343 libxml2 vulnerabilities CVE-2016-3705
595231-1 CVE-2016-3627 K54225343 libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1 CVE-2016-4539 K35240323 PHP vulnerability CVE-2016-4539
593447-1 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
592485 CVE-2015-5157 CVE-2015-8767 K17326 Linux kernel vulnerability CVE-2015-5157
591358-1 CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 K81223200 Oracle Java SE vulnerability CVE-2016-3425
585424-1 CVE-2016-1979 K20145801 Mozilla NSS vulnerability CVE-2016-1979
580747-1 CVE-2016-0739 K57255643 libssh vulnerability CVE-2016-0739
597010-1 CVE-2016-4955 K03331206 NTP vulnerability CVE-2016-4955
596997-1 CVE-2016-4956 K64505405 NTP vulnerability CVE-2016-4956
591767-8 CVE-2016-1547 K11251130 NTP vulnerability CVE-2016-1547
591438-7 CVE-2015-8865 K54924436 PHP vulnerability CVE-2015-8865
573343-1 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Description
615377-3 3-Major Unexpected rate limiting of unreachable and ICMP messages for some addresses.
599536-1 3-Major IPsec peer with wildcard selector brings up wrong phase2 SAs
590122-2 3-Major Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2 3-Major Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7 3-Major krb5.conf file is not synchronized between blades and not backed up
541549-2 3-Major AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3 3-Major OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1 3-Major System continues to process virtual server traffic after disabling virtual address
599839-3 4-Minor Add new keywords to SIP::persist command to specify how the persistence table is updated
591733-4 4-Minor Save on Auto-Sync is missing from the configuration utility.


TMOS Fixes

ID Number Severity Description
625784 1-Blocking TMM crash on BIG-IP i4x00 and i2x00 with large ASM configuration.
617622 1-Blocking In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422 2-Critical i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1 2-Critical Assert on deletion of paired in-and-out IPsec traffic selectors
617481-1 2-Critical TMM can crash when HTML minification is configured
616864-1 2-Critical BIND vulnerability CVE-2016-2776
614865-5 2-Critical Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1 2-Critical TMM crash on invalid memory access to loopback interface stats object
605476-3 2-Critical istatsd can core when reading corrupt stats files.
601527-4 2-Critical mcpd memory leak and core
600894-1 2-Critical In certain situations, the MCPD process can leak memory
598748 2-Critical IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1 2-Critical vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created
595712-1 2-Critical Not able to add remote user locally
591495-2 2-Critical vCMP guest sFlow agent can crash due to duplicate VLAN interface indices
591104-1 2-Critical ospfd cores due to an incorrect debug statement.
588686 2-Critical High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3 2-Critical bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2 2-Critical sod core during upgrade from 10.x to 12.x.
583936-5 2-Critical Removing ECMP route from BGP does not clear route from NSM
560109-7 2-Critical Client capabilities failure
557680-4 2-Critical Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7 2-Critical Starting mcpd manually at the command line interferes with running mcpd
622877-1 3-Major i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199 3-Major sys-icheck reports error with /var/lib/waagent
622194 3-Major sys-icheck reports error with ssh_host_rsa_key
621423 3-Major sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1 3-Major Reserve enough space in the image for future upgrades.
621225 3-Major LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782 3-Major Azure cloud now supports hourly billing
619410-1 3-Major TMM hardware accelerated compression not registering for all compression levels.
617986-2 3-Major Memory leak in snmpd
617229-1 3-Major Local policy rule descriptions disappear when policy is re-saved
616242-3 3-Major basic_string::compare error in encrypted SSL key file if the first line of the file is blank
614530-2 3-Major Dynamic ECMP routes missing from Linux host
614180-1 3-Major ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3 3-Major When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1 3-Major sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1 3-Major sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3 3-Major Not possible to do targeted failover with HA Group configured
605894-3 3-Major Remote authentication for BIG-IP users can fail
603149-2 3-Major Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8 3-Major Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2 3-Major Unable to view the SSL Cert list from the GUI
601989-3 3-Major Remote LDAP system authenticated username is case sensitive
601893-2 3-Major TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.
601502-4 3-Major Excessive OCSP traffic
600558-5 3-Major Errors logged after deleting user in GUI
599816-2 3-Major Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1 3-Major Temporary files from TMSH not being cleaned up intermittently.
598039-6 3-Major MCP memory may leak when performing a wildcard query
597729-5 3-Major Errors logged after deleting user in GUI
596104-1 3-Major HA trunk unavailable for vCMP guest
595773-4 3-Major Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2 3-Major Audit forwarding Radius packets may be rejected by Radius server
592870-2 3-Major Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5 3-Major ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
591455-7 3-Major NTP vulnerability CVE-2016-2516
589083-2 3-Major TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585833-3 3-Major Qkview will abort if /shared partition has less than 2GB free space
585547-1 3-Major NTP configuration items are no longer collected by qkview
585485-3 3-Major Interoperability with "delete IPSEC-SA" between Azure, ASA and BIG-IP
584583-3 3-Major Timeout error when attempting to retrieve large dataset.
583285-5 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1 3-Major BWC policy in device sync groups.
580500-1 3-Major /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5 3-Major bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
576305-7 3-Major Potential MCPd leak in IPSEC SPD stats query code
575649-5 3-Major MCPd might leak memory in IPFIX destination stats query
575591-6 3-Major Potential MCPd leak in IKE message stats query code
575589-5 3-Major Potential MCPd leak in IKE event stats query code
575587-7 3-Major Potential MCPd leak in BWC policy class stats query code
575176-1 3-Major SYN cookie cache statistics on ePVA-enabled devices are incremented with UDP traffic
575066-1 3-Major Management DHCP settings do not take effect
570818-4 3-Major Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1 3-Major Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4 3-Major Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7 3-Major Differing certificate/key after successful config-sync
547479-5 3-Major Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1 3-Major Creating local user for previously remote user results in incomplete user definition.
540872-1 3-Major Config sync fails after creating a partition.
527206-5 3-Major Management interface may flap due to LOP sync error
393270-1 3-Major Configuration utility may become non-responsive or fail to load.
618421 4-Minor Some mass storage is left unused
617124 4-Minor Cannot map hardware type (12) to HardwareType enumeration
591447-1 4-Minor PHP vulnerability CVE-2016-4070
581835-1 4-Minor Command failing: tmsh show ltm virtual vs_name detail.
567546-1 4-Minor Files with file names larger than 100 characters are omitted from qkview
564771-1 4-Minor cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2 4-Minor cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4 4-Minor Misleading error message in catalina.out when listing certificates.
551349-5 4-Minor Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
460833-5 4-Minor MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
442231-4 5-Cosmetic Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Description
618905-1 1-Blocking tmm core while installing Safenet 6.2 client
616215-4 2-Critical TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1 2-Critical L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1 2-Critical TMM may crash if a disable policy action for 'LTM Policy' is not last
609628-2 2-Critical CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6 2-Critical Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1 2-Critical Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2 2-Critical TMM may crash when in Fallback state.
607524-2 2-Critical Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5 2-Critical Safenet 6.2 library missing after upgrade
606573-3 2-Critical FTP traffic does not work through SNAT when configured without Virtual Server
605865-4 2-Critical Debug TMM produces core on certain ICMP PMTUD packets
604133-2 2-Critical Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1 2-Critical clientssl profiles with sni-default enabled may leak X509 objects
602326-1 2-Critical Intermittent pkcs11d core when installing Safenet 6.2 software
599135-2 2-Critical B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2 2-Critical TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5 2-Critical IPv6 fragments are dropped when packet filtering is enabled.
586449-1 2-Critical Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1 2-Critical Transparent HTTP profiles cannot have iRules configured
575011-1 2-Critical Memory leak. Nitrox3 Hang Detected.
574880-3 2-Critical Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3 2-Critical L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3 2-Critical ASSERT in CSP in packet_reuse
459671-4 2-Critical iRules that source different procs from different partitions execute the incorrect proc.
617862-2 3-Major Fastl4 handshake timeout is absolute instead of relative
617824-3 3-Major "SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1 3-Major VDI plugin-initiated connections may select inappropriate SNAT address
614147-1 3-Major SOCKS proxy defect resolution
614097-1 3-Major HTTP Explicit proxy defect resolution
613429-2 3-Major Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4 3-Major Half-Open TCP Connections Not Discoverable
613079-4 3-Major Diameter monitor watchdog timeout fires after only 3 seconds
613065-1 3-Major User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4 3-Major Statistics added for all crypto queues
611320-3 3-Major Mirrored connection on Active unit of HA pair may be unexpectedly torn down
610609-3 3-Major Total connections in bigtop, SNMP are incorrect
608024-3 3-Major Unnecessary DTLS retransmissions occur during handshake.
607803-3 3-Major DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5 3-Major TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3 3-Major Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6 3-Major Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2 3-Major TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2 3-Major Wrong alert when DTLS cookie size is 32
603236-1 3-Major 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1 3-Major Add zLib compression
602366-1 3-Major Safenet 6.2 HA performance
602358-5 3-Major BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
601496-4 3-Major iRules and OCSP Stapling
601178-6 3-Major HTTP cookie persistence 'preferred' encryption
598874-2 3-Major GTM Resolver sends FIN after SYN retransmission timeout
597978-2 3-Major GARPs may be transmitted by active going offline
597879-1 3-Major CDG Congestion Control can lead to instability
597532-1 3-Major iRule: RADIUS avp command returns a signed integer
597089-8 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6 3-Major In rare cases, connections may fail to expire
592784-2 3-Major Compression stalls, does not recover, and compression facilities cease.
592497-1 3-Major Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7 3-Major Stuck crypto queue can erroneously be reported
591343-5 3-Major SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1 3-Major TMM crash and core dump when processing SSL protocol alert.
588115-1 3-Major TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3 3-Major SSL resumed connections may fail during mirroring
587016-3 3-Major SIP monitor in TLS mode marks pool member down after positive response.
585813-3 3-Major SIP monitor with TLS mode fails to find cert and key files.
585412-4 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1 3-Major Cannot generate key after SafeNet HSM is rebooted
580303-5 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579843-1 3-Major tmrouted may not re-announce routes after a specific succession of failover states
579371-4 3-Major BIG-IP may generate ARPs after transition to standby
578951-2 3-Major TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5 3-Major Variable value in the nested script of a foreach command gets reset when there is a parking command in the script
570057-2 3-Major Can't install more than 16 SafeNet HSMs in an HA group
569288-6 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4 3-Major CPU Usage increases when using masquerade addresses
551208-6 3-Major Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4 3-Major Networking devices might block a packet that has a TTL value higher than 230.
545796-5 3-Major [iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5 3-Major Log activation/deactivation of TM.TCPMemoryPressure
537553-8 3-Major tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4 3-Major Dynamically discovered routes might fail to remirror connections.
530266-7 3-Major Rate limit configured on a node can be exceeded
506543-5 3-Major Disabled ephemeral pool members continue to receive new connections
483953-1 3-Major Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7 3-Major Memory leak with multiple client SSL profiles.
464801-3 3-Major Intermittent tmm core
423392-6 3-Major tcl_platform is no longer in the static:: namespace
371164-1 3-Major BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.
225634-1 3-Major The rate class feature does not honor the Burst Size setting.
598860-4 4-Minor IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2 4-Minor SMB monitor fails due to internal configuration issue
560471-1 4-Minor Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
557190-3 4-Minor 'packet_free: double free!' tmm core
544033-5 4-Minor Fragmented ICMP Echo to Virtual Address may not receive response
222034-4 4-Minor HTTP::respond in LB_FAILED with large header/body might result in truncated response


Performance Fixes

ID Number Severity Description
510631-1 3-Major B4450 L4 No ePVA or L7 throughput lower than expected


Global Traffic Manager Fixes

ID Number Severity Description
603598-3 2-Critical big3d memory under extreme load conditions
587656-2 2-Critical GTM auto discovery problem with EHF for ID574052
587617-1 2-Critical While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2 3-Major The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1 3-Major QOS load balancing links display as gray
613045-7 3-Major Interaction between GTM and 10.x LTM results in some virtual servers marked down
589256-1 3-Major DNSSEC NSEC3 records with different type bitmap for same name.
588289-1 3-Major GTM is re-ordering pools when adding a pool including order designation
584623-2 3-Major Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4 3-Major GTM autoconf can cause high CPU usage for gtmd
370131-4 3-Major Loading UCS with low GTM Autoconf Delay drops pool Members from config


Application Security Manager Fixes

ID Number Severity Description
609499-1 2-Critical Compiled signature collections use more memory than prior versions
603945-2 2-Critical BD config update should be considered as config addition in case of update failure
588087-1 2-Critical Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2 2-Critical IP exceptions may have issues with route domain
575133-1 2-Critical asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1 3-Major Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
616169 3-Major ASM Policy Export returns HTML error file
613396-1 3-Major Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1 3-Major "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
609496-2 3-Major Improved diagnostics in BD config update (bd_agent) added
608509-1 3-Major Policy learning is slow under high load
604923-5 3-Major REST id for Signatures change after update
604612-1 3-Major Modified ASM cookie violation happens after upgrade to 12.1.x
602221-2 3-Major Wrong parsing of redirect Domain
584642-1 3-Major Apply Policy Failure
584103-2 3-Major FPS periodic updates (cron) write errors to log
582683-2 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
582133-1 3-Major Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1 3-Major Selenium detection not blocked
579917-1 3-Major User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1 3-Major Error when loading Upgrade UCS
521204-2 3-Major Include default values in XML Policy Export


Application Visibility and Reporting Fixes

ID Number Severity Description
602654-2 2-Critical TMM crash when using AVR lookups
602434-1 2-Critical TMM crash with compressed response
601056 2-Critical TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735 3-Major TCP Analytics statistics do not list all virtual servers
618944-1 3-Major AVR statistics are not saved during the upgrade process
601035 3-Major TCP-Analytics can fail to collect all the activity


Access Policy Manager Fixes

ID Number Severity Description
618506 2-Critical TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1 2-Critical Unknown/Undefined OPSWAT IDs show up as 'Any' in APM Visual Policy Editor
592868-3 2-Critical Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3 2-Critical APM ACL construction may cause TMM to core if TMM is out of memory
569563-3 2-Critical Sockets resource leak after loading complex policy
619250-1 3-Major Returning to main menu from "RSS Feed" breaks ribbon
617187-1 3-Major APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2 3-Major Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2 3-Major Incorrect handling of form that contains a tag with id=action
611922-1 3-Major Policy sync fails with policy that includes custom CA Bundle.
611240-3 3-Major Import of config with securid might fail
610224-3 3-Major APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1 3-Major AAA RADIUS system authentication fails on IPv6 network
604767-1 3-Major Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1 3-Major POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3 3-Major DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3 3-Major APM ACL does not get enforced all the time under certain conditions
598211-1 3-Major Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2 3-Major VPN establishment may fail when computer wakes up from sleep
596116-3 3-Major LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1 3-Major SWG Custom Category: unable to have a URL in multiple custom categories
594288-1 3-Major Access profile configured with SWG Transparent results in memory leak.
592414-4 3-Major IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1 3-Major encryption_key in access config is NULL in whitelist
591590-1 3-Major APM policy sync results are not persisted on target devices
591268-1 3-Major VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3 3-Major Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3 3-Major Empty URI rewriting is not done as required by browser.
586718-1 3-Major Session variable substitutions are logged
586006-1 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3 3-Major VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1 3-Major NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3 3-Major Macrocall could be topologically not connected with the rest of policy.
582526-3 3-Major Unable to display and edit huge policies (more than 4000 elements)
580893-2 3-Major Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3 3-Major flash.utils.Proxy functionality is not negotiated
572558-1 3-Major Internet Explorer: incorrect handling of document.write() to closed document
569309-3 3-Major Clientside HTML parser does not recognize HTML event attributes without value
562636-2 3-Major Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11 3-Major DTLS renegotiation sequence number compatibility
455975-1 3-Major Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6 3-Major OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1 3-Major Multidomain SSO requires a default pool be configured
238444-3 3-Major An L4 ACL has no effect when a layered virtual server is used.
605627 4-Minor Selinux denial seen for apmd when it is being shutdown.
584373-2 4-Minor AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1 4-Minor Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1 4-Minor Full Webtop resources appear overlapping in IE11 compatibility mode


Wan Optimization Manager Fixes

ID Number Severity Description
619757-1 2-Critical iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Description
613297-3 2-Critical Default generic message routing profile settings may core
612135-3 2-Critical Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2 2-Critical tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
596631-2 2-Critical SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5 3-Major BIG-IP drops ACKs containing no max-forwards header
609328-3 3-Major SIP Parser incorrectly parses empty header
607713-3 3-Major SIP Parser fails on a header with multiple sequential separators inside a quoted string.
603019-3 3-Major Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5 3-Major Persistence entries not added if message is routed via an iRule
598854-3 3-Major sipdb tool incorrectly displays persistence records without a pool name
598700-6 3-Major MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3 3-Major Branch parameter in inserted VIA header not consistent as per spec
583010-4 3-Major Sending a SIP invite with "tel" URI fails with a reset
578564-4 3-Major ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4 3-Major ADAPT recursive loop when handling successive iRule events
566576-6 3-Major ICAP/OneConnect reuses connection while previous response is in progress
401815-1 3-Major IP ToS not passing through with SIP LB
585807-2 4-Minor 'ICAP::method <method>' iRule is documented but is read-only
561500-4 4-Minor ICAP Parsing improvement


Advanced Firewall Manager Fixes

ID Number Severity Description
612874-1 2-Critical iRule with FLOW_INIT stage execution can cause TMM restart
609095-1 2-Critical mcpd memory grows when updating firewall rules
622281-1 3-Major Network DoS logging configuration change can cause TMM crash
621808-1 3-Major Proactive Bot Defense failing in IE11 with Compatibility View enabled
614284-2 3-Major Performance fix to not reset a data structure in the packet receive hotpath.
613459-1 3-Major Non-common browsers blocked by Proactive Bot Defense
610857-1 3-Major DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1 3-Major FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
608566-1 3-Major The reference count of NW dos log profile in tmm log is incorrect
606875-1 3-Major DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
605427-1 3-Major TMM may crash when adding and removing virtual servers with security log profiles
601924-1 3-Major Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1 3-Major Unable to force Bot Defense action to Allow in iRule
594869-4 3-Major AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2 3-Major Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070 3-Major 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1 3-Major FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
501892-1 3-Major Selenium is not detected by headless mechanism when using client version without server


Policy Enforcement Manager Fixes

ID Number Severity Description
609005-2 1-Blocking Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3 2-Critical TMM coredump at dhcpv4_server_set_flow_key().
608009-1 2-Critical Crash: Tmm crashing when active system connections are deleted from cli
603825-2 2-Critical Crash when a Gy update message is received by a debug TMM
593070-2 2-Critical TMM may crash with multiple IP addresses per session
472860-5 2-Critical RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2 3-Major After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2 3-Major Disruption during manipulation of PEM data with suspected flow irregularity
618657-4 3-Major Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3 3-Major tmm core using PEM
608742-2 3-Major DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.
608591-1 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5 3-Major DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3 3-Major PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5 3-Major DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime


Carrier-Grade NAT Fixes

ID Number Severity Description
606066-2 2-Critical LSN_DELETE messages may be lost after HA failover
605525-1 2-Critical Deterministic NAT combined with NAT64 may cause a TMM core
587106-1 2-Critical Inbound connections are reset prematurely when zombie timeout is configured.
602171-1 3-Major TMM may core when remote LSN operations time out


Fraud Protection Services Fixes

ID Number Severity Description
617648 2-Critical Surfing with IE8 sometimes results with script error
603234-3 2-Critical Performance Improvements
597471 2-Critical Some Alerts are sent with outdated username value
617688 3-Major Encryption is not activated unless "real-time encryption" is selected
613671-2 3-Major Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2 3-Major FPS generated request failure throw "unspecified error" error in old IE.
609098-1 3-Major Improve details of ajax failure
604885-1 3-Major Redirect/Route action doesn't work if there is an alert logging iRule
601083-1 3-Major FPS Globally Forbidden Words lists freeze in IE 11
588058-3 3-Major False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1 4-Minor Add the ability to control dropping of alerts by before-load-function
605125-2 4-Minor Sometimes, passwords fields are readonly
592274-3 4-Minor RAT-Detection alerts sent with incorrect duration details


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
607658-1 3-Major GUI becomes unresponsive when managing GSLB Pool


Anomaly Detection Services Fixes

ID Number Severity Description
588405-1 3-Major BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1 4-Minor Greylist (bad actors list) is not cleaned when attack ends


Traffic Classification Engine Fixes

ID Number Severity Description
624370-1 2-Critical tmm crash during classification hitless upgrade if virtual server configuration is modified


Device Management Fixes

ID Number Severity Description
621401 3-Major When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load


iApp Technology Fixes

ID Number Severity Description
615824-1 3-Major REST API calls to invalid REST endpoint log level change



Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
613127-3 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
612564 1-Blocking mysql does not start
618382-4 2-Critical qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1 3-Major lsusb uses unknown ioctl and spams kernel logs
612952-1 3-Major PSU FW revision not displayed correctly
611352 3-Major Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307 3-Major Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325 3-Major Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1 3-Major i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1 3-Major On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2 3-Major Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1 3-Major LCD might display incorrect output.
521270-1 3-Major Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6 3-Major Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1 4-Minor Dossier warning 14
607857-1 4-Minor Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1 4-Minor Switch interfaces may seem up after bcm56xxd goes down
602061 4-Minor i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309 4-Minor Locator LED no longer persists across reboots
592716-1 4-Minor BMC timezone value was not being synchronized by BIG-IP


Local Traffic Manager Fixes

ID Number Severity Description
597708-4 3-Major Stats are unavailable and VCMP state and status is incorrect



Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
598294-1 CVE-2016-7472 K17119920 BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
542097-4 2-Critical Update to RHEL6 kernel
601927-1 4-Minor Security hardening of control plane


Local Traffic Manager Fixes

ID Number Severity Description
602653-1 2-Critical TMM may crash after updating bot-signatures
599769 2-Critical TMM may crash when managing APM clients.
605682-2 3-Major With forward proxy enabled, sometimes the client connection will not complete.
599054-2 3-Major LTM policies may incorrectly use those of another virtual server


Application Security Manager Fixes

ID Number Severity Description
585120-1 2-Critical Memory leak in bd under rare scenario


Application Visibility and Reporting Fixes

ID Number Severity Description
596674-2 2-Critical High memory usage when using CS features with gzip HTML responses.
575170-2 2-Critical Analytics reports may not identify virtual servers correctly
590074-1 3-Major Wrong value for TCP connections closed measure


Fraud Protection Services Fixes

ID Number Severity Description
603997 2-Critical Plugin should not inject nonce to CSP header with unsafe-inline
594910-1 3-Major FPS flags no cookie when length check fails
590608-1 3-Major Alert is not redirected to alert server when unseal fails
590578-4 3-Major False positive "URL error" alerts on URLs with GET parameters
593355 4-Minor FPS may erroneously flag missing cookie
589318-1 4-Minor Clicking 'Customize All' checkbox does not work.


iApp Technology Fixes

ID Number Severity Description
603605-1 2-Critical Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2 3-Major Some iApp LX packages will not be saved during upgrade or UCS save/restore



Cumulative fixes from BIG-IP v12.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
596488-1 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
579955-6 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
570697-1 CVE-2015-8138 K71245322 NTP vulnerability CVE-2015-8138
580340-1 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-1 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579829-7 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579085-6 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-1 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
569355-1 CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 K50118123 Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1 CVE-2015-3217 K17235 Multiple PCRE Vulnerabilities
570667-2 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities


Functional Change Fixes

ID Number Severity Description
600811-2 3-Major CATEGORY::lookup command change in behaviour


TMOS Fixes

ID Number Severity Description
606509-4 2-Critical Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover
595605 2-Critical Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail
591119 2-Critical OOM with session messaging may result in TMM crash
579210 2-Critical VIPRION B4400N blades might fail to go Active under rare conditions.
601076 3-Major Fix watchdog event for accelerated compression request overflow
597303 3-Major "tmsh create net trunk" may fail
595693 3-Major Incorrect PVA indication on B4450 blade
591261 3-Major BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1 3-Major New HA Pair created using serial cable failover only will remain Active/Active
589661 3-Major PS2 power supply status incorrect after removal
588327 3-Major Observe "err bcm56xxd"-like log messages in /var/log/ltm
587735 3-Major False alarm on LCD indicating bad fan
587668 3-Major LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332 3-Major Virtual Edition network settings aren't pinned correctly on startup
584670 3-Major Output of tmsh show sys crypto master-key
584661 3-Major Last good master key
584655 3-Major platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177 3-Major LCD text truncated by heartbeat icon on VIPRION
581945-2 3-Major Device-group "datasync-global-dg" becomes out-of-sync every hour
581811 3-Major The blade alarm LED may not reflect the warning that non F5 optics is used.
579529 3-Major Stats file descriptors kept open in spawned child processes
578064 3-Major tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blades
578036-1 3-Major incorrect crontab can cause large number of email alerts
573584 3-Major CPLD update success logs at the same error level as an update failure
563592 3-Major Content diagnostics and LCD
555039-4 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360 3-Major Firmware update that includes might take over 15 minutes. Do not turn off device.
526708 3-Major system_check shows fan=good on removed PSU of 4000 platform
433357 3-Major Management NIC speed reported as 'none'
400778 3-Major Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550 3-Major LCD listener error during shutdown
587780 4-Minor warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986 4-Minor Powered down DC PSU is treated as not-present
418009 5-Cosmetic Hardware data display inaccuracies


Local Traffic Manager Fixes

ID Number Severity Description
603700 2-Critical tmm core on multiple SSL::disable calls
598052-1 2-Critical SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139 2-Critical TMM QAT segfault after zlib/QAT compression conflation.
585654 2-Critical Enhanced implementation of AES in Common Criteria mode
579953 2-Critical Updated the list of Common Criteria ciphersuites
584926-1 3-Major Accelerated compression segfault when devices are all in error state.
566342 3-Major Cannot set 10T-FD or 10T-HD on management port


Performance Fixes

ID Number Severity Description
599803 1-Blocking TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2 2-Critical apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond


Application Security Manager Fixes

ID Number Severity Description
588049-1 2-Critical Improve detection of browser capabilities
585352-2 2-Critical bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1 2-Critical BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2 3-Major High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1 3-Major Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1 3-Major Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4 3-Major ASM policy creation fails after upgrading


Access Policy Manager Fixes

ID Number Severity Description
587419-1 3-Major TMM may restart when SAML SLO is performed after APM session is closed
585442-2 3-Major Provisioning APM to "none" creates a core file


Advanced Firewall Manager Fixes

ID Number Severity Description
596809-1 3-Major It is possible to create ssh rules with blank space for auth-info
593925-1 3-Major ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1 3-Major Sync fails when deleting an ssh profile


Carrier-Grade NAT Fixes

ID Number Severity Description
584921-1 2-Critical Inbound connections fail to keep port block alive


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
581824-2 3-Major "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.



Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-9 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1 CVE-2013-0169 CVE-2016-6907 K14190 K39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
604211-1 2-Critical License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.
600859-2 2-Critical Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.
599033-5 2-Critical Traffic directed to incorrect instance after network partition is resolved
595394-3 2-Critical Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
606110-2 3-Major BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4 3-Major HA Failover fails in certain valid AWS configurations
596603-2 3-Major AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.


Application Security Manager Fixes

ID Number Severity Description
600357-2 3-Major bd crash when asm policy is removed from virtual during specific configuration change



Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
591806-8 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
569467-5 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591918-2 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-2 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-2 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-1 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716


Functional Change Fixes

ID Number Severity Description
583631-2 1-Blocking ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993 3-Major Unable to load configs from /usr/libexec/aws/.
576478 3-Major Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477 3-Major New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.


TMOS Fixes

ID Number Severity Description
591039 2-Critical DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779 2-Critical Rest API - log profile in json return does not include the partition but needs to
588140 2-Critical Pool licensing fails in some KVM/OpenStack environments
587791-1 2-Critical Set execute permission on /var/lib/waagent
565137 2-Critical Pool licensing fails in some KVM/OpenStack environments.
554713-2 2-Critical Deployment failed: Failed submitting iControl REST transaction
592363 3-Major Remove debug output during first boot of VE
592354 3-Major Raw sockets are not enabled on Cloud platforms


Local Traffic Manager Fixes

ID Number Severity Description
592699-3 2-Critical IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1 3-Major Connection hangs when processing large compressed responses from server
592854-1 3-Major Protocol version set incorrectly on serverssl renegotiation
592682-1 3-Major TCP: connections may stall or be dropped
531979-6 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.


Application Visibility and Reporting Fixes

ID Number Severity Description
582629-1 2-Critical User Sessions lookups are not cleared, session stats show marked as invalid


Access Policy Manager Fixes

ID Number Severity Description
590601-2 3-Major BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1 3-Major The "ACCESS::session create" iRule command does not work
590345-1 3-Major ACCESS policy running iRule event agent intermittently hangs
585905-1 3-Major Citrix Storefront integration mode with pass-through authentication fails
581834-5 3-Major Firefox signed plugin for VPN, Endpoint Check, etc


Anomaly Detection Services Fixes

ID Number Severity Description
588399-1 3-Major BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1 3-Major Multiple 'Loading state for virtual server' messages in admd.log
569121-1 3-Major Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1 4-Minor Bad actor quarantining


Traffic Classification Engine Fixes

ID Number Severity Description
590795-1 2-Critical tmm crash when loading default signatures or updating classification signature


Cumulative fix details for BIG-IP v12.1.2 Hotfix 1 that are included in this release

660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured and 3/4 of the VLAN failsafe timeout has expired, tmm generates ICMP traffic to provoke a network response. While doing so, the system might crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/NDP traffic for 3/4 of the timeout (67.5 seconds with a 90-second timeout).
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To make any received frame reset the VLAN failsafe timer (instead of only ARP/NDP traffic), run the following command with VLAN failsafe enabled:
 tmsh modify sys db failover.vlanfailsafe.resettimeronanyframe value enable

This setting increases the confidence that a timeout expiry reflects a real traffic disruption rather than a merely quiet VLAN.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
TMM is no longer exposed to a crash when it generates ICMP traffic to provoke a network response on an expiring VLAN failsafe timer, whether the cause is an invalid configuration or a completely quiet network. The fix applies to the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).


655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH sessions be rekeyed at least every hour.

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be given the same behavior by adding the same RekeyLimit line to /config/ssh/ssh_config, or by passing it on the command line when invoking the ssh client (for example, ssh -o 'RekeyLimit 256M 3600s' host).

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.
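The workaround above only helps if the RekeyLimit line actually carries a time bound, and OpenSSH honours the first RekeyLimit it finds, so a later line cannot override an earlier data-only one. The following added example (not F5 code, not part of these release notes) parses the RekeyLimit directive as documented in sshd_config(5) and reports whether a configuration rekeys on elapsed time within a given bound. The sample configurations are constructed for the example.

```python
"""Check that an sshd_config enforces time-based rekeying.

Added example for this page, not F5 tooling: it parses the OpenSSH
RekeyLimit directive (data [time]) as documented in sshd_config(5) and
reports whether a time bound of at most `max_seconds` is present.
"""
import re

# Suffix multipliers from sshd_config(5): data in K/M/G, time in s/m/h/d/w.
_DATA_UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _scaled(token, units):
    """Turn '256M' / '3600s' / '1h' into an integer using the given units."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]?)", token)
    if not m or m.group(2).lower() not in units:
        raise ValueError(f"bad RekeyLimit argument: {token!r}")
    return int(m.group(1)) * units[m.group(2).lower()]


def parse_rekey_limit(config_text):
    """Return (data, time_seconds) from the effective RekeyLimit line.

    sshd uses the first RekeyLimit it reads and ignores later ones, so this
    stops at the first match.  `data` is an int in bytes or the string
    "default"; either field is None when not set.
    """
    for raw in config_text.splitlines():
        # Strip comments; sshd also accepts 'keyword=value' with one '='.
        line = raw.split("#", 1)[0].replace("=", " ", 1).strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "rekeylimit":
            continue
        data_tok = parts[1].lower()
        data = "default" if data_tok == "default" else _scaled(data_tok, _DATA_UNITS)
        time_s = None
        if len(parts) >= 3 and parts[2].lower() != "none":
            time_s = _scaled(parts[2].lower(), _TIME_UNITS)
        return data, time_s
    return None, None


def rekey_interval_ok(config_text, max_seconds=3600):
    """True when the config rekeys on elapsed time within max_seconds."""
    _, time_s = parse_rekey_limit(config_text)
    return time_s is not None and time_s <= max_seconds


# Constructed sample configurations (not taken from a real BIG-IP).
DATA_ONLY = "Protocol 2\nRekeyLimit 1G\n"
DATA_AND_TIME = (
    "Protocol 2\n"
    "# added via: tmsh modify sys sshd include 'RekeyLimit 256M 3600s'\n"
    "RekeyLimit 256M 3600s\n"
)

if __name__ == "__main__":
    for name, cfg in (("data only", DATA_ONLY), ("data and time", DATA_AND_TIME)):
        print(name, parse_rekey_limit(cfg), "hourly rekey:", rekey_interval_ok(cfg))
```

On a system where the include has been applied, feed the script the generated sshd_config (and /config/ssh/ssh_config for the client side) rather than the samples; a result with a None time field means the Common Criteria requirement is not met even though a RekeyLimit line is present.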


653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by an L2 defect in the Broadcom Trident2+ switch that the B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue in the Broadcom Trident2+ switch used by B4450 blades in which ARP replies reached the front panel port but failed to reach TMMs.


652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chassis is displayed when the user issues tmsh show net f5optics from the primary blade.


652151-1 : Azure VE: Initialization improvement

Vulnerability Solution Article: K61757346


651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.


651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with multiple blades, or on a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd cores may occur when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes are configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, memory consumption by bigd on the non-primary blades or instances may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.


649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via an SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", a user with bash shell access can check whether the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in "sys management-ovsdb" is no longer collected when invoking qkview.


649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
The BIG-IP system acts as a TLS client, and the TLS server ignores the renegotiation request. Finite TLS session data or time limits are configured in the Server SSL profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
A BIG-IP system acting as a TLS client (Server SSL profile) now shuts down the connection if the TLS server does not continue with TLS renegotiation within "Handshake Timeout" seconds after the BIG-IP system sent the ClientHello that initiated the renegotiation.


648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Server-side SSL renegotiation does not occur, and the log message is displayed.


648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Vulnerability Solution Article: K90803619


648865-2 : Linux kernel vulnerability: CVE-2017-6074

Vulnerability Solution Article: K82508682


648715-2 : BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they should not.

Conditions:
Provision any of the three protocols (LLDP, STP, or LACP); the PDUs sent by the BIG-IP system incorrectly have a VLAN tag with a tag ID of 0 added to them.

Impact:
Some third-party devices may reject the packet. This adversely affects operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.


648544-5 : HSB transmitter failure may occur when global COS queues enabled

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs, the BIG-IP system reboots.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.


648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Component: TMOS

Symptoms:
bcm56xxd crashes repeatedly, and the device goes offline.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.


646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled, the administrative SSH interface on the BIG-IP system may become unavailable.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
The SSH interface is not available.

Fix:
The SSH configuration is now correct when in CC mode.


646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade

Component: Application Security Manager

Symptoms:
After a roll-forward upgrade from version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
A roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later version is interrupted by a restart or reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes the roll-forward upgrade with traffic data correctly, even after the upgrade process is interrupted.


645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address

Component: TMOS

Symptoms:
LACP PDUs generated by lacpd on the i4x00 and i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP is configured on a trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs and send PDUs as if the BIG-IP system is not transmitting, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable; if the far end is configured for 'Passive', LACP simply does nothing.

Fix:
Ensure that the correct source MAC address is inserted into the PDU.


644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example, toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes an iSession dynamically configured default server-ssl profile.


644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).


644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
    1) An error occurs during dynamic server-ssl profile replacement.
    2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases, the virtual server must have a server-side iSession profile with data-encrypt enabled, and the remote virtual server must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established, which is inconsistent with configuring data-encrypt as enabled in the server-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
    1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
    2) An error occurs during dynamic server-ssl profile replacement.


643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Component: Access Policy Manager

Symptoms:
Requests to /my.policy do not receive HTTP responses.

The log file /var/log/apm contains a large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
The BIG-IP system is used with APM provisioned, and there are a large number of access policy agents configured across all access policies.

The issue occurs only at APMD startup time, e.g., when the BIG-IP system is reloaded, a new image is installed, or the apmd service is manually restarted.

When the issue occurs, /var/log/apm contains a large number of similar error messages:

 err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL

Impact:
APMD is not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.


643404-2 : "tmsh system software status" does not display properly in a specific cc-mode situation

Component: TMOS

Symptoms:
In Common Criteria mode, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that "tmsh system software status" explain the condition; instead, it simply shows "failed (reason unknown)".

Conditions:
The system is in Common Criteria mode, you try to initiate a software change, and there is no signature file available that corresponds to the selected software archive.

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation log contains a more detailed explanation of the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The "tmsh system software status" command now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso). Although you must still download the .sig file from F5 Downloads, it is clear what the failure is and what to do next.


643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Component: Local Traffic Manager

Symptoms:
A memory leak in TMM, or even a crash, may be observed when using the FLOW_INIT event in iRules.

Conditions:
An iRule triggered by the FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.


643187-2 : BIND vulnerability CVE-2017-3135

Vulnerability Solution Article: K80533167


642983-1 : Update to max message size limit doesn't work sometimes

Component: Device Management

Symptoms:
There is a cap on all REST request/response message sizes. By default it is set to 32 MB, and you can modify it to a higher limit using the /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you see a 501 Bad Gateway error from Apache and an error message like "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in the restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
The REST framework applies the message body limit only on the incoming request and response. If an incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses rather than on the RestServer, because forwarded outgoing requests/responses do not have a server instance attached to the request.


642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.


642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
A TCP profile is assigned to the virtual server, and the MTU on the data path is smaller than on the TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS, or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.


642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of 'list gtm monitor' and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.


642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.


642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.


642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name  Status  Bits  Bits  Pkts  Pkts  Drops  Errs  Media
              In    Out   In    Out
--------------------------------------------------------
5.0   down    0     0     0     0     0      0     none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.


642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.

Fix:
TMM no longer cores when persist is enabled for wideip with certain iRule commands triggered.


642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable".

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
None, but the issue is only cosmetic and does not indicate a problem with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.


641612-2 : APM crash

Vulnerability Solution Article: K87141725


641574 : AVR doesn't report on virtual and client IP in DNS statistics

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.


641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records), when the BIG-IP system is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys are configured with periodic rollover, and the certificate path queues an error (situations include, but are not limited to, lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM, so that when the prior generation expires there is no valid key to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.


641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for a CCR-T request carries a Result-Code marked as failure.

Conditions:
The stale session occurs during subscriber termination if any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS value in the Result-Code AVP.

Impact:
The subscriber session in the BIG-IP system stays in the delete pending (stale) state.

Workaround:
A tmm restart cleans up all the stale sessions.

Fix:
The session is now cleaned up when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.


641445-1 : iControl improvements

Component: Device Management

Symptoms:
iControl has been hardened to increase security.

Conditions:
iControl is enabled and exposed to untrusted networks.

Impact:
iControl does not comply with hardened design standards.

Fix:
In hardened versions of the BIG-IP, iControl security is improved.


641390-5 : Backslash removal in LTM monitors after upgrade

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
This can occur on upgrade, with specific backslash escaping in LTM monitors. It is specific to LTM monitors. Example:

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor will fail to load.

Workaround:
Manually correct the string to what it was before the upgrade; the configuration then loads.


641360-2 : SOCKS proxy protocol error

Component: Local Traffic Manager

Symptoms:
In some cases, the SOCKS proxy does not properly handle unexpected changes within a single connection.

Conditions:
A virtual server is configured with a SOCKS Proxy profile.

Impact:
The SOCKS proxy does not function as designed.

Fix:
Event handling in the SOCKS proxy has been improved.


641256-1 : APM access reports display error

Vulnerability Solution Article: K43523962


641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
A race condition occurs during IPsec tunnel teardown.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.


641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be pinned to one TMM if the BIG-IP system does not proxy the GRE tunnel and instead uses a forwarding virtual server to handle GRE tunnel traffic.

Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm that one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.


640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference setting "Records per screen" is set to a high value; 50 or more starts to cause the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference setting "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen in under 3 seconds.


640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in the ASM log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

 crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads correctly.

There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.


640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
When connecting to a public network that has a Captive Portal, and the Captive Portal uses the jQuery library for mobile devices, EdgeClient does not render the login page for that Captive Portal.

Conditions:
A public network with a Captive Portal that uses the jQuery library for mobile devices is in use.

Impact:
EdgeClient cannot establish a VPN connection.

Workaround:
Use a browser to authenticate to the Captive Portal. For a locked client, there is no suitable workaround.

Fix:
EdgeClient no longer uses the navNoHistory flag in the WinInet call; when that flag is used, WebControl hangs on the window.history.replaceState() API call.


640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied, resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies for a subscriber are modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.


640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost. An attempt to add a lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.


640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Component: Local Traffic Manager

Symptoms:
Connflow entry memory is leaked when the BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, after the connflows created are aged out in a particular order.

Conditions:
1) The BIG-IP DHCP proxy is configured in forwarding mode.
2) The DHCP relay agent that sits between the DHCP client and the BIG-IP system sets the giaddr field in the DHCP renewal packet to itself (this has been observed on Cisco devices), so that the DHCP renewal packet is sent to the relay agent by the DHCP servers.
3) The connflow created to giaddr (the relay agent) ages out before the connflows created to the DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
The reference count for giaddr connflows is now decremented when the client-side connflow is removed, preventing the memory leak.


639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
It is a common practice to use aliases for usernames; for example, an app might allow users to log in with either their ID, cell number, or nickname.
WebSafe does not support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
A new ANTIFRAUD iRule command is provided for setting the username (replacing a username alias with the "real" username).


639744-1 : Memory leak in STREAM::expression iRule

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.


639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value set to 0 that is not the last attribute.

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message.

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.


639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.

Component: Advanced Firewall Manager

Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Manual sync operation fails.

Workaround:
Use one of the following workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.


638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade, for example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable and username fields. The output of 'list ltm monitor' and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.

If you have an escaped quote in your configuration and are moving to a version that contains this fix, you cannot reload the configuration, or the license (which also reloads the configuration). Doing so causes the config load to fail.
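A pre-upgrade check for the condition above, written here as an added example (not F5 code): it scans a bigip.conf fragment for monitor strings that contain \" but none of the characters that keep the enclosing quotes. The stanza regex assumes flat monitor stanzas without nested braces, and the sample configuration is constructed.

```python
import re

# Characters whose presence makes the config saver keep the enclosing quotes.
# A monitor string that contains \" but none of these is the affected case
# described in ID 638935 (literal newline is listed for completeness; bigip.conf
# strings are single-line, so "\r\n" inside a send string is escaped, not literal).
SAFE_CHARS = set("'|{};#\n ")

# Monitor fields named in the fix note as carrying user-supplied strings.
AFFECTED_FIELDS = ("send", "recv", "recv-disable", "username")

# Matches one flat 'ltm monitor <type> <name> { ... }' stanza (assumption: monitor
# stanzas contain no nested braces, which holds for standard monitor types).
STANZA_RE = re.compile(r'^ltm monitor (\S+) (\S+) \{(.*?)^\}', re.S | re.M)


def is_affected_string(value: str) -> bool:
    """True if a monitor string would lose its enclosing quotes when saved."""
    return '\\"' in value and not (SAFE_CHARS & set(value))


def find_affected_monitors(conf_text: str):
    """Return (monitor, field, value) for every string matching the condition.

    The value is returned without its enclosing quotes. A value that already
    lacks enclosing quotes (a config damaged by an earlier save) is still flagged.
    """
    hits = []
    for stanza in STANZA_RE.finditer(conf_text):
        mtype, name, body = stanza.groups()
        for raw in body.splitlines():
            parts = raw.strip().split(' ', 1)
            if len(parts) != 2:
                continue
            field, value = parts
            if field not in AFFECTED_FIELDS:
                continue
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            if is_affected_string(value):
                hits.append((f"{mtype} {name}", field, value))
    return hits


# Constructed sample bigip.conf fragment (not taken from a real system).
SAMPLE_CONF = r'''
ltm monitor http /Common/json_status {
    defaults-from /Common/http
    interval 5
    recv "\"service_status\":\"on\".+\"maintenance\":\"off\""
    send "GET /status HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
    timeout 16
}
ltm monitor https /Common/alt_status {
    defaults-from /Common/https
    recv "\"ok\"|\"up\""
    send "GET /health HTTP/1.1\r\n\r\n"
}
ltm pool /Common/app_pool {
    members {
        /Common/10.0.0.5:80 {
            address 10.0.0.5
        }
    }
    monitor /Common/json_status
}
'''

if __name__ == "__main__":
    # Only json_status/recv is reported: alt_status/recv contains a pipe and
    # the send strings contain spaces, so their enclosing quotes are preserved.
    for monitor, field, value in find_affected_monitors(SAMPLE_CONF):
        print(f"{monitor}: field '{field}' will lose enclosing quotes: {value}")
```

Run it against a copy of /config/bigip.conf before upgrading; every reported string is one whose enclosing quotes should be verified after the save.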


638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.

The evaluation does not trigger for some requests when, in the same connection, the virtual server receives a request for an internal Access whitelisted URL and then a request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now completes successfully for non-Access (non-APM) iRule events that are attached to the virtual server.


638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
302 redirects for the VMware View HTML5 client are now handled properly.


638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Component: TMOS

Symptoms:
CVE-2016-4998 : An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt().

CVE-2016-7117 : available at https://support.f5.com/kb/en-us/solutions/public/k/51/sol51201255.html

CVE-2016-6828 : available at https://support.f5.com/csp/#/article/K62442245

Conditions:
The function call is normally restricted to root; however, some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.
(CVE-2016-4998, Moderate)

Impact:
An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root; however, some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.
(CVE-2016-4998, Moderate)


637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If an iRule is used by several virtual servers and you edit the iRule online, it could cause TMM to eventually be killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by a large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If an iRule is used by several virtual servers and you edit the iRule online, it no longer causes TMM to eventually be killed by SOD (watchdog).


637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.


637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.


636702-3 : BIND vulnerability CVE-2016-9444

Vulnerability Solution Article: K40181790


636699-5 : BIND vulnerability CVE-2016-9131

Vulnerability Solution Article: K86272821


636535 : HSB lockup in vCMP guest doesn't generate core file

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occurs rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.


636520-3 : Detail missing from power supply 'Bad' status log messages

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.


636397-1 : bd cores with persistent storage configuration under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover.

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.


636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameter encryption in Single Page Applications (using AJAX).

Conditions:
The application uses AJAX for sending parameters to the web server.

Impact:
Encryption won't work for Single Page Applications.

Workaround:
N/A

Fix:
AJAX encryption support (full payload encryption) has been added.

For 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

The presence of the AJAX-HEADER-NAME header enables AJAX support for the current request, and its value may contain the username used in the current request (if configured and present).

Note that activating AJAX support in releases later than 12.1.2-hf is done differently (configured in the profile, not in the db).


636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported on the B4450 blade.

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions. For more information on supported vCMP versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.


636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initiating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.


636044-1 : Large number of glob patterns affects custom category lookup performance

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.


635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.


635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Vulnerability Solution Article: K23440942 K13361021


635754-1 : Wildcard URL pattern match works incorrectly in Traffic Learning

Component: Application Security Manager

Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning.


635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to a newer version.

Impact:
Missing statistics.

Workaround:
No workaround.

Fix:
After upgrade, all heavy URL statistics are shown.


635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if the parent profile is changed, which can cause the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS is provisioned and the system is configured with a phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.


635412 : Invalid mss with fast flow forwarding and software syn cookies

Vulnerability Solution Article: K82851041


635252-1 : CVE-2016-9256

Vulnerability Solution Article: K47284724


635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Component: Policy Enforcement Manager

Symptoms:
A CCR-u sent in response to a non-existent policy may be missing some of the custom AVPs, such as IMSI and E164, even if the AVPs are marked mandatory. The same is true in the case of CCR-t.

Conditions:
This situation happens when the BIG-IP sends a CCR-u because the policy name received from the PCRF does not exist on the BIG-IP, and also in the case of CCR-t.

Impact:
CCR-u and CCR-t may be missing some of the subscriber attributes, such as IMSI and E164.

Workaround:
No workaround.

Fix:
The custom AVPs are now added in the case of CCR-u as well as CCR-t, if those attributes are enabled for reporting in the protocol profile.


635129 : Chassis systems in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively or as a vCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2) to any other version. The problem occurs on any upgrade, whether to a version on the list of affected versions or to a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in the Active/Active state until all chassis have finished upgrading. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.


635116-1 : Memory leak when using replicated remote high-speed logging.

Component: TMOS

Symptoms:
As a result of a known issue, when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.


634576 : TMM core in per-request policy

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.


634252 : TMM crash with per-request policy in SWG explicit

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.


634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround.

Fix:
After restarting dosl7d during moderate traffic, no false attack is reported.


634115-1 : Not all topology records may sync.

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.


634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.


633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, save, and then restart; this sets up the daemon from a config file instead of via incremental config parsing. So while it does not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.


633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a "request queue stuck" error.

Conditions:
A Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot.

I.e., when a log message such as the following appears:
Feb 27 07:39:07 localhost crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck

Impact:
Under the above conditions, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system will immediately fail over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay is only on rebooting the system which has already gone to standby mode.


633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.


633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.


633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" message at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
Users are able to modify and update data groups.


633349 : localdbmgr hangs and eventually crashes

Component: Access Policy Manager

Symptoms:
localdbmgr hangs and eventually crashes due to a rare condition where the program is trapped inside an internal infinite loop upon logging configuration changes.

Conditions:
Rare condition upon logging configuration changes.

Impact:
localdbmgr crashes.

Workaround:
localdbmgr restarts and recovers from this crash.

Fix:
Added safety check in logging configuration code to protect against unwanted config insertions.


633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CAs.

Workaround:
Use openssl from the bash command line to generate CSRs.
Solution article K14534 contains the appropriate procedure.


632731-2 : specific external logging configuration can cause TMM service restart

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
-- Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the Forwarding Virtual.

Fix:
Connections originating from the BIG-IP to the remote logging server are no longer subjected to ACL checks, so no logs are generated for the log server connection and the error condition cannot arise.


632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd may produce core files.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, memory consumption by bigd on the non-primary blades or instances may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.


632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.


632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even when they are assigned via a normal resource assign agent, are listed under dynamic resources as opposed to static ones.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.


632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Component: Access Policy Manager

Symptoms:
Resources put under the webtop section, such as webtop links and portal access, must be included as dynamic resources or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-created portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Include those resources as dynamic resources in the Policy Sync advanced settings.

Fix:
User can sync profile with resources under webtop section without including them manually as dynamic resources.


632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.


632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

# Skip the DNS::query lookup when the question type ends with "XFR" (AXFR/IXFR);
# parentheses make the negation apply to the whole ends_with test.
if { not ([DNS::question type] ends_with "XFR") } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.


632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When an iClient control connection between Edge Client and BIG-IP exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This can happen when the client interface goes down or the client changes the network it is on.

Impact:
Edge Client cannot establish an iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the system attempts to accept the new connection request.


632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when "%E2%80%AC" (POP DIRECTIONAL FORMATTING) is used as input in the XML request.

Impact:
When one of the following 3-byte characters arrives at the XML parser, the payload is considered malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING (202c).

Workaround:
None.

Fix:
This release now supports the following 3-byte characters within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING (202c).
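The three characters listed above are legal XML 1.0 character data, so a parser that rejects them produces a false positive. The following is an added example (not F5 or ASM code) that decodes the percent-encoded form from a request, confirms each is a 3-byte UTF-8 sequence inside the XML Char production, and only then hands the payload to a real XML parser; the sample payloads are constructed for this example.

```python
"""Added example (not F5 or ASM code): show that the Unicode directional-
formatting characters U+202A..U+202C are valid XML 1.0 character data, so an
XML body containing them must not be reported as malformed.
Sample payloads below are constructed for this example."""
import urllib.parse
import xml.etree.ElementTree as ET

# The three code points the release note lists, keyed by their Unicode names.
BIDI_CONTROLS = {
    "LEFT-TO-RIGHT EMBEDDING": 0x202A,
    "RIGHT-TO-LEFT EMBEDDING": 0x202B,
    "POP DIRECTIONAL FORMATTING": 0x202C,
}


def is_xml_char(cp: int) -> bool:
    """XML 1.0 (5th edition) section 2.2 'Char' production."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def decode_form_value(encoded: str) -> str:
    """Percent-decode a request value as strict UTF-8, e.g. '%E2%80%AC' -> U+202C."""
    return urllib.parse.unquote(encoded, encoding="utf-8", errors="strict")


def utf8_length(cp: int) -> int:
    """Number of UTF-8 bytes used to encode a code point."""
    return len(chr(cp).encode("utf-8"))


def find_illegal_chars(text: str) -> list:
    """Return (offset, codepoint) for every character outside the Char production."""
    return [(i, ord(c)) for i, c in enumerate(text) if not is_xml_char(ord(c))]


def classify_xml_payload(payload: str) -> str:
    """Classify a request body as 'well-formed', 'illegal-char' or 'malformed'.

    Character-level checks run first so that a genuinely illegal character
    (e.g. U+0001) is reported separately from a structural error such as an
    unclosed element. Bidi controls pass the character check and reach the parser.
    """
    if find_illegal_chars(payload):
        return "illegal-char"
    try:
        ET.fromstring(payload)
    except ET.ParseError:
        return "malformed"
    return "well-formed"


if __name__ == "__main__":
    # Constructed request value from the release note: %E2%80%AC decodes to U+202C.
    value = decode_form_value("%E2%80%AC")
    print("decoded code point: U+%04X" % ord(value))
    for name, cp in BIDI_CONTROLS.items():
        print(f"{name}: {utf8_length(cp)} UTF-8 bytes, xml-char={is_xml_char(cp)}")
    # Constructed XML body carrying all three controls inside an element.
    body = "<order><note>" + "".join(chr(cp) for cp in BIDI_CONTROLS.values()) + "</note></order>"
    print("payload classification:", classify_xml_payload(body))
```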


632326-2 : relax_unicode_in_xml/json internal parameter may still trigger a false positive Malformed XML violation

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1
bigstart restart asm


632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
Run the command tmsh show sys pva-traffic global.

The current connection number shown may not be correct.

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic


632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security


632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML Service Provider (SP), IdP connector creation can be automated using a list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes, BIG-IP is not able to modify previously created idp-connector object(s) to reflect the changes.

When the issue occurs, an error similar to the following is logged in /var/log/saml_automation.log:

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

The impact depends on how the metadata changed, and ranges from none to user authentication failure (e.g., when the IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart the samlidpd service: "bigstart restart samlidpd"

As a result, SAML connector automation re-creates the idp-connector objects with current, up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.


631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, the HTTP2 profile receives neither the response's body nor an indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use the following iRule for the affected URLs:

when HTTP_RESPONSE {
  # Re-issue the redirect with a fixed-length (non-chunked) response so the
  # HTTP2 stream is finalized; copy the headers the client needs.
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with a zero size chunk, BIG-IP properly handles the response and sends the END_STREAM flag finalizing the response.


631841-7 : NTP vulnerability CVE-2016-9311

Vulnerability Solution Article: K55405388


631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations, such as "Header name with no header value", that do not correlate to any attack_type. Other affected sub-violations are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. If no other violation was found, the system reports the ArcSight remote logger message as attack_type="N/A".

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.


631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics disappear after upgrade due to a bug in the HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.


631688-7 : Multiple NTP vulnerabilities

Vulnerability Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302


631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.


631582 : Administrative interface enhancement

Vulnerability Solution Article: K55792317


631472-1 : Resetting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.


631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Advanced Firewall Manager

Symptoms:
Stats are collected incorrectly for tmstat tables that use a partial key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters now uses the correct API from the tmstat framework, which simulates a 'group-by' function on the query and thus provides the correct result set.


631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
This occurs when editing certain firewall policies in the GUI.

Impact:
Unable to view or edit the policy; the page returns an error.

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.


630929-1 : Attack signature exception list upload times-out and fails

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.


630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluating policy nodes that use two or more header variation rules.


630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.


630611-1 : PEM module crash when subscriber not found

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEGV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.


630610-5 : BFD session interface configuration may not be stored on unit state transition

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration is missing from the ZebOS running config and no BFD sessions are established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.


630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Component: Access Policy Manager

Symptoms:
Upon waking the laptop, Edge Client is stuck in a reconnect loop.

Conditions:
Full tunnel, no Local LAN Access profile; opening the device lid attempts to reconnect to the VPN service. This occurs only with Mac OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Set Allow Local Subnet Access to enabled.

Fix:
In this release, Edge Client on Mac OS X 10.12.1 now resumes the connection to the VPN.


630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a large core file exists, the qkview command may generate a corrupted qkview.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
qkview is unusable.

Workaround:
None.

Fix:
qkview now completes as expected when core files greater than 2.4 GB exist in /var/core.


630475-5 : TMM Crash

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing TCP traffic.

Conditions:
In some cases TMM may crash when processing TCP traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable Verified Accept.

Fix:
TMM no longer produces a core.


630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.


630150-1 : Websockets processing error

Vulnerability Solution Article: K51351360


629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 as part of a 464 XLAT solution may overwrite the PASV response in 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 as part of a 464 XLAT solution no longer overwrites the PASV response in 464 XLAT cases.


629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
          javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.


629801-2 : Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should prompt you to apply the policy, but instead the policy is applied automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.


629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a long time to reestablish the VPN connection when the Edge Client switches to a network with Captive Portal authentication. Edge Client freezes in the "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.


629663-1 : CGNAT SIP ALG will drop SIP INVITE

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message, i.e., either from the expires parameter or the Expires header, to update the timeout of the registration record.


629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.


629530-2 : Under certain conditions, monitors do not time out.

Component: Global Traffic Manager

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.


629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known exactly what triggers this; it is caused by a timing issue that occurs during system initialization of a multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuilding its config so that it does not lose the unsupported tables in its list.


629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options that allow you to limit the amount of data in flight. A client can send an increment for a window size whose initial value is set by the standard to 65,535 bytes. BIG-IP used a 64K value inherited from SPDY, causing an overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow a protocol violation and shuts the connection down without serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.
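As an added example (not F5 code), the following models the RFC 7540 window accounting described above: a client that assumes the standard 65,535-byte initial window may legally send a WINDOW_UPDATE of 2^31-1 minus 65,535, which a receiver that started from 65,536 sees as exceeding the 2^31-1 limit. The frame bytes and window values are constructed for this example.

```python
"""Added example (not F5 code): HTTP/2 flow-control window accounting from
RFC 7540, showing why tracking a 64K (65,536) initial window instead of the
standard 65,535 makes a legitimate maximum WINDOW_UPDATE look like an overflow.
Frame bytes below are constructed for this example."""
import struct

MAX_WINDOW = 2**31 - 1        # RFC 7540 6.9.1: a window must never exceed 2^31-1
RFC_INITIAL_WINDOW = 65535    # RFC 7540 6.9.2: initial window for the connection and each stream
SPDY_STYLE_WINDOW = 65536     # the 64K value the release note says was inherited from SPDY
WINDOW_UPDATE = 0x8           # frame type code for WINDOW_UPDATE


class FlowControlError(Exception):
    """Raised where a peer would send GOAWAY/RST_STREAM with FLOW_CONTROL_ERROR."""


def build_window_update(stream_id: int, increment: int) -> bytes:
    """Encode a WINDOW_UPDATE frame: 3-byte length, type, flags, 31-bit stream id, 31-bit increment."""
    if not 1 <= increment <= MAX_WINDOW:
        raise ValueError("window size increment must be in 1..2^31-1")
    header = struct.pack("!I", 4)[1:] + bytes([WINDOW_UPDATE, 0]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + struct.pack("!I", increment & 0x7FFFFFFF)


def parse_window_update(frame: bytes):
    """Decode a WINDOW_UPDATE frame and return (stream_id, increment)."""
    if len(frame) != 13:
        raise ValueError("WINDOW_UPDATE frame must be 9 header bytes + 4 payload bytes")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF   # mask the reserved bit
    if frame_type != WINDOW_UPDATE or length != 4:
        raise ValueError("not a WINDOW_UPDATE frame")
    increment = struct.unpack("!I", frame[9:13])[0] & 0x7FFFFFFF  # mask the reserved bit
    if increment == 0:
        raise ValueError("zero increment is a PROTOCOL_ERROR")
    return stream_id, increment


def apply_window_update(window: int, increment: int) -> int:
    """Return the new window, or raise if it would pass 2^31-1 (RFC 7540 6.9.1)."""
    new_window = window + increment
    if new_window > MAX_WINDOW:
        raise FlowControlError(f"window {window} + {increment} exceeds {MAX_WINDOW}")
    return new_window


def max_client_increment() -> int:
    """Largest increment a client may legally send against the standard initial window."""
    return MAX_WINDOW - RFC_INITIAL_WINDOW


def receiver_accepts(initial_window: int, frame: bytes) -> bool:
    """Simulate a receiver that believes the initial window was `initial_window`."""
    _, increment = parse_window_update(frame)
    try:
        apply_window_update(initial_window, increment)
        return True
    except FlowControlError:
        return False


if __name__ == "__main__":
    # Stream 0 addresses the connection-level window.
    frame = build_window_update(0, max_client_increment())
    print("RFC 7540 receiver accepts:", receiver_accepts(RFC_INITIAL_WINDOW, frame))   # True
    print("64K-initial receiver accepts:", receiver_accepts(SPDY_STYLE_WINDOW, frame))  # False
```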


629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.


629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (a profile that has been inherited) cannot be saved in the FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Use tmsh or REST.


629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.


629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now adding new scripts via Range.createContextualFragment() call does not cause deletion of any scripts in HTML page.


628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to the associated server and virtual server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.


628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.


628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.


628836-4 : TMM crash during request normalization

Vulnerability Solution Article: K22216037


628832-4 : libgd vulnerability CVE-2016-6161

Vulnerability Solution Article: K71581599


628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
Edge Client stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.


628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.


628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.


628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use tmsh or REST.

Fix:
GUI allows adding items to lists with more than 10 records.


628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way that can be applied to all URLs protected in a profile. If that is not possible because of the HTML structure of some URLs, the HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.


628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.


628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute a different route type, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.


628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module database is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.


627972-2 : Unable to save advanced customization when using Exchange iApp

Component: Access Policy Manager

Symptoms:
When a policy is created using the Microsoft Exchange iApp script, Advanced Customization (usually of the logon page) might fail with an error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually an HA pair with a profile created by the Exchange iApp; in general, any advanced customization whose name does not equal customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
and change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customization_group_name:filename, i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.


627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.


627916-1 : Improve cURL Usage

Component: Policy Enforcement Manager

Symptoms:
In some cases, cURL usage within PEM does not comply with standards.

Conditions:
TAC-DB in use

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage


627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
With the fix, an otherwise supported optics module is no longer declared unsupported when bundling is configured disabled on the interface.


627907-1 : Improve cURL usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage


627898-2 : TMM leaks memory in the ECM subsystem

Component: TMOS

Symptoms:
TMM leaks memory in the ECM subsystem.

Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.

Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.

Fix:
TMM no longer leaks memory in the ECM subsystem.


627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) objects, BIG-IP allocates a large buffer locally and does not expect it to be overrun, as the objects are expected to be smaller.

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
Use quota buckets with fewer rules.


627747-1 : Improve cURL Usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage


627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms

Component: TMOS

Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.

Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.

Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.

Setting HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (the default is 50), may resolve the issue, depending on the conditions under which it occurred.

Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.


627403-2 : HTTP2 can crash tmm when stats are updated on abort of a new connection

Component: Local Traffic Manager

Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats before the memory is allocated.

Conditions:
HTTP2 profile is configured and assigned to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
HTTP2 no longer accesses stats before the memory is allocated, preventing a TMM crash for this reason.


627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log

Component: Application Security Manager

Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded

Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF

Impact:
Upgrade fails

Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads fine.

There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------


627279-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
tmm on a blade may crash during a CMP and PEM change.

Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow the new standby chassis to complete its CMP state change activity.

Fix:
Handle sessionDB failures gracefully.


627257-2 : Potential PEM crash during a Gx operation

Component: Policy Enforcement Manager

Symptoms:
Tmm may core during a Gx operation.

Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Perform proper validation checks as part of API processing.


627246-1 : TMM memory leak when ASM policy configured on virtual

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
Memory leak could be observed via output of this TMSH command:
tmctl -c memory_usage_stat | grep -P '^name|hud_oob'
when ASM policy is configured on a virtual server. However this condition is not unique.

Impact:
TMM might run out of memory and eventually crash.

Workaround:
Try to disable ASM policy configuration on virtual server.

Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.


627214-3 : BGP ECMP recursive default route not redistributed to TMM

Component: TMOS

Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.

Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.

Impact:
Packets are not routed to all ECMP nexthops.

Workaround:
None.

Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.


627117-1 : crash with wrong certificate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
a bad / wrong / missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
Fix the attached certificate.

Fix:
Fix an issue with wrong certificates.


627059-1 : In some rare cases TMM may crash while handling VMware View client connection

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
VMware View client uses PCoIP to connect to backend via APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rare TMM crash during handling of a VMware View client PCoIP connection.


626910-1 : Policy with assigned SAML Resource is exported with error

Component: Access Policy Manager

Symptoms:
If an access profile's access policy has a SAML resource assigned, export fails with an error.

Conditions:
1. Access profile/access policy
2. Saml resource is assigned

Impact:
Unable to Export Policy

Fix:
Work order is restored


626851-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.


626839 : sys-icheck error for /var/lib/waagent in Azure.

Component: TMOS

Symptoms:
On a BIG-IP deployed in Azure cloud, sys-icheck reports a readlink error for the /var/lib/waagent directory as follows:

ERROR: ....L.... /var/lib/waagent

Conditions:
BIG-IP deployed in Azure cloud.

Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck error for /var/lib/waagent in Azure.


626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.

Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.


626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade

Component: Device Management

Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:

{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}

Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1, or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.

Impact:
Command fails, unable to set maxMessageBodySize.

Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:

1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.

Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.


626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Advanced Firewall Manager

Symptoms:
The frame goes blank when an ASM policy is enabled. This triggers the following JS error in the client's console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
ASM policy enabled. Device ID is enabled through one of the supporting features.

Impact:
Site not operating correctly.

Workaround:
N/A

Fix:
Fixed a device ID JavaScript issue that prevented a frame from being displayed.


626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.
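The failure mode above is a record-layer reassembly problem: a handshake message can span several TLS records, and a single record can carry the tail of one message followed by the start of the next. The following added example (not F5 code; a constructed model of the parsing logic, with dummy message bodies) shows a reassembler that carries the partial message across records beside a naive per-record parser that, like the defect described, reads the continuation bytes as a fresh message header and derives a bogus length.

```python
import struct
from typing import List, Tuple

HANDSHAKE = 22            # TLS ContentType.handshake
CLIENT_KEY_EXCHANGE = 16  # HandshakeType values from the TLS 1.2 registry
CERTIFICATE_VERIFY = 15


def tls_record(content_type: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Wrap a payload in a 5-byte TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Build a handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_records(stream: bytes) -> List[Tuple[int, bytes]]:
    """Split a byte stream into (content_type, payload) records; stop on a short tail."""
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # record not fully received yet
        records.append((ctype, payload))
        off += 5 + length
    return records


class HandshakeReassembler:
    """Accumulate handshake record payloads and emit only complete handshake messages."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, payload: bytes) -> List[Tuple[int, bytes]]:
        self.buf += payload
        complete = []
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break  # message continues in a later record; keep the partial bytes
            complete.append((msg_type, self.buf[4:4 + length]))
            self.buf = self.buf[4 + length:]
        return complete


def parse_handshakes(stream: bytes) -> List[Tuple[int, int]]:
    """Correct parse: (handshake type, body length) for every complete message."""
    reassembler = HandshakeReassembler()
    found = []
    for ctype, payload in split_records(stream):
        if ctype == HANDSHAKE:
            found.extend((t, len(b)) for t, b in reassembler.feed(payload))
    return found


def naive_per_record(stream: bytes) -> List[Tuple[int, int]]:
    """Defective parse: treats the start of every record as a new handshake message."""
    found = []
    for ctype, payload in split_records(stream):
        if ctype == HANDSHAKE and len(payload) >= 4:
            found.append((payload[0], int.from_bytes(payload[1:4], "big")))
    return found


def build_sample_stream() -> bytes:
    """Constructed sample: a 300-byte ClientKeyExchange split across two records,
    with the CertificateVerify riding in the second record (bodies are dummy bytes)."""
    cke = handshake_msg(CLIENT_KEY_EXCHANGE, b"\x11" * 300)
    cv = handshake_msg(CERTIFICATE_VERIFY, b"\x22" * 64)
    first, rest = cke[:200], cke[200:]
    return tls_record(HANDSHAKE, first) + tls_record(HANDSHAKE, rest + cv)


if __name__ == "__main__":
    stream = build_sample_stream()
    print("reassembled:", parse_handshakes(stream))   # [(16, 300), (15, 64)]
    print("naive      :", naive_per_record(stream))   # second entry is garbage
```

The naive parser's second entry claims a message of type 0x11 with length 0x111111, far more bytes than will ever arrive, which is exactly the "waiting endlessly for more bytes" symptom.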


626360 : TMM may crash when processing HTTP2 traffic

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing HTTP2 traffic.

Conditions:
A virtual configured with HTTP2 and ClientSSL profiles

Impact:
Traffic disrupted while tmm restarts.

Fix:
Improve HTTP2 processing.


626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
  A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When a pre-v12.0 policy contains an illegal character, each illegal character in the rule name is converted to a legal one. But the conditions and actions, which are joined to the rule by name, were not adjusted in the same way. After migration, the LTM Policy rule has no conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix illegal characters and the configuration reloaded.
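As an added illustration of the orphaning described above (not F5 code; the policy structure is a constructed, hypothetical model, not the real configuration format), the following compares a migration that renames rules only with one that rewrites the condition and action references through the same rename map, and includes a check that reports references pointing at no existing rule.

```python
import re
from typing import Dict, List

# Allowed characters per the release note: A-Z a-z 0-9 . / : % - plus spaces.
DISALLOWED = re.compile(r"[^A-Za-z0-9./:%\- ]")


def sanitize_name(name: str) -> str:
    """Replace every disallowed character with an underscore (the v12.0 auto-migration rule)."""
    return DISALLOWED.sub("_", name)


def make_policy() -> Dict[str, object]:
    """Constructed pre-v12.0 policy: rules are keyed by name and conditions/actions
    reference their rule by that same name (hypothetical model, not the real format)."""
    return {
        "name": "app-policy",
        "rules": ["block (admin)", "allow[api]", "default"],
        "conditions": [
            {"rule": "block (admin)", "match": "http-uri path starts_with /admin"},
            {"rule": "allow[api]", "match": "http-uri path starts_with /api"},
        ],
        "actions": [
            {"rule": "block (admin)", "do": "reset"},
            {"rule": "allow[api]", "do": "forward pool api_pool"},
            {"rule": "default", "do": "forward pool web_pool"},
        ],
    }


def migrate_buggy(policy: Dict[str, object]) -> Dict[str, object]:
    """Rename the rules only; conditions and actions keep the old names (the defect)."""
    out = dict(policy)
    out["rules"] = [sanitize_name(r) for r in policy["rules"]]
    return out


def migrate_fixed(policy: Dict[str, object]) -> Dict[str, object]:
    """Rename the rules and rewrite every condition/action reference with the same map."""
    rename = {r: sanitize_name(r) for r in policy["rules"]}
    out = dict(policy)
    out["rules"] = [rename[r] for r in policy["rules"]]
    out["conditions"] = [dict(c, rule=rename[c["rule"]]) for c in policy["conditions"]]
    out["actions"] = [dict(a, rule=rename[a["rule"]]) for a in policy["actions"]]
    return out


def orphaned_references(policy: Dict[str, object]) -> List[str]:
    """Post-upgrade check: referenced rule names that no longer exist in the policy."""
    rules = set(policy["rules"])
    refs = [c["rule"] for c in policy["conditions"]] + [a["rule"] for a in policy["actions"]]
    return sorted({r for r in refs if r not in rules})


if __name__ == "__main__":
    policy = make_policy()
    print("renamed rules:", [sanitize_name(r) for r in policy["rules"]])
    print("orphans after buggy migration:", orphaned_references(migrate_buggy(policy)))
    print("orphans after fixed migration:", orphaned_references(migrate_fixed(policy)))
```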


625832-4 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.


625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space usage to increase continuously and might lead to exhaustion of swap space.

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl


625784 : TMM crash on BigIP i4x00 and i2x00 with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM will continuously crash on boot-up or restart.

Conditions:
Large ASM configurations (50 virtual servers, 50 ASM policies).

Impact:
TMM continuously crashes and restarts, system is unusable.

Workaround:
None

Fix:
None


625783-1 : Chassis sync fails intermittently due to sync file backlog

Component: Application Security Manager

Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.

Conditions:
Policies are changed and applied in a short interval on a chassis platform.

Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.

Fix:
ASM configuration sync on chassis platform now works more reliably.


625703-2 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.


625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver will allow dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.


625542-1 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.


625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as a SAML Service Provider. To simplify reproduction, change the Access Policy execution timeout to a few seconds.
- Use Edge Client to connect to BIG-IP.
- The SAML agent will redirect the user for authentication to the IdP.
- Wait a few seconds for the access policy to time out on BIG-IP.
- Enter credentials/complete authentication on the IdP.
- The user will be redirected back to BIG-IP as SP. At this moment APM will create a new session and evaluate the access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.

Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.


625372-5 : OpenSSL vulnerability CVE-2016-2179

Vulnerability Solution Article: K23512141


625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI

Component: Fraud Protection Services

Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL, the parameter name becomes "0". When trying to modify such parameters, they are not saved.

Conditions:
Provision FPS
Create URL

Impact:
FPS GUI

Workaround:
Via tmsh, for example:

tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }

Fix:
It is now possible to add parameters containing square brackets in FPS GUI.


625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled.

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

An iRule exists that changes any of the conditions above besides DSACK.

Various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.


625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing through the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server

Fix:
Fixed incorrect memory management in one of the classification matching mechanisms that led to a crash.


625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
It does not affect sync functionality, and the user can still see the sync status on an active device.

Workaround:
Check sync status on an active device in the group.

Fix:
The user can now see the sync statuses on a standby device, including the device itself as well as the list of devices in the whole sync-only group where sync is performed.


625106-2 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled

Fix:
Change configuration as described.


625098-3 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
MRF events, such as MR_INGRESS, MR_EGRESS and MR_FAILED, are used.

Impact:
SCTP::local_port won't work under MR events.

Fix:
The SCTP::local_port iRule command is now supported in MRF events.


625085 : lasthop rmmod causes kernel panic

Component: TMOS

Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.

Conditions:
Attempting to unload the lasthop kernel module.

Impact:
The system reboots.

Workaround:
Avoid running the following command:

# rmmod lasthop

Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.


624966-2 : Edge client starts new APM session when Captive portal session expires

Component: Access Policy Manager

Symptoms:
When a Captive portal session expires during Network Access, Edge Client shows the Captive portal authentication page. If the user does not authenticate for some amount of time (30-60 sec), Edge Client tries to disconnect the current session. When the user then authenticates successfully, Edge Client starts a new APM session instead of waiting until the user has authenticated on the Captive portal page.

Conditions:
This can occur when Captive portal is configured and the session expires.

Impact:
The Edge Client starts a new session when it should re-use the existing session.


624876-1 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
An RPZ zone contains an entry, for example badzone.example.com, that is subsequently removed.

Impact:
Entries that encounter this problem will continue to be blocked by RPZ.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and "bigstart restart zxfrd".

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.


624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps

Component: TMOS

Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.

Conditions:
max-user-rate is set at 2gbps or higher.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.

Fix:
tmm no longer crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.

Behavior Change:
no


624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added prior to calling a callback for asynchronous handling.


624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.


624616-1 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the uninstaller cannot remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.


624570-1 : BIND vulnerability CVE-2016-8864

Vulnerability Solution Article: K35322517


624526-3 : TMM core in mptcp

Component: Local Traffic Manager

Symptoms:
When MPTCP is enabled on a virtual server, TMM may generate a core file and restart.

Conditions:
MPTCP must be in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Prevented TMM core.


624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Component: TMOS

Symptoms:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html


624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.

Fix:
A change of virtual server configuration triggered a new library to be loaded during the upgrade, which the hitless upgrade mechanism did not expect and which led to a tmm crash. This is fixed in versions starting with 12.1.2.


624361-1 : Responses to some of the challenge JS are not zipped.

Component: TMOS

Symptoms:
Performance is affected on the JS challenge.

Conditions:
One of the following is turned on in the application DoS configuration: the CS challenge, the PBD challenge (with Suspicious Browsers disabled), or the Device-ID challenge.

Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed

Workaround:
None.

Fix:
Some of the JS challenges now have better performance.


624263-4 : iControl REST API sets profile's non-default property value to "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
An insert action in a PEM rule with a response spanning multiple segments, and the connection is aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold

Fix:
xfrags are now freed when aborting flows.


624198-1 : Unable to add multiple User-Defined alerts with the same search category

Component: Fraud Protection Services

Symptoms:
Adding two or more User-Defined alerts causes a DB exception error.

Conditions:
Provision FPS
Malware Detection license

Add multiple User-Defined alerts with the same "Search In" category.

Impact:
Can impact detection of certain malware.

Workaround:
Add a single record each time, or use tmsh or REST.

Fix:
GUI allows adding multiple User-Defined alerts of the same search category.


624193-2 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions that cause the problem.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.


624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When an iRule is used to access a SIP header attribute with no value, TMM cores.

Conditions:
Use an iRule to access the value of a SIP message header attribute that has no value, for example:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.


623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.


623927-2 : Flow entry memory leaked after DHCP DORA process

Component: Policy Enforcement Manager

Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.

Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode), and wait for the client connection flow entry to age out.

Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.

Workaround:
None.

Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.


623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.

Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.


623885-4 : Internal authentication improvements

Vulnerability Solution Article: K41107914


623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. The client sees a reset, and these error messages appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.


623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition

Component: Fraud Protection Services

Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.

Also, if a user-defined partition is selected, the GUI will not display a message if there are available signature/engine updates.

Conditions:
Provision and license FPS.
Create user-defined partition.

Impact:
You are unable to manage the profile in the user-defined partition.

Workaround:
Use tmsh to add users.

Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.


623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow is associated with a PEM rule that has at least a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.

Fix:
The BWC policy is restored correctly after a policy update.


623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Fix:
The connection between BIG-IP and the OCSP responder now uses a TCP configuration suited to this usage, which makes the connection reliable. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.


623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" file incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer file that shipped with the target version.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.


623119 : Linux kernel vulnerability CVE-2016-4470

Component: TMOS

Symptoms:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html


623093-1 : TIFF vulnerability CVE-2015-7554

Vulnerability Solution Article: K38871451


623055-1 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, I/O, etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.

Fix:
Initialize resources to fail gracefully on error.


623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`

Fix:
The dropdown menu now has an option to select an "Unknown" Continent.


622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.

Fix:
Updates to the audit log are throttled to at most one per minute.


622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact; these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.

Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.


622856-1 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.


622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a long time to disconnect when the machine is moved to a network with no connectivity to BIG-IP.

Conditions:
* VPN is established
* Machine is moved to a different network (with no connectivity to BIG-IP)
* EdgeClient stays in the "Disconnecting..." state for a few minutes

Impact:
The user has to wait until the disconnect procedure is complete.

Fix:
Edge Client now uses a 5000 msec timeout to complete the logout HTTP request, which is enough under normal conditions.


622735 : TCP Analytics statistics do not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.

Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.


622662-7 : OpenSSL vulnerability CVE-2016-6306

Vulnerability Solution Article: K90492697


622496 : Linux kernel vulnerability CVE-2016-5829

Vulnerability Solution Article: K28056114


622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.

Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.

Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.


622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Whenever a DoS Network logging profile is assigned to or removed from a Virtual Server, it can cause a random TMM crash.

Conditions:
The problem happens only with runtime config change.

Logging profile settings that were already configured and are loaded at TMM startup do not have this problem. Since the problem is a one-time event on config change, the TMM restart picks up the config change and works without any problem after the one-time crash and restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
An invalid memory reference after free (use-after-free) caused the crash; this has been fixed.


622244-2 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode


622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.


622199 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.


622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.


622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.

Fix:
The alert daemon will now remove old log files as intended.


622126-1 : PHP vulnerability CVE-2016-7124

Vulnerability Solution Article: K54308010


621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working OneDrive for Business app.

Workaround:
Click through the javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working Skype For Business app.

Workaround:
Click through the javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621957-2 : Timezone data on AOM not syncing with host

Component: TMOS

Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.

Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

then the system has this problem.

Impact:
Time on the AOM is incorrect.

Workaround:
If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

move them to:

/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab

Fix:
Timezone data on AOM now syncs correctly with the host again.


621937-1 : OpenSSL vulnerability CVE-2016-6304

Vulnerability Solution Article: K54211024


621935-6 : OpenSSL vulnerability CVE-2016-6304

Vulnerability Solution Article: K54211024


621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.

Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.


621870-2 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
A VIP-VIP configuration (one virtual server targeting another).

Impact:
System outage

Workaround:
None.


621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Advanced Firewall Manager

Symptoms:
Internet Explorer 11 browsers that have "Compatibility View" enabled for the site (under the Compatibility View Settings IE menu) fail the JavaScript challenge when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.

The challenged request is blocked with a TCP RST, and the browser shows "This page can’t be displayed".

Conditions:
1. The DoS profile attached to the virtual server has Proactive Bot Defense enabled and the "Block requests from suspicious browsers" checkbox checked.
2. Internet Explorer 11 browsers in which the site's domain has been added to "Compatibility View Settings" in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None

Fix:
Internet Explorer 11 browsers with "Compatibility View" enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.


621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.


621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives an unexpected session variable result that was meant for another VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.

Fix:
VDI now handles the error condition gracefully and no longer crashes.


621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.


621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
Ports on i2000 or i4000 platforms do not auto-negotiate between 1G and 10G optics. Each port is assigned to one speed or the other.

Impact:
The user may not understand why the optic is not working correctly.

Workaround:
Move the optic to the correct port.


621401 : When HA is configured on BIG-IPs managed by BIG-IQ, AVR reporting from BIG-IQ may fail under load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than one BIG-IP in an HA cluster, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad


621371-2 : Output Errors in APM Event Log

Vulnerability Solution Article: K43523962


621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Vulnerability Solution Article: K97285349


621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.


621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
The reserved free space in the VM image has been increased from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be larger and to require more disk space to install. The increased reserved space allows upgrading to at least the next two versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.
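
To see which queries would have bypassed RPZ on an unfixed system, the following added example (not from the release note and not F5 code) builds a DNS query with and without the EDNS0 DO bit and shows where that bit lives on the wire: bit 15 of the TTL field of the OPT pseudo-RR (type 41) in the additional section. A practitioner can run has_do_bit() over query payloads pulled from a packet capture to spot DO=1 traffic. All function names are the example's own.

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000    # DNSSEC OK bit: bit 15 of the OPT record's 32-bit TTL field


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, edns=True, do_bit=False, txid=0x1234, udp_size=4096):
    """Build a DNS query. With edns=True an OPT RR is appended to the
    additional section, and do_bit=True sets DO in that record's TTL field."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if not edns:
        return header + question
    ttl = DO_FLAG if do_bit else 0   # ext-rcode=0, version=0, DO, Z=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, no options
    return header + question + opt


def skip_name(pkt, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def has_do_bit(pkt):
    """True if the DNS message carries an EDNS0 OPT RR with DO=1."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
    return False


if __name__ == "__main__":
    for label, q in (("plain", build_query("example.com", edns=False)),
                     ("edns, DO=0", build_query("example.com")),
                     ("edns, DO=1", build_query("example.com", do_bit=True))):
        print(f"{label:12s} {len(q):3d} bytes  DO={has_do_bit(q)}")
```

A resolver client sends DO=1 whenever it wants DNSSEC data (dig +dnssec does this), so on an unfixed DNS Cache such clients silently received unfiltered answers; the check above is how to tell the two kinds of query apart.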


621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
These are false alarms in the log; the associated interfaces have no PCI devices.

Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".


621210-2 : Policy sync shows as aborted even if it is completed

Component: Access Policy Manager

Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.

Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.

Impact:
Sync status is displayed incorrectly, even after the sync was successful.

Workaround:
None.

Fix:
Policy sync now shows as completed when it is completed.


621126-2 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Exporting and then importing with reuse a configuration that contains a SAML IdP Connector fails with an "Object not found" or "Certificate not found" error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On the source box: disconnect the IdP configuration, then export the config.
On the target box: recreate the IdP configuration, import, then reconnect it.

Fix:
Importing with reuse is fixed.


621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Component: Performance

Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.

Conditions:
Host traffic (traffic to or from the Linux host) that traverses TMM.

Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.

BGP neighbors may reject packets from the BIG-IP.

Workaround:
Adjust TTL verification restrictions on peer devices.

Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.


620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
JavaScript with literal object definitions containing reserved keywords as field names is now handled correctly by Portal Access.


620801-3 : Access Policy is not able to check device posture for Android 7 devices

Component: Access Policy Manager

Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.

If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.

Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Workaround:
This workaround only applies to IBM Maas360:

Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.


620782 : Azure cloud now supports hourly billing

Component: TMOS

Symptoms:
Prior to 12.1.2, hourly billing was not supported in Azure cloud.

Conditions:
Any version prior to 12.1.2 in Azure cloud.

Impact:
Hourly billing is not possible.

Fix:
With 12.1.2 hourly billing is now supported in Azure.


620659-3 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but the file /mprov_firstboot is left on the system. The following appears in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning runs again, potentially unnecessarily, because this file exists. The following appears in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile with a JSON login parameter that contains an upper-case character

Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Workaround:
N/A

Fix:
JSON login parameters are now always treated as case-sensitive, regardless of the ASM policy case-sensitivity setting.


620625-2 : Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail

Component: Local Traffic Manager

Symptoms:
When Connection.VlanKeyed is modified, asymmetric/npath connections may fail.

Conditions:
The Connection.VlanKeyed BigDB key is modified.

Impact:
Asymmetric/npath routed connections may fail.

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Changing Connection.VlanKeyed no longer causes asymmetric/npath connections to fail.


620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
The iOS Citrix Receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the previous Save screen.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

If the above error is not logged, the following error is logged instead, and the session ID is deleted abruptly:

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured with Citrix replacement mode and APM session rotation is enabled. The user enters a wrong passcode for RSA SecurID authentication three times in a row, which triggers the next-token prompt, and then enters the correct passcode on the fourth attempt.

Impact:
The iOS Citrix Receiver cannot add the account after wrong token values were provided for two-factor authentication.

Workaround:
Close the iOS Citrix Receiver application, reopen it, and add the account again.

Fix:
The correct session ID is now used to decrypt the password.


620400-1 : TMM crash during TLS processing

Component: Local Traffic Manager

Symptoms:
In some cases, TMM may crash during TLS processing

Conditions:
SSL profile in use

Impact:
Failover event during TMM restart

Fix:
TMM no longer crashes during TLS processing


620366-4 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.

Impact:
alertd fails to restart

Fix:
alertd file descriptors are now marked close-on-exec (FD_CLOEXEC), so they are closed automatically in child processes.
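
The mechanism behind this fix, as an added example (not alertd's code): a daemon whose listener fd lacks FD_CLOEXEC leaks it into every child it spawns, and when the daemon restarts the child still holds the port. The function below reproduces both cases with a UDP socket and a "sleep" child standing in for the long-running helper; the function name and the use of sleep are this example's assumptions.

```python
import errno
import socket
import subprocess


def rebind_after_child(leak_to_child):
    """Open a UDP listener, spawn a long-running child, then "restart" by
    closing and re-binding the listener. Returns True if the re-bind
    succeeded, False if the child still held the port (EADDRINUSE).

    leak_to_child=True reproduces the bug: the listener fd is left
    inheritable (no FD_CLOEXEC) and survives the child's exec.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    port = listener.getsockname()[1]
    # Python sets FD_CLOEXEC on new sockets; set_inheritable(True) clears it,
    # which is the state of a daemon that never marked its fds close-on-exec.
    listener.set_inheritable(leak_to_child)

    # close_fds=False so the child keeps whatever the parent left inheritable.
    # Popen returns only after the child has exec'd, so no race with the rebind.
    child = subprocess.Popen(["sleep", "30"], close_fds=False)
    try:
        listener.close()                      # the daemon "restarts" here ...
        again = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            again.bind(("127.0.0.1", port))   # ... and tries to reclaim its port
            return True
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise
            return False
        finally:
            again.close()
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("fd leaked to child -> rebind ok:", rebind_after_child(True))
    print("fd close-on-exec   -> rebind ok:", rebind_after_child(False))
```

For a daemon written in C the equivalent of set_inheritable(False) is fcntl(fd, F_SETFD, FD_CLOEXEC) on each fd it already holds, or SOCK_CLOEXEC / O_CLOEXEC at creation time; with the flag set, the helper survives the restart and the listener port is free again.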


620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
Failure to allocate memory is now handled properly.


620079-3 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.

Impact:
Monitors mark nodes down, resulting in a partial service outage.

Workaround:
Restart bigd (bigstart restart bigd).


620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic selectors, one in and one out, mirror each other by reversing source and destination addresses, deleting one can misfire an assert, restarting tmm.

Conditions:
Defining two closely related traffic selectors, one for in and one for out, can confuse a later check of their names.

Impact:
When a traffic selector from such a pair is deleted, an assert can fail that restarts tmm. Traffic disrupted while tmm restarts.

Workaround:
Using one traffic selector with direction=both avoids the problem on releases without this fix.

Fix:
The confusion over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors, identical except for reversed source and destination, work correctly for IKEv1 configs. For IKEv2 it is still best to use a single traffic selector with direction=both.


619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable in an iRule, for example:

when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}

Impact:
The client receives an HTTP 503 reset.

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is added automatically. Manually removing the websso plugin profile from the virtual server works around this issue.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.


619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profile and handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified-accept in the TCP profile.

Fix:
The infinite loop has been fixed.


619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first in it, the OCSP responder returns an "unauthorized" response.

Conditions:
This can only happen when issuing CA is not first in the CA file.

Impact:
The OCSP check in Machine Cert fails and the user cannot follow the successful branch in the Access Policy. This may result in an authentication failure even though the machine cert is valid.

Workaround:
Use an iRule Event agent and a Variable Assign agent between the Machine Cert and OCSP Auth agents.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }

Fix:
The issuer cert is now looked up in the CA bundle and set properly, so the OCSP responder no longer returns a failure response.


619757-1 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619663-3 : Termination of an HTTP2 connection may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP2 connection is being terminated on the client and server sides concurrently.

Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HTTP2 now stops further processing when a connection is terminating, preventing the TMM crash.


619528-4 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.


619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access can fail if the application modifies the window.self built-in object. As a result, the application stops working and may log an undefined variable/reference exception to the Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None

Fix:
Scripts on pages accessed through Portal Access no longer fail when web application code modifies window.self.


619473-2 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.

Fix:
The browser no longer hangs at logout from an APM session with the RDP client and/or VMware View client.


619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 were bypassing the hardware accelerator and being serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
Compression requests for DEFLATE/gzip/zlib levels other than level 1.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.


619398-7 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
Failure to allocate memory is now handled properly.


619250-1 : Returning to main menu from "RSS Feed" breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to the "RSS Feed" configuration page for a Document, Picture Library, List, etc., go back to the SharePoint dashboard using the link at the top pointing to "RSS FEED for ...", and then click any option on the ribbon, you get a "500 Internal Server Error" and the ribbon stops working. When you use the browser's built-in "go back" button instead, everything works.

Conditions:
Returning from the "RSS Feed" configuration page to the SharePoint dashboard via the "RSS FEED for ..." link rather than the browser's back button.

Impact:
The ribbon stops working.

Workaround:
Use built-in browser "go back" button instead.

Fix:
After returning to the main menu from "RSS FEED for ...", the ribbon continues to work and no "500 Internal Server Error" occurs.


619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when OneConnect is used on a VIP.

Fix:
Verified accept, OneConnect, and hardware syncookies now work correctly together.


618944-1 : AVR statistics are not saved during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistics were collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics will be lost

Workaround:
1. Before upgrading, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Change the following line (the "-o" before the asm test is missing):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

to:
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "

Fix:
AVR upgrade script fixed


618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.


618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart

Component: TMOS

Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards the remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage causes tmm to crash and restart. This is more likely to happen if the route towards the peer is dynamic.

Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as is in the case of dynamic route updates)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that there is always a valid route towards each of the remote peers.

Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.


618771-1 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some Social Security Numbers (SSNs).

Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask, and responses contain Social Security Numbers in specific ranges.

Impact:
The traffic passes to the end client neither masked nor blocked.

Workaround:
None.

Fix:
The system now correctly masks and/or blocks all relevant social security numbers.


618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A virtual server with an ipother profile configured together with the PEM profile. In the field defect, the additional element was a missing classification profile, but because of code ordering this can also happen in unfixed versions with the classification profile present.

Impact:
Unnecessary ICMP traffic

Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.


618549-1 : Fast Open can cause TMM crash CVE-2016-9249

Vulnerability Solution Article: K71282001


618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file

Component: Local Traffic Manager

Symptoms:
- On 11.6.1, bigd erroneously marks pool members down, and messages similar to the following are seen in the LTM log file:

Sep 23 10:45:59 bipve1 warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- On 12.1.x, this bug has negligible impact.

Conditions:
Monitoring must be in use, bigd debug logging must be enabled, and the bigd debug log file (/var/log/bigdlog) must be full.

Impact:
- On 11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In 12.1.x, some of the underlying logging code changed and there is no real impact.

Workaround:
You can rotate the log file, using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.


618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.


618430-2 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs


618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
If the debug option is enabled in dedicated mode, a node.js process can sometimes be allocated a port that is already in use, which prevents it from starting.
By design every process is guaranteed a debug port in the configured range as long as enough ports are available in the system; in-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
Some of the ports in the configured debug port range are already in use.

Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.

Workaround:
Check the netstat output and set debug-port-range-low to a higher value (e.g. 10000 or above) to minimise the chance of a port conflict.


618421 : Some mass storage is left un-used

Component: TMOS

Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or software. In some conditions, about 10% of the mass storage capacity is not made available for application data.

Conditions:
This occurs on the BIG-IP i-Series platforms.

Impact:
Applications that use a lot of storage may not function optimally.

Fix:
The storage is optimally reallocated.


618404-1 : Access Profile copying can produce an invalid copy for certain series of names.

Component: Access Policy Manager

Symptoms:
After copying an access policy, you receive an error when trying to open the copy: "Unable to load accessPolicy '/Common/my_policy_access_1_1' from source."

Conditions:
Items with names ending in patterns such as _#_#_1 and _#_#_2 exist, so the _# suffix reduction logic is applied during the copy.

Impact:
Unable to copy policy properly.

Workaround:
Export policy, import with reuse.

Fix:
Copying is fixed for these conditions.


618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.


618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
After upgrading from OPSWAT SDK V3 to V4, opening an Access Policy in the VPE displays "Any" for an OPSWAT checker (e.g. the Anti-Virus checker) that contains an Undefined ID (one that was previously defined but is no longer supported). The correct display would be "Unsupported" or "Invalid" product.

Conditions:
Upgrade from OPSWAT SDK V3 to V4 with an access policy whose OPSWAT checker references an ID that is no longer supported.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
The undefined ID is now displayed as Invalid.


618306-2 : TMM vulnerability CVE-2016-9247

Vulnerability Solution Article: K33500120


618263-1 : OpenSSL vulnerability CVE-2016-2182

Vulnerability Solution Article: K01276005


618261-6 : OpenSSL vulnerability CVE-2016-2182

Vulnerability Solution Article: K01276005


618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
Customers may experience connectivity failure in situations where sideband communication is required as part of the transaction.

Conditions:
BIG-IP has an http-explicit configuration where a sideband connection is required, for example to obtain an OCSP response or a DNS resolver response, and those services are associated with a non-zero route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.


618170-3 : Some URL unwrapping functions can behave incorrectly

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.

Conditions:
JavaScript with "location.pathname"-like fields on the right side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.

Fix:
Fixed.


617986-2 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd increases until the OOM killer terminates snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address

Impact:
SNMP is disrupted while snmpd restarts.

Workaround:
No workaround

Fix:
Fixed memory leaks.


617901-1 : GUI to handle file path manipulation to prevent GUI instability.

Component: TMOS

Symptoms:
Request file path may be incorrectly processed

Conditions:
Authenticated administrative user makes a GUI request

Impact:
The GUI becomes unstable because it cannot process the request.

Fix:
Redirect the user to a No Access page.


617862-2 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: the TCP handshake no longer times out prematurely, but connections remain open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions that might occur.


617858-2 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.


617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.


617688 : Encryption is not activated unless "real-time encryption" is selected

Component: Fraud Protection Services

Symptoms:
Encryption is not activated as expected

Conditions:
Encryption enabled
Real-time encryption disabled

Impact:
An encryption error alert is received by the alert server.

Workaround:
Enable "real-time encryption"

Fix:
Encryption on submit is now supported correctly.


617648 : Surfing with IE8 sometimes results with script error

Component: Fraud Protection Services

Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.

Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.

Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.

Workaround:
Reduce the number of malware signatures

Fix:
Malware signatures are now compressed.


617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature
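
Added example, not part of this release note: a small Python check that recovers the true signed temperature from the Gauge32 value shown above, for use in a monitoring script on a system that does not yet carry the fix. It treats any Gauge32 reading above 2^31 - 1 as a negative int32 that was wrapped into an unsigned 32-bit field, which is safe only because no blade temperature can legitimately reach that range. The OID index and the snmpwalk line are taken from the output above; the second sample line and the parsing helper's assumed output shape are constructed for the example.

```python
from typing import Dict, Tuple

# Added example (not F5 code): undo the uint32 wrap that turns -51 C into 4294967245.

GAUGE32_MAX = 2**32 - 1


def gauge32_to_signed(value: int) -> int:
    """Reinterpret an unsigned 32-bit SNMP Gauge32 as a two's-complement int32.

    The release note shows -48 C being reported as a large positive value; the
    snmpwalk line above carries 4294967245, i.e. a -51 C sample taken a moment
    later. Any value at or above 2**31 is impossible for a temperature and is
    treated as a wrapped negative number.
    """
    if not 0 <= value <= GAUGE32_MAX:
        raise ValueError(f"not a Gauge32 value: {value}")
    return value - 2**32 if value >= 2**31 else value


def parse_snmpwalk_line(line: str) -> Tuple[str, int]:
    """Parse one snmpwalk line of the assumed form
    'F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245'
    and return (instance index, corrected temperature in degrees C)."""
    lhs, rhs = line.split(" = ", 1)
    kind, raw = rhs.split(": ", 1)
    if kind != "Gauge32":
        raise ValueError(f"unexpected SNMP type {kind!r}")
    index = lhs.rsplit("sysBladeTempTemperature.", 1)[1]
    return index, gauge32_to_signed(int(raw))


def corrected_temperatures(walk_output: str) -> Dict[str, int]:
    """Map every sysBladeTempTemperature instance in snmpwalk output to its signed value."""
    return dict(parse_snmpwalk_line(l) for l in walk_output.splitlines() if l.strip())


# Constructed sample: the line from the release note plus one ordinary reading.
SAMPLE_WALK = """\
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.1.1 = Gauge32: 19
"""

if __name__ == "__main__":
    for idx, temp in corrected_temperatures(SAMPLE_WALK).items():
        print(f"sysBladeTempTemperature.{idx}: {temp} C")
```

Apply the same reinterpretation only to this OID (or to any other sensor OID you have confirmed exhibits the wrap); for ordinary counters a value above 2^31 is legitimate and must not be sign-corrected.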


617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure

Component: TMOS

Symptoms:
In TMSH, when saving the AAM configuration, TMSH removes the value from a matching rule. This corrupts bigip.conf and causes the system configuration load to fail, with the following error in /var/log/ltm:

01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.

Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved

Impact:
TMSH fails to load system configuration file.

Before the configuration save the policy would look like this:
matching {
  path {
    values {
      / { }
    }
  }
}

After the save it is converted to
matching {
  path { }
}

Workaround:
None.

Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.


617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases the minifier may incorrectly process the HTML code and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevents TMM from crashing for this reason.


617310-2 : Edge client can fail to upgrade when Always Connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.


617229-1 : Local policy rule descriptions disappear when policy is re-saved

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.

Fix:
Local policy rule descriptions now remain visible when policy is re-saved.


617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If the APM server uses an untrusted SSL certificate, or is accessed by IP address, CustomDialer refuses access and there is no prompt to confirm the security warning.

Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN

Impact:
VPN connection can't be established

Workaround:
Use valid SSL certificate on APM or add particular invalid certificate to trusted store on Windows

Fix:
CustomDialer now warns the user about the invalid certificate and allows the user to proceed with it. Proceeding past the warning accepts a certificate the client cannot validate, so deploying a valid certificate on the APM server remains the preferred configuration.


617124 : Cannot map hardware type (12) to HardwareType enumeration

Component: TMOS

Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.

Conditions:
This is reproducible under all conditions.

Impact:
iControl-SOAP crashes when this call is made.

Workaround:
Do not call SystemInfo::get_hardware_information().

Fix:
Calling this method no longer leads to a crash.


617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.

Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.


617014-3 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm cores when using PEM with cloning of monitored traffic.

Conditions:
Using PEM with iRules and cloning traffic

Impact:
Traffic disrupted while tmm restarts.

Fix:
The problem with PEM and cloning traffic via iRule has been corrected.


617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
Correctly handle response analytics for these URLs and do not send resets to the client.


616918-1 : BMC version 2.50.3 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


616864-1 : BIND vulnerability CVE-2016-2776

Component: TMOS

Symptoms:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Conditions:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Impact:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Fix:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html


616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
Adding a custom parameter to a Citrix Resource gives a parser error such as the following:

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
A Citrix resource with a custom parameter name containing a hyphen character.

Impact:
Custom parameter names cannot contain a hyphen character.

Workaround:
None

Fix:
Custom parameter names containing a hyphen character are now accepted.


616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with an unhelpful error message and no indication of which file was being processed at the time, or that the error relates to a filestore file.

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
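
Added example, not part of this release note: a Python helper that finds key files beginning with blank lines and strips them, so the check can be run against a copy of the filestore before an upgrade rather than discovered through the basic_string::compare error afterwards. Only files that hold an encrypted key (a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a legacy key with a Proc-Type: 4,ENCRYPTED header) are reported, since the release note ties the failure to encrypted keys. The default scan root /config/filestore/files_d and the sample key bytes are assumptions made for the example.

```python
import sys
from pathlib import Path
from typing import Iterator

# Added example (not F5 code): detect and repair PEM key files whose first line is blank.


def leading_blank_lines(data: bytes) -> int:
    """Number of whitespace-only lines before the first non-blank line."""
    count = 0
    for line in data.splitlines(keepends=True):
        if line.strip():
            break
        count += 1
    return count


def strip_leading_blank_lines(data: bytes) -> bytes:
    """Return data without its leading whitespace-only lines; everything else is byte-identical."""
    lines = data.splitlines(keepends=True)
    return b"".join(lines[leading_blank_lines(data):])


def is_encrypted_pem_key(data: bytes) -> bool:
    """True for a PKCS#8 encrypted key or a legacy PEM key carrying Proc-Type: 4,ENCRYPTED."""
    head = data.lstrip()[:256]
    return head.startswith(b"-----BEGIN ENCRYPTED PRIVATE KEY-----") or (
        head.startswith(b"-----BEGIN") and b"Proc-Type: 4,ENCRYPTED" in head
    )


def find_affected_keys(root: Path) -> Iterator[Path]:
    """Yield files under root that hold an encrypted key and start with a blank line."""
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            if leading_blank_lines(data) and is_encrypted_pem_key(data):
                yield p


def repair_key_file(p: Path) -> bool:
    """Rewrite p in place without its leading blank lines; returns True if it changed.
    write_bytes truncates the existing file, so the inode and mode bits are kept."""
    data = p.read_bytes()
    fixed = strip_leading_blank_lines(data)
    if fixed == data:
        return False
    p.write_bytes(fixed)
    return True


# Constructed sample: a legacy encrypted key header preceded by one blank line.
# The ciphertext body is a placeholder, not real key material.
SAMPLE_BAD_KEY = (
    b"\n-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    b"(ciphertext lines omitted in this constructed sample)\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Assumed default scan root; pass another directory as the first argument.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/config/filestore/files_d")
    for key in find_affected_keys(root):
        print("fixed" if repair_key_file(key) else "unchanged", key)
```

Run it first against a copy of the filestore (or with repair_key_file removed from the loop) to see what would change; the filestore is the authoritative copy of these objects, so take a UCS archive before editing it in place.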


616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
A) Restarting the asm_config_server.pl process, or restarting ASM usually clears up the issue.

B) Run "umask 0022" on the device

C) Download the file from the shell.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.


616059-1 : Modifying license.maxcores Not Allowed Error

Component: TMOS

Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.

Impact:
The device group fails to sync.

Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.

Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.


616022-2 : The BIG-IP monitor process fails to process timeout conditions

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.

Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.


615970-1 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".

Fix:
The SSO logging level of "Debug" no longer causes failover.


615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf' (note that FINE logging increases the volume of restjavad log output):

Before:
.level=INFO
After:
.level=FINE

Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.


615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.

Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.


615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.

Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
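
Added example, not part of this release note: Python parsing logic for the 011e0001 rate-limit message in both the pre-fix and post-fix formats shown above, counting events per traffic group so that limiting confined to one traffic group (the symptom of this issue) stands out. Lines in the old format carry no traffic group and are counted as unknown. The timestamps, hostname and the unrelated mcpd line in the sample log are constructed; the message bodies are those from the release note.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Added example (not F5 code): parse "Limiting ... packets/sec" messages from /var/log/ltm.

RATE_LIMIT_RE = re.compile(
    r"tmm\[(?P<pid>\d+)\]: 011e0001:4: Limiting (?P<kind>.+?) response "
    r"from (?P<observed>\d+) to (?P<limit>\d+) packets/sec"
    r"(?: for traffic group (?P<traffic_group>\S+?))?\.$"
)


def parse_rate_limit(line: str) -> Optional[dict]:
    """Return the fields of one 011e0001 log line, or None for any other line.

    traffic_group is None for the pre-fix message format, which cannot say
    which traffic group was being limited.
    """
    m = RATE_LIMIT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("pid", "observed", "limit"):
        event[key] = int(event[key])
    return event


def limited_per_traffic_group(lines: Iterable[str]) -> Counter:
    """Count rate-limit events per traffic group; old-format lines land under '(unknown)'."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_rate_limit(line)
        if event:
            counts[event["traffic_group"] or "(unknown)"] += 1
    return counts


# Constructed sample log: one old-format line, two new-format lines, one unrelated line.
SAMPLE_LTM_LOG = """\
Oct  3 10:45:59 bigip1 warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Oct  3 10:46:00 bigip1 warning tmm[19109]: 011e0001:4: Limiting icmp unreach response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
Oct  3 10:46:01 bigip1 warning tmm[19109]: 011e0001:4: Limiting closed port RST response from 300 to 250 packets/sec for traffic group /Common/traffic-group-2.
Oct  3 10:46:02 bigip1 notice mcpd[5000]: 01070734:3: unrelated message
""".splitlines()

if __name__ == "__main__":
    for tg, n in limited_per_traffic_group(SAMPLE_LTM_LOG).items():
        print(f"{tg}: {n} rate-limit event(s)")
```

On a fixed system, a traffic group that appears in these messages while the others do not, at a rate close to the tm.maxrejectrate value, is the pattern this issue describes; a genuine flood shows the observed rate well above the limit.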


615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".

Fix:
"Matchregion" returns the correct value under all conditions.


615267-2 : OpenSSL vulnerability CVE-2016-2183

Vulnerability Solution Article: K13167034


615254-2 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If access policy has multiple network resources with application launch configured, applications will launch only from first network resource.

Conditions:
Multiple Network access resources are configured with application launch.

Impact:
Applications will launch only from the first network resource and will not launch for other network resources.

Workaround:
Launch applications manually after VPN is established.

Fix:
Applications from all network resources are now detected and launched correctly.


615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual before reaching the external network, the selected SNAT address may be inappropriate for the egress vlan.

Conditions:
APM configuration with VDI functionality enabled and additional virtual matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtuals before reaching the external network.


615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Commands issued from the AOM/SCCP menu to the host do not function, or a password is required when using SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.

Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).


614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.

Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.


614865-5 : Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
The overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly, and these calls no longer produce errors.


614766-1 : lsusb uses unknown ioctl and spams kernel logs

Component: TMOS

Symptoms:
The RHEL6 version of lsusb and the associated libusb1 libraries use an ioctl that is not properly supported by the kernel in the 32-bit syscall path.

Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.

Impact:
Spamming of kernel logs.

Workaround:
None.

Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.


614563-3 : AVR TPS calculation is inaccurate

Component: Advanced Firewall Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.


614530-2 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.

Fix:
ECMP routes are correctly added to the Linux host.


614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.

Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.


614296-1 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue, the dynamic routing protocol daemon ripd, used for the RIP protocol, may produce a core file when it is configured to use an interface with multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN.
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd cores and the configuration is not allowed.

Workaround:
Configure one subnet/self IP address per VLAN.

Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.


614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This always happens in the packet receive hotpath.

Impact:
No impact. Without this fix, BIG-IP could have a 0.5% (hard to measure) performance impact.

Workaround:
No workaround.

Fix:
Made an optimization to the packet receive hotpath.


614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module.

Conditions:
ASM is licensed as the main active module.

Impact:
ASM is not available in LTM policy rule creation.

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.

Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.


614147-1 : SOCKS proxy defect resolution

Component: Local Traffic Manager

Symptoms:
Internal F5 code review found potential errors.

Conditions:
Virtual server configured with SOCKS proxy.

Impact:
Erroneous behavior of the SOCKS proxy.

Fix:
Resolved issues found in SOCKS proxy.


614097-1 : HTTP Explicit proxy defect resolution

Component: Local Traffic Manager

Symptoms:
Internal F5 code review found potential errors.

Conditions:
Virtual server configured with HTTP Explicit proxy.

Impact:
Erroneous behavior of the HTTP Explicit proxy.

Fix:
Resolved issues found in HTTP Explicit proxy.


613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Component: TMOS

Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.

Impact:
Degraded user experience while waiting for the extra logic, and a misleading error in the logs.

Workaround:
None.

Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.


613671-2 : Error in the console when a nonexistent parameter is configured with Encryption and Obfuscation

Component: Fraud Protection Services

Symptoms:
Incorrect handling of a nonexistent parameter configured with Encryption and Obfuscation.

Conditions:
A nonexistent parameter is configured with Encryption and Obfuscation.

Impact:
Error in the console.

Fix:
Nonexistent parameters are now ignored.


613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application cannot work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and a tag with id=action inside are handled correctly.


613576-1 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 whose license contains the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all links from the configuration or install this hotfix.


613536-5 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.


613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Some non-common browsers may be blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain on a blank page while the request is not sent to the back-end server.

Conditions:
Proactive Bot Defense enabled on the DoS profile.

Impact:
In rare cases, some non-common browsers may be blocked.

Workaround:
None.

Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.


613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in its name to a DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.

Fix:
Fixed an issue preventing wide IPs from being assigned to BIG-IP DNS distributed apps when those wide IPs have a wildcard character in their name.


613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation.

Workaround:
If such a policy has already been exported, only manual manipulation allows it to be imported again.

Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.


613369-4 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable.

Fix:
Properly acknowledge half-open TCP connections.


613326-1 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
-- Inability to handle many hundreds of workgroups/workloads.

Conditions:
Using a SASP monitor from a version earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.

Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.

When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.

The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.


613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual server is created using the default generic message profile, the first packet received produces an infinite number of messages and overflows the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero-byte message separator pattern. When traffic is received, this causes the parser to create an infinite number of empty messages and overflow the system.

Impact:
The infinite number of messages causes an internal panic, producing a core. Traffic is disrupted while tmm restarts.

Workaround:
Each use of the generic message profile should either provide a separator pattern or disable the internal parser.

Fix:
In this release, the system automatically disables the internal parser if no separator is provided. A virtual server created using the default generic message profile therefore no longer produces an infinite number of messages and overflows the internal buffers when the first packet is received.
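The failure mode described in this entry, a framing parser given an empty separator that never consumes any input, in an added Python illustration that is not BIG-IP code: naive_split models the unguarded loop (with an iteration cap so the demonstration terminates), split_messages refuses an empty pattern outright, and frame_with_profile models the fixed behaviour of disabling the parser when no separator is supplied. The function names and the modelled parser are assumptions; the sample buffers are constructed.

```python
"""Message framing by a separator pattern, as a model of a generic message
profile's internal parser.  Added illustration, not BIG-IP code."""
from typing import List, Tuple


class EmptySeparatorError(ValueError):
    """Raised when a framing parser is asked to split on an empty pattern."""


def naive_split(buf: bytes, separator: bytes,
                iteration_cap: int = 1000) -> Tuple[int, List[bytes]]:
    """Framing loop with no guard on the separator.

    With a non-empty separator it behaves normally.  With an empty
    separator, bytes.find() returns 0 on every call, the buffer never
    shrinks, and the loop emits empty messages until the cap stops it
    (a real parser with no cap would never return).  Returns the number
    of iterations run and the messages produced.
    """
    messages: List[bytes] = []
    iterations = 0
    while iterations < iteration_cap:
        idx = buf.find(separator)
        if idx < 0:
            break
        messages.append(buf[:idx])
        buf = buf[idx + len(separator):]
        iterations += 1
    return iterations, messages


def split_messages(buf: bytes, separator: bytes) -> Tuple[List[bytes], bytes]:
    """Guarded framing: refuses an empty separator before touching the data.

    Returns (complete messages, unconsumed remainder).
    """
    if not separator:
        raise EmptySeparatorError("message separator pattern must be non-empty")
    messages: List[bytes] = []
    while True:
        idx = buf.find(separator)
        if idx < 0:
            return messages, buf
        messages.append(buf[:idx])
        buf = buf[idx + len(separator):]


def frame_with_profile(buf: bytes, parser_enabled: bool,
                       separator: bytes) -> Tuple[List[bytes], bytes]:
    """Model of the fixed behaviour: if the profile enables the parser but
    supplies no separator, the parser is treated as disabled and the whole
    buffer is delivered as a single message."""
    if parser_enabled and separator:
        return split_messages(buf, separator)
    # Parser disabled, explicitly or because no separator was provided:
    # hand the data through unframed.
    return ([buf], b"") if buf else ([], b"")


if __name__ == "__main__":
    # Constructed sample input, not captured traffic.
    iterations, msgs = naive_split(b"hello", b"")
    print(f"unguarded loop ran {iterations} times and produced {len(msgs)} empty messages")
    print(frame_with_profile(b"msg1\r\nmsg2\r\npartial", True, b"\r\n"))
    print(frame_with_profile(b"msg1\r\nmsg2\r\npartial", True, b""))
```

The guard in split_messages is the check a practitioner would want in any length- or delimiter-framed parser: validate the framing configuration once, before the receive loop, rather than discovering a non-advancing pattern under traffic.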


613282-2 : NodeJS vulnerability CVE-2016-2086

Vulnerability Solution Article: K15311661


613225-7 : OpenSSL vulnerability CVE-2016-6306

Vulnerability Solution Article: K90492697


613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Vulnerability Solution Article: K46514822


613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.

Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.


613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With Safenet 6.2, creating a key using the GUI may hang and time out. The GUI eventually quits with an error message.

Conditions:
Installing the Safenet 6.2 client and attempting to create a netHSM key from the GUI.

Impact:
netHSM key creation fails and the GUI hangs.

Workaround:
You can use the corresponding tmsh command to create the key.

Fix:
The netHSM key wait time has been increased, and you can now create a netHSM key using the GUI.


613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.


612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revision, it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW earlier than 2.7.14.

Impact:
Incomplete PSU FW revision.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.


612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules with FLOW_INIT actions. iRules for other stages do not cause this problem.

Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled correctly in a specific scenario; this has been corrected.


612809-1 : Bootup script fails to run on a vCMP guest due to a missing reference file.

Component: TMOS

Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run, and sod spams the log.

Conditions:
Startup in a vCMP guest.

Impact:
vCMP guests show dbg_echo-related errors in /var/log/boot.log.

Workaround:
Disable the sys db variable "failover.usetty01" and restart sod.

If you cannot restart sod at the moment, apply a filter with no publisher that matches message-id 012a0003:
    sys log-config filter no-serial-failover-logs {
        message-id 012a0003
    }

Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.


612769-1 : Added better search capabilities on the Pool Members Manage page.

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members the GUI was not making it easy to search for them. The combobox was only allowing for searches that matched the beginning of the pool member's name.

Conditions:
Have more than a few potential pool members.

Impact:
Frustrating user experience.

Workaround:
No workaround.

Fix:
Added better search capabilities on the Pool Members Manage page.


612694-5 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.

Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.


612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
Remove the sentinel file /appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol and reboot.


612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround, but it is a relatively slow leak. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


612229-1 : TMM may crash if an LTM policy disable action for 'LTM Policy' is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- A disable action for 'LTM Policy' is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.


612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
Configuring a virtual server with a generic message profile but without a message routing profile causes a core when a packet is received by the virtual server.

Conditions:
A virtual server configured with a generic message profile but without a message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.

Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.


612040-4 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.


611968-3 : JavaScript active content on an HTML page browsed by IE8 with a significant number of links (>1000) can run very slowly

Component: Access Policy Manager

Symptoms:
JavaScript active content on an HTML page browsed by IE8 with a significant number of links (>1000) can run very slowly.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.

Impact:
Web application performance slowdown.

Workaround:
None

Fix:
Fixed.


611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle.
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on the source device and sync the policy.

Import the custom certificate bundle to all devices.

Replace the built-in certificate bundle with the custom one in the policy.

Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.


611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
The Mac Edge Client's icon, application name, company name, and other attributes can be customized on BIG-IP before deployment to end users' machines. On macOS 10.12 Sierra, however, this customization is not applied to the Mac Edge Client.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there is no impact, except that the user sees the default application appearance.

Workaround:
Run the following command in Terminal and relaunch the Edge client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

Fix:
Edge client honors customization on macOS Sierra 10.12 now.


611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
When using 'less': Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
Admin user configured with the tmsh shell.

Impact:
The admin user cannot use the less command from the shell.

Workaround:
Configure the admin user to use the bash shell.


611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is the same as the name of the AWS autoscaling group attached to it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.

Fix:
Choose different names for the pool in BIG-IP and the autoscaling group in AWS to correctly configure pool member autoscaling in BIG-IP.


611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, and one or more vCMP guests enabled that use that VLAN.

Impact:
Because heartbeat messages sent over IPv6 link-local addresses continue to pass successfully from host to guest, VLAN failsafe does not trigger if a downstream router or switch connected to the VLAN goes down.

Workaround:
If possible, disabling IPv6 on the host allows VLAN failsafe to work as expected.


611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Vulnerability Solution Article: K95444512


611467-3 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A client using broadcast for DHCP renewal indicates that it did not get an ACK from the DHCP server when it used unicast to talk to the server directly. The most likely reason is that the server's routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring the DHCP server's routing table so that it knows how to send DHCP ACKs to the client.


611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it were 'Add All Entities'.

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There is no suggestion to add the /index.html URL, since the learning mode on the "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there is a suggestion to add the /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is a suggestion to add the /index.html URL when there should be none, since the wildcard is now in 'Never' mode.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never", press "Save", then set it back to "Add All Entities" and press "Save" again.

Fix:
Setting "Learn Explicit Entities" to 'Never' now works as expected.


611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms

Component: TMOS

Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received

Conditions:
This can be seen on BIG-IP iSeries platforms.

Impact:
This error message is benign and can be safely ignored.

Workaround:
N/A

Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.


611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torn down

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
The mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.

Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.


611240-3 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for securid authentication might fail if the profile had already been used for authentication at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authentication with a securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse), or reuse import when a securid server of the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create the aaa securid server under the same name.
3. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.

Fix:
It is now possible to successfully export and then import a profile using securid in any state.


611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs and the generated ARP requests are not answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers when it should not have.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.


611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned.
ASM policy is case-insensitive.
JSON profile with a sensitive parameter containing an upper-case character.

Impact:
No data masking for a JSON sensitive parameter.

Workaround:
N/A

Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.
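The masking behaviour this entry describes, as an added Python illustration that is not ASM code: mask_json_buggy models the defect (a case-insensitive policy normalises the configured names to lower case while JSON keys are compared as sent, so a configured "Password" never matches), and mask_json_fixed models the fix of matching JSON parameter names case-sensitively regardless of the policy setting. The internal mechanism modelled, the function names and the sample request body are all assumptions or constructed.

```python
"""Masking sensitive JSON parameters by name: a model of the case-handling
defect beside its fixed form.  Added illustration, not ASM code; the
mechanism it models (a case-insensitive policy lower-casing the configured
names while JSON keys are compared as sent) is an assumption."""
import json
from typing import Any, Callable, Iterable, Set

MASK = "********"


def _mask_tree(node: Any, is_sensitive: Callable[[str], bool]) -> Any:
    """Recursively copy a parsed JSON tree, replacing the value of every
    object member whose key is_sensitive() accepts.  Arrays are walked so
    objects nested inside them are covered too."""
    if isinstance(node, dict):
        return {k: (MASK if is_sensitive(k) else _mask_tree(v, is_sensitive))
                for k, v in node.items()}
    if isinstance(node, list):
        return [_mask_tree(item, is_sensitive) for item in node]
    return node


def mask_json_buggy(body: str, sensitive: Iterable[str],
                    policy_case_insensitive: bool) -> str:
    """Model of the defect: under a case-insensitive policy the configured
    names are normalised to lower case, but the JSON keys are compared as
    sent, so a configured "Password" never matches the key "Password"."""
    names: Set[str] = ({n.lower() for n in sensitive} if policy_case_insensitive
                       else set(sensitive))
    return json.dumps(_mask_tree(json.loads(body), lambda k: k in names))


def mask_json_fixed(body: str, sensitive: Iterable[str],
                    policy_case_insensitive: bool) -> str:
    """Fixed form: JSON parameter names are always matched case-sensitively,
    exactly as configured, whatever the policy's case-sensitivity setting."""
    del policy_case_insensitive  # deliberately ignored for JSON parameters
    names: Set[str] = set(sensitive)
    return json.dumps(_mask_tree(json.loads(body), lambda k: k in names))


def field(masked_body: str, *path: Any) -> Any:
    """Fetch a value from a masked JSON body by key/index path."""
    node = json.loads(masked_body)
    for step in path:
        node = node[step]
    return node


# Constructed sample request body (not captured traffic).
SAMPLE_BODY = json.dumps({
    "user": "alice",
    "Password": "hunter2",
    "session": {"token": "abc123", "password": "lower-case-copy"},
    "history": [{"Password": "old-one"}],
})

if __name__ == "__main__":
    print("buggy:", mask_json_buggy(SAMPLE_BODY, ["Password", "token"], True))
    print("fixed:", mask_json_fixed(SAMPLE_BODY, ["Password", "token"], True))
```

The check a practitioner would run after configuring a sensitive parameter is the one in __main__: send a request whose key uses the exact configured spelling and confirm the value is masked in the log or request view, since a name normalised on only one side of the comparison fails silently rather than with an error.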


610897-2 : FPS-generated request failure throws an "unspecified error" in old IE.

Component: Fraud Protection Services

Symptoms:
If an FPS-generated request is sent and fails in old IE, it throws an "unspecified error".

Conditions:
An FPS-generated request is sent and fails in old IE.

Impact:
The browser shows an error message in the bottom left corner.

Workaround:
N/A

Fix:
N/A


610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Advanced Firewall Manager

Symptoms:
When a selenium client webdriver is detected running a Chrome or Firefox browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot running a selenium Chrome or Firefox webdriver is not mitigated by the DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Adjusted scoring for selenium detection to trigger a CAPTCHA upon an attempt to access a website without the TSPD101 cookie (usually upon accessing a website's first page).


610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and a virtual server is assigned either a DoS application profile with Device ID mitigation configured or an ASM policy with Web Scraping and FingerPrint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled

Fix:
The JavaScript slowness bottleneck is font collection; to improve performance, the number of fonts was reduced from 300 to 50. If you want to eliminate the slowness of font collection entirely, a new sys db variable has been added: tmsh list sys db dosl7.fp_fonts_enable. Note that eliminating font collection for the fingerprint can reduce its entropy.


610609-3 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
When looking at total connections for the active BIG-IP using bigtop or SNMP, the connection count is reported too high. For example, if you send a single connection through BIG-IP, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}


610429-5 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields


610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating to the highest safe protocol available, which is TLSv1.2.

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).


610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with a segmentation fault when it drops packets on its internal loopback interface. TMM needs to update the interface stats associated with the loopback interface when dropping packets on that interface, but the interface stats object for the loopback interface has not yet been allocated. That results in a segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.


610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.


610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.


610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might show the throughput data for "mylink".

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.

Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.
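The following is an added illustration, not F5's code: it reproduces the prefix-match misattribution described in this entry in plain Python, shows the exact-match lookup that avoids it, and adds a configuration check for the workaround condition (a link name that is a prefix of another link name). The link names and throughput values are constructed samples.

```python
"""Added example, not F5's code: prefix-match misattribution of link
throughput data, the exact-match lookup that avoids it, and a check that
flags link names which are prefixes of other link names."""

from typing import Dict, List, Tuple

# Constructed throughput samples (bits per second) keyed by link name.
SAMPLES: Dict[str, int] = {
    "mylink": 1_000_000,
    "mylink2": 250_000,
    "uplink": 5_000_000,
}


def lookup_throughput_prefix(link: str, samples: Dict[str, int]) -> int:
    """Defective lookup: returns the first stored record whose name is a
    prefix of the requested link name. With "mylink" and "mylink2" both
    present, the graph for "mylink2" receives the data for "mylink"."""
    for name in sorted(samples):          # deterministic scan order
        if link.startswith(name):
            return samples[name]
    raise KeyError(link)


def lookup_throughput_exact(link: str, samples: Dict[str, int]) -> int:
    """Corrected lookup: the stored record name must equal the link name."""
    return samples[link]


def prefix_collisions(names: List[str]) -> List[Tuple[str, str]]:
    """Return (shorter, longer) pairs where one link name is a proper prefix
    of another. A non-empty result means the configuration hits the bug on
    unfixed builds, and the data already stored for the longer name is suspect."""
    found = []
    for shorter in names:
        for longer in names:
            if shorter != longer and longer.startswith(shorter):
                found.append((shorter, longer))
    return sorted(found)


if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "prefix-match:", lookup_throughput_prefix(link, SAMPLES),
              "exact-match:", lookup_throughput_exact(link, SAMPLES))
    print("prefix collisions:", prefix_collisions(list(SAMPLES)))
```

Run prefix_collisions over the link names from a configuration before the fix is installed; any pair it reports marks historical throughput data that should be treated as unreliable, since the fix does not correct data gathered earlier.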


610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Component: TMOS

Symptoms:
In some scenarios on VE platforms TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BigIP VE with performance limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic: "Unexpected backplane address" in /var/log/tmm log files. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP.


610273-3 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.


610255-1 : CMI improvement

Component: TMOS

Symptoms:
CMI has been hardened to increase security.

Conditions:
CMI is configured.

Impact:
CMI does not comply with hardened design standards.

Fix:
In hardened versions of the BIG-IP, the security of CMI is improved.


610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.


610180-2 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML SP, and SLO is not properly configured on the associated saml-idp-connector objects, IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory.

Workaround:
There are two possible workarounds:
- Fix the misconfiguration: configure SLO correctly by adding a value to the 'single-logout-response-uri' property of the IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.


610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Component: Advanced Firewall Manager

Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to individual blades, but instead assigns a cluster management IP address list to the cluster of blades, the configuration load will fail. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.

Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.


609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
With PCP configured and enabled with an lsn-pool in deterministic mode.

Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.


609691-1 : GnuPG vulnerability CVE-2014-4617

Vulnerability Solution Article: K21284031


609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the /var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The /var/log/ltm log file no longer contains benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.


609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside CLIENTSSL_SERVERHELLO_SEND are executed only for full handshakes, not for abbreviated handshakes. Any logic that must run once per SSL connection should therefore not be placed inside the CLIENTSSL_SERVERHELLO_SEND event, since it is not reliably raised for all handshake types.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.


609614-3 : Yafuflash 4.25 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


609575-5 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a SIP profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP treats the packet as unforwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".


609499-1 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.

Fix:
Compiled signature collections memory usage was consolidated and reduced.


609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.


609328-3 : SIP parser incorrectly parses empty header

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).

Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.
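As an added illustration (not F5's SIP parser), the minimal header parser below reproduces the empty-header defect described in this entry beside the corrected behaviour, and applies the Max-Forwards handling described in 609575-5 (a missing header is treated as 0, meaning "do not forward") so the consequence of the swallowed header is visible. The SIP message is a constructed sample.

```python
"""Added example, not F5's SIP parser: an empty header value swallowing the
next header line (buggy=True) beside the corrected behaviour (buggy=False),
plus the forwarding decision that depends on the swallowed Max-Forwards."""

from typing import Dict, Optional

# Constructed sample INVITE. "Subject:" is deliberately empty and is
# immediately followed by the Max-Forwards header that forwarding depends on.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Subject:\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip_headers(message: str, buggy: bool = False) -> Dict[str, str]:
    """Return {lower-cased header name: value} for the header block.

    buggy=True models the defect: an empty value does not end at its own
    line ending, so the next header line is consumed as the value.
    buggy=False is the corrected behaviour: a line ending always ends the value.
    """
    head, _sep, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]            # skip the request line
    headers: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        name, colon, value = lines[i].partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {lines[i]!r}")
        value = value.strip()
        if buggy and value == "" and i + 1 < len(lines):
            value = lines[i + 1].strip()      # defect: swallow the next line
            i += 1
        headers[name.strip().lower()] = value
        i += 1
    return headers


def max_forwards(message: str, buggy: bool = False) -> Optional[int]:
    """Max-Forwards as an int, or None if the header was not seen."""
    raw = parse_sip_headers(message, buggy=buggy).get("max-forwards")
    return int(raw) if raw is not None and raw.isdigit() else None


def is_forwardable(message: str, buggy: bool = False) -> bool:
    """Forwarding decision as described in 609575-5: a missing Max-Forwards
    header counts as 0, and 0 means the message is not forwarded."""
    hops = max_forwards(message, buggy=buggy)
    return (hops or 0) > 0


if __name__ == "__main__":
    for mode in (True, False):
        print("buggy" if mode else "fixed", parse_sip_headers(SAMPLE_INVITE, mode),
              "forwardable:", is_forwardable(SAMPLE_INVITE, mode))
```

With the defect, "Max-Forwards: 70" becomes the value of Subject, the Max-Forwards header is never seen, and the message is treated as unforwardable; with the corrected termination rule the empty Subject stays empty and Max-Forwards is read as 70.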


609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring) write messages to /var/log/ltm indicating that DDM is not supported; however, certain F5-branded SFP modules that do not support DDM do not write any message to the log.

Conditions:
Upon inserting the unsupported DDM SFP modules.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.


609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.


609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.


609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.


609114-1 : Add the ability to control dropping of alerts by before-load-function

Component: Fraud Protection Services

Symptoms:
Too many alerts prevent you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.

Conditions:
This can occur when enabling FPS would trigger a high number of alerts.

Impact:
FPS is disabled, or alerts are not categorized.

Fix:
Add before-load-function capability to drop alert on client.


609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.

Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.


609098-1 : Improve details of ajax failure

Component: Fraud Protection Services

Symptoms:
When an AJAX request fails, insufficient information is provided to debug the failure.

Conditions:
AJAX failure

Impact:
Difficult to diagnose the failure.

Workaround:
Not relevant

Fix:
Add information to alert about AJAX failure.


609095-1 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.


609084-2 : Max number of chunks not configurable above 1000 chunks

Component: Application Security Manager

Symptoms:
Requests larger than 1000 chunks are blocked, even if you want to support them, and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a maximum number of chunks greater than 1000. The default value is 1000.

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a maximum number of chunks greater than 1000. The default value is 1000.


609027-1 : TMM crashes when SSL forward proxy is enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when SSL forward proxy is enabled.

Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.

Impact:
Traffic disrupted while tmm restarts.

Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.


609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
When two client-side DHCP packets with the giaddr field set arrive, one with source port 67 and the other with source port 68 (which does not conform to the RFC, since a DHCP packet with giaddr set comes from a relay agent and should use source port 67), tmm crashes while logging the error message.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.


608941-1 : AAA RADIUS system authentication fails on IPv6 network

Component: Access Policy Manager

Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:

err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)

Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.

Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.


608826-1 : Greylist (bad actors list) is not cleaned when attack ends

Component: Anomaly Detection Services

Symptoms:
When an attack ends, the greylist (detected bad actors) remains until the timeout expires.

Conditions:
Detected bad actors and attack end.

Impact:
If a new attack starts before the greylist expiration time, greylist members will be mitigated even if they are not related to the current attack.

Workaround:
If necessary, the greylist can be cleared manually using the ipidr utility.

Fix:
Clear the greylist upon attack end.


608742-2 : DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.

Component: Policy Enforcement Manager

Symptoms:
When BIGIP is configured in Forwarding mode, the renewal ACK message from the server, sent in response to a unicast renewal message from a DHCP client, is dropped.

Conditions:
BIG-IP in forwarding mode. DHCP clients sending unicast renewal messages to the DHCP server.

Impact:
Unicast DHCP renewal requests are not acked. DHCP clients then send broadcast renewal messages, which are acked by the servers.

Workaround:
After failing to receive ACKs from the DHCP server for unicast DHCP renewal messages, the DHCP client sends broadcast DHCP renewal messages; these are acked by the DHCP server, and the ACKs are forwarded by BIGIP and received by the DHCP clients.


608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None

Fix:
Subscriber ID type is marked as NAI for DHCP discovered subscribers.


608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances, when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.

Fix:
The log message now shows the correct reference count.


608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.

Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, tmm does not crash.


608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use an SSL client that sends a clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.


608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, and policy learning speed goes down.

Workaround:
No workaround

Fix:
Fixed an issue with slow policy learning on heavily loaded systems.


608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.

Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.


608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following:
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.


608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.

Conditions:
iApp LX packages that depend on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
The iApp LX UCS save process has been updated to turn off automatic dependency generation by rpmbuild, so that iApp LX packages can be imported during UCS restore or upgrade.


608320-3 : iControl REST API sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exception to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


608304-1 : TMM crash on memory corruption

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.


608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Incorrect reporting in the local logging GUI.

Workaround:
N/A


608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During a DTLS handshake, unnecessary retransmissions of handshake messages may occur on VE platforms.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.


608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent's IP address by the relay agent, tmm may crash when active system connections are deleted from the CLI or via aging.

Conditions:
1) BIG-IP system in DHCP forwarding mode.
2) The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically it is set to 0 by the DHCP client).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually a DHCP relay agent will not modify a DHCP renewal packet to insert its own address as giaddr.


607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface; it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information, which may be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue; it does not affect the functionality of the currently configured interfaces.


607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.

Fix:
This release fixes a possible failed resumed DTLS handshake.


607724-2 : TMM may crash when in Fallback state.

Component: Local Traffic Manager

Symptoms:
There is a chance, when HTTP is in Fallback mode, that the HTTP filter will prematurely send an Abort event to the TCP filter (causing tear-down) while the abort triggered by the upper filter/proxy is still in progress.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.


607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
A SIP header contains multiple attribute separators (',' or ';') within an attribute.

Impact:
The SIP parser flags the message as an error. When the separators occur inside a quoted string within the attribute they should be allowed, but parsing still fails, so valid SIP messages fail to parse.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.
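The quoted-string handling described in this entry, as an added example (not F5's SIP parser): a tokenizer that treats ',' and ';' as separators only outside double quotes, with a constructed Contact-style value containing runs of separators inside the display name.

```python
"""Splitting a SIP header value on ',' and ';' while respecting quoted strings.

Added example, not F5's SIP parser. The entry above describes separators,
including runs of them, appearing inside a quoted display name; per RFC 3261
a quoted-string may contain such characters, so the tokenizer has to track
quote state and backslash escapes instead of splitting naively.
"""


def split_outside_quotes(value, separators=",;"):
    """Split `value` at any separator that is not inside double quotes.

    Empty tokens caused by adjacent separators outside quotes are dropped;
    separators inside quotes are kept verbatim.
    """
    tokens, current, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:                         # character after a backslash inside quotes
            current.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quotes = not in_quotes
        elif ch in separators and not in_quotes:
            if current:
                tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted string in SIP header value")
    if current:
        tokens.append("".join(current).strip())
    return [t for t in tokens if t]


def parse_header_value(value):
    """Parse a Contact/From style value into a list of (address, params) pairs.

    The value may hold several comma-separated addresses, each followed by
    ';'-separated parameters such as expires=3600 or q=0.8.
    """
    results = []
    for entry in split_outside_quotes(value, ","):
        parts = split_outside_quotes(entry, ";")
        if not parts:
            continue
        params = {}
        for p in parts[1:]:
            name, _, val = p.partition("=")
            params[name.strip().lower()] = val.strip()
        results.append((parts[0], params))
    return results


# Constructed sample: display names containing runs of ',' and ';' inside quotes,
# which is exactly the case that tripped the parser described above.
SAMPLE = ('"Smith,, John;;" <sip:john@example.com>;expires=3600, '
          '"Doe; Jane" <sip:jane@example.com>;q=0.8')

if __name__ == "__main__":
    for address, params in parse_header_value(SAMPLE):
        print(address, params)
```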


607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
The GUI locks up and becomes unresponsive. Most major web browsers will complain about slow JavaScript and prompt you to kill the script.

Conditions:
Managing an A-type GSLB pool when hundreds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.


607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from the client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.

Fix:
The original packet memory is now freed when the last DHCP server is down.


607360-5 : Safenet 6.2 library missing after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
A symbolic link to libgem is now added when the pkcs11d daemon starts or restarts.


607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508

Vulnerability Solution Article: K25075696


607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
A fix for bcm56xxd to notify mcpd that all ports become uninitialized before it goes down has been implemented.


607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large WebSocket frames are being sent by one endpoint and this transfer is interleaved with frames sent by the other endpoint, corrupted frames could be sent by the BIG-IP system.

Conditions:
A WebSocket profile is attached to the virtual server. Large WebSocket frames are sent by one endpoint, and this transfer is interleaved with frames sent in the other direction.

Impact:
Connection reset because corrupted frames are received by the endpoint.


606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
- The conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures, which may lead to a tmm core.

Fix:
Fixed the validation performed on parsed CMP flow keys, which now allows unknown CMP connections to be removed.


606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Advanced Firewall Manager

Symptoms:
When an end user accesses a website's first page, there is a noticeable latency before the page content arrives.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A

Fix:
The JavaScript has been improved as much as possible to reduce the time to get the website's first page.


606807-1 : i5x00, i7x00, i10x00 series appliances may use the sensor number instead of the name "LCD" when reporting an LCD health communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with the BIG-IP system when the chassis manager daemon starts, LCD errors will occasionally be displayed using the sensor number rather than the name "LCD".

Conditions:
chmand restarts while the LCD is unable to communicate.

Impact:
Cosmetic.

Fix:
The LCD error now shows the name "LCD" rather than the sensor number in the communication error.


606771-2 : Multiple PHP vulnerabilities

Vulnerability Solution Article: K35799130


606710-10 : Mozilla NSS vulnerability CVE-2016-2834

Vulnerability Solution Article: K15479471


606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response and manually detach the client side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system is configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.

Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.


606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous-open 4-way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4-way handshake (simultaneous open) occurs, as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4-way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.


606518-3 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.

Component: Device Management

Symptoms:
Cannot use a username containing an 'at' ( @ ) character, or specify an email address, when requesting an authentication token using iControl REST with a 3rd-party authentication provider.

Conditions:
Set up the BIG-IP system to use 3rd-party RADIUS or LDAP authentication, and configure a username containing an 'at' ( @ ) character or specify an email address.

Impact:
Cannot authenticate or get an authentication token using iControl REST.

Workaround:
Do not use usernames with special characters, such as 'at' ( @ ), period ( . ), and so on.

Fix:
Updated logic to allow any special characters in the username and password when a 3rd-party authentication system is used on the BIG-IP system.


606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of the vCMP guest control plane, so the vCMP guest no longer experiences potentially frequent failovers.


606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources

Component: Access Policy Manager

Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.

Conditions:
Use a customized webtop link.

Impact:
The webtop links page does not render correctly.

Fix:
Webtop page resources no longer send FIN flags with Keep-Alive headers.


606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading to a version later than 12.1.0, the default module for dataplane interfaces is UNIC instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.

Workaround:
None.

Fix:
The BIG-IP VE socket-based networking driver is now retained after upgrade on AWS or Azure.


606066-2 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.

Fix:
The LSN_DELETE message is no longer lost after failover.


605894-3 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of the BIG-IP system as a remotely authenticated user, login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", even though the LDAP server is up and accessible by the BIG-IP system.

Conditions:
Remote authentication is configured, users are configured to use remote authentication, ssl-check-peer is enabled, and one or more of these properties are set to something other than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert, and ssl-client-key to "none" works around this issue.


605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.


605627 : SELinux denial seen for apmd when it is shut down.

Component: Access Policy Manager

Symptoms:
When the apmd process is stopped, you observe an SELinux-related log entry indicating that the apmd process does not have the getattr permission for a shared memory component owned by tmm.

Conditions:
When apmd is stopped or restarted.

Impact:
No impact to apmd functionality. apmd stops and starts normally.


605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual server is configured with nat64 enabled and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
An lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64 and should not be configured.


605476-3 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory, which produces a core and causes the istatsd process to restart.

Impact:
The istatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged

Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.


605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes on repeated creation, modification, and deletion of many virtual servers with security log profiles attached.


605420-5 : httpd security update - CVE-2016-5387

Component: TMOS

Symptoms:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests.

Conditions:
None.

Impact:
A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

Workaround:
None.

Fix:
Install the latest build, which includes httpd-2.2.15-54.el6_8 or higher.
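The header-to-environment mapping this entry describes, as an added example (not F5's or httpd's code): the CGI convention turns a client-supplied Proxy header into HTTP_PROXY, and the hardened mapping drops that variable; a small check over constructed log lines flags requests that carry the header. The log format and all values are constructed for the example.

```python
"""Illustrates the CVE-2016-5387 ("httpoxy") pattern from the entry above.

Added example, not F5 or Apache httpd code. A CGI gateway derives environment
variables from request headers by upper-casing the header name, replacing '-'
with '_' and prefixing 'HTTP_'. A client-supplied 'Proxy' header therefore
becomes HTTP_PROXY, which some HTTP client libraries honour as an outbound
proxy setting. The fix is to never let a request header populate that name.
"""


def header_env_name(header_name):
    """RFC 3875 style: 'Proxy' -> 'HTTP_PROXY', 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


# Header-derived names that collide with outbound proxy configuration.
# HTTP_PROXY is the one this advisory concerns.
BLOCKED_ENV_NAMES = {"HTTP_PROXY"}


def cgi_env_from_headers(headers, hardened=True):
    """Build the CGI environment for a request from (name, value) header pairs.

    hardened=False reproduces the vulnerable mapping; hardened=True applies the
    mitigation of dropping header-derived variables in BLOCKED_ENV_NAMES.
    """
    env = {}
    for name, value in headers:
        env_name = header_env_name(name)
        if hardened and env_name in BLOCKED_ENV_NAMES:
            continue
        env[env_name] = value
    return env


def find_proxy_header_requests(log_lines):
    """Detection helper over a constructed log format "<request> | name: value | ...".

    Returns the lines whose header dump carries a client-supplied Proxy header
    (matched case-insensitively, since header names are case-insensitive).
    """
    hits = []
    for line in log_lines:
        for header in line.split(" | ")[1:]:
            name = header.split(":", 1)[0].strip().lower()
            if name == "proxy":
                hits.append(line)
                break
    return hits


# Constructed sample request headers; the proxy value is a placeholder.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "rogue-proxy.invalid:8080"),
]

# Constructed log lines in the format find_proxy_header_requests expects.
SAMPLE_LOG = [
    "GET /cgi-bin/report.cgi | Host: www.example.com | User-Agent: curl/7.0",
    "GET /cgi-bin/report.cgi | Host: www.example.com | proxy: rogue-proxy.invalid:8080",
]

if __name__ == "__main__":
    print("vulnerable:", cgi_env_from_headers(SAMPLE_HEADERS, hardened=False))
    print("hardened:  ", cgi_env_from_headers(SAMPLE_HEADERS))
    print("flagged:   ", find_proxy_header_requests(SAMPLE_LOG))
```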


605125-2 : Sometimes, password fields are read-only

Component: Fraud Protection Services

Symptoms:
Sometimes password fields are read-only, so the user is unable to type a password.

Conditions:
WebSafe protection enabled on a site

Impact:
The user cannot type a password on the site.

Workaround:
N/A

Fix:
N/A


605039-3 : lwresd and bind vulnerability CVE-2016-2775

Vulnerability Solution Article: K92991044


605010-1 : Thrift::TException error

Component: Application Visibility and Reporting

Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".

Conditions:
This occurs when sending scheduled reports.

Impact:
Failure when sending a scheduled report.

Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:

mount -o remount,rw /usr
sed -i 's/localhost/127.0.0.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount,ro /usr

Fix:
The script now uses the explicit address instead of 'localhost'.


604977-2 : Wrong alert when DTLS cookie size is 32

Component: Local Traffic Manager

Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, it throws a fatal alert.

Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with cookie size 32 is not supported.


604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST ids of existing signatures are unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed, which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'

Fix:
Updated Signatures now retain the correct REST id.


604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule

Component: Fraud Protection Services

Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.

Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.

Impact:
Configured FPS rules with Route/Redirect actions will not be performed.

Workaround:
Disable "Trigger iRule Events" in the FPS profile.

Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.


604767-1 : Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
This results in a misconfiguration, and SAML WebSSO subsequently fails.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.

Component: TMOS

Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:

emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.

Conditions:
Upgrade from 10.2.4 to 12.1.x fails when an SNMP trap exists in the 10.2.4 configuration. The root cause is that the host parameter in the trap is enclosed in quotation marks.

Impact:
The upgrade completes, but the configuration does not load when the system restarts.

Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.

Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.

Fix:
Upgrade from 10.2.4 now completes successfully when the 10.2.4 configuration includes SNMP traps with a quoted host parameter.


604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x

Component: Application Security Manager

Symptoms:
False positive modified ASM cookie violation, and perhaps other false positive cookie-related violations.

Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.

Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).

Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }
}

Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.


604496-4 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
The SQL (Oracle) monitor daemon might hang under high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that a hung connection is being aborted and that the address is in use, unable to connect.

Conditions:
A high number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce frequency of monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon, so that the system handles hung connections without aborting.


604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up

Component: TMOS

Symptoms:
The following message appears on the console shortly after the system boots:

emerg logger: Re-starting bcm56xxd.

Conditions:
This occurs as a result of a possible race condition on i5x00, i7x00, and i10x00 platforms.

Impact:
No functional impact; the bcm56xxd daemon restarts successfully.

Workaround:
None.


604237-3 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
The vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN name matches the suffix of any other VLAN name.


604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs, such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1, are intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing them in Azure environments. If you upgrade Azure from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1, 12.0.0-HF4, or 12.1.1, the Azure license becomes nonoperational and is invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
The license becomes unusable. Re-licensing the instance yields an invalid license.

Workaround:
The workaround for this issue is to boot back into the previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658

Fix:
This release fixes the issue in which the Azure license became nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.

Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.


604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache plus another filter or iRule inspecting or modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.

Fix:
Ramcache clears the HTTP cookie cache in its responses.


604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash

Component: TMOS

Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:

lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync

Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane

Impact:
Trunks created by LACP do not pass traffic.

Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"

Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd when tmm goes down.

Replace this line:
for d in admd asm avrd dosl7d; do

with these lines:
for d in lacpd admd asm avrd dosl7d; do
    if [ `$BIGSTART singlestatus $d` = "run" ]; then
        $BIGSTART restart $d &
    fi
done


603997 : Plugin should not inject nonce to CSP header with unsafe-inline

Component: Fraud Protection Services

Symptoms:
When injecting CSP header values to enable the FPS plugin to work, unnecessary injections may break the user's 'allow inline script' policy, since the more restrictive directive is always applied.

Conditions:
Server response contains either header from the "Content-Security-Policy" header family.

Impact:
The user's inline scripts refuse to run because the FPS plugin injects a nonce. This breaks the user's application.

Workaround:
A fix has been deployed which makes the 'unsafe-inline' and 'nonce' directives mutually exclusive. If the user's CSP header allows inline scripts, the nonce is not injected.

Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.
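The browser rule behind this bug is that a nonce-source in script-src makes 'unsafe-inline' ignored, so adding a nonce to a policy that relies on inline scripts breaks them. The following added Python example (not F5 code) models that browser decision and the fixed, mutually exclusive injection logic, using constructed sample policies:

```python
import secrets

# Constructed sample policies (not from the original notes).
CSP_ALLOWS_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_NO_INLINE = "default-src 'self'; script-src 'self' https://cdn.example"


def parse_csp(header):
    """Split a CSP header value into an ordered {directive: [source, ...]} map."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())


def script_sources(policy):
    """Sources governing <script>: script-src, falling back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def inline_script_allowed(header, script_nonce=None):
    """Model the browser's decision for an inline <script>.

    Per CSP Level 2 and later, once the governing source list contains a
    nonce- or hash-source, 'unsafe-inline' is ignored and the script runs only
    if it carries a matching nonce.  That is why blindly injecting a nonce
    breaks a site that depends on 'unsafe-inline'.
    """
    srcs = script_sources(parse_csp(header))
    lowered = [s.lower() for s in srcs]
    # Nonce values are case-sensitive, so they are taken from the original tokens.
    nonces = [s[len("'nonce-"):-1] for s in srcs if s.lower().startswith("'nonce-")]
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if nonces or has_hash:
        return script_nonce is not None and script_nonce in nonces
    return "'unsafe-inline'" in lowered


def inject_nonce(header, nonce=None):
    """Return (new_header, injected_nonce_or_None).

    Mirrors the fixed behaviour: a nonce is injected only when the policy does
    not already allow inline scripts, keeping the two directives mutually
    exclusive.  Without a script-src directive, one is created from the
    default-src sources so that other directives falling back to default-src
    are left untouched.
    """
    policy = parse_csp(header)
    srcs = script_sources(policy)
    if "'unsafe-inline'" in (s.lower() for s in srcs):
        return header, None
    nonce = nonce or secrets.token_urlsafe(16)
    policy["script-src"] = srcs + [f"'nonce-{nonce}'"]
    return serialize_csp(policy), nonce
```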


603979-4 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

Impact:
Data transfer from the BIG-IP system's self IP might be slow.

Workaround:
Run the following command: ethtool -K tmm tso off.

Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to "disable" (which does not work around the issue).

Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,

alert tmmready "Tmm ready" {
    exec command="/sbin/ethtool -K tmm tso off"
}
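To confirm from a packet capture that the DF+MF fragments described above are actually on the wire before applying the workaround, here is an added Python check (not part of the original notes) that decodes the flags/offset field of raw IPv4 headers; the sample packets are constructed inline, and a real capture would feed its packets in instead:

```python
import struct

IP_DF = 0x4000           # Don't Fragment flag (bit 14 of the flags/offset field)
IP_MF = 0x2000           # More Fragments flag (bit 13)
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def build_ipv4_header(ident, flags, frag_offset, total_len=1500, proto=6,
                      src="10.0.0.1", dst="10.0.0.2"):
    """Constructed minimal 20-byte IPv4 header (checksum left as 0) for the samples."""
    ver_ihl = (4 << 4) | 5
    flags_frag = flags | (frag_offset & IP_OFFSET_MASK)
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       flags_frag, 64, proto, 0, to_bytes(src), to_bytes(dst))


def parse_fragment_info(packet):
    """Return (id, df, mf, offset_bytes) for an IPv4 packet, or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    return (ident,
            bool(flags_frag & IP_DF),
            bool(flags_frag & IP_MF),
            (flags_frag & IP_OFFSET_MASK) * 8)


def is_df_plus_mf(packet):
    """True for the packet shape some routers drop: MF set (more fragments
    follow) together with DF.  Valid per RFC 791, but worth flagging when a
    self IP transfer shows retransmissions and low throughput."""
    info = parse_fragment_info(packet)
    return info is not None and info[1] and info[2]


def find_df_mf_datagrams(packets):
    """Scan raw IPv4 packets; return the sorted IP ids of datagrams carrying DF+MF fragments."""
    return sorted({parse_fragment_info(p)[0] for p in packets if is_df_plus_mf(p)})


# Constructed samples: the DF+MF first fragment and the DF last fragment of one
# datagram, an ordinary MF fragment, and an unfragmented DF packet.
SAMPLE_PACKETS = [
    build_ipv4_header(0x1234, IP_DF | IP_MF, 0),
    build_ipv4_header(0x1234, IP_DF, 185),
    build_ipv4_header(0x5678, IP_MF, 0),
    build_ipv4_header(0x9ABC, IP_DF, 0),
]
```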


603945-2 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add it, and then issue the following command: restart asm.

This fixes the issue in cases where only a single entity is affected.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603825-2 : Crash when a Gy update message is received by a debug TMM

Component: Policy Enforcement Manager

Symptoms:
Debug TMM will crash when a Gy update message is received.

Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use non-debug TMM.

Fix:
Added checks to detect Gy update messages and handle them accordingly in the debug TMM, which prevents the crash in the debug TMM.


603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.


603700 : tmm core on multiple SSL::disable calls

Component: Local Traffic Manager

Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.

Conditions:
Invoking SSL::disable multiple times in the same iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to multiple calls of SSL::disable.


603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leak generally occurs infrequently and at a rate at which TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.


603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active

Component: iApp Technology

Symptoms:
After installation, the application's RPM on the active device is replicated to the standby. If the standby does not have DHD installed, the installation page is never shown.

Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.

Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.

Workaround:
None.

Fix:
You can now install DoS Hybrid Defender on the standby device in an HA pair if it is already installed on the active device.


603598-3 : big3d memory under extreme load conditions

Component: Global Traffic Manager

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains two queues for monitor requests. Incoming monitor requests are first placed in the Pending queue, and are moved from the Pending queue to the Active queue when there is room in the Active queue.

When the Pending queue is full, there is no room for the monitor request. big3d attempts to clean up the monitor request, but fails to completely free the memory. This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is multiple monitors timing out. This gives monitors long lifetimes, which keeps the Active queue full. The Pending queue might then become full, and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chances that the Pending queue becomes full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.


603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, one that has both a FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is sent to that virtual server.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.

Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.


603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config

Component: Service Provider

Symptoms:
tmm will core if the transport config specified in an MR::message route iRule command does not exist.

Conditions:
The transport config specified in an MR::message route iRule command does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the correct name for the transport-config object.

Fix:
Fixed a tmm core.


603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating keys of size 1024 and 4096 fails when the SafeNet client version installed on BIG-IP is 6.2 and the SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create 1024 or 4096 size RSA keys.

Workaround:
None.

Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.


603234-3 : Performance Improvements

Component: Fraud Protection Services

Symptoms:
Certain detection algorithms can slow down the client application.

Conditions:
FPS enabled, full AJAX encryption enabled.

Impact:
Client side AJAX detection can be slow.

Fix:
The performance of some detection algorithms has been improved.


603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Before the fix, decrease lifetime-kilobytes until the SA lifetime is stable.

Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.


603082-3 : Ephemeral pool members are getting deleted/created over and over again.

Component: Local Traffic Manager

Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.

Impact:
Traffic disrupted while mcpd restarts.


603032-1 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.

Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.


603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.

Fix:
Included a hash of the branch parameter of the received top-most Via header in the branch parameter of the inserted Via header. Thus, if the received top-most Via conforms to the spec and carries a different branch parameter for INVITE and ACK, the inserted Via will also have a different branch parameter.
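As an added illustration (not BIG-IP's own code), the Python below contrasts a CSeq-only branch derivation, assumed here as a model of the pre-fix behaviour, with the fix as described: hashing the received top-most Via branch into the inserted branch. Because an RFC 3261 UAC uses a fresh branch for the ACK to a 2xx (a new transaction) but reuses the INVITE branch for the ACK to a non-2xx (same transaction), the inserted branch then tracks the client's behaviour exactly. The SIP messages are constructed samples.

```python
import hashlib

# RFC 3261 branch "magic cookie"; a compliant UA starts every branch with it.
SIP_MAGIC = "z9hG4bK"

# Constructed sample messages: an INVITE and the ACK to its 2xx answer.
# Both carry CSeq number 1, which is what made the old derivation collide.
INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-inv-7a1\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
ACK_2XX = (
    "ACK sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-ack-9c4\r\n"
    "CSeq: 1 ACK\r\n\r\n"
)


def _header(msg, name, short=None):
    """Value of the first header called `name` (or its compact form), else None."""
    for line in msg.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in (name.lower(), short):
            return value.strip()
    return None


def top_via_branch(msg):
    """Branch parameter of the top-most Via header, or None if absent."""
    via = _header(msg, "Via", "v")
    if via is None:
        return None
    for param in via.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "branch":
            return value
    return None


def cseq_number(msg):
    """Numeric part of the CSeq header ('1 INVITE' -> '1')."""
    cseq = _header(msg, "CSeq")
    return cseq.split()[0] if cseq else ""


def inserted_branch_before_fix(msg):
    """Assumed model of the pre-fix derivation: the branch depends only on the
    CSeq number, so an INVITE and its ACK get the same inserted branch."""
    digest = hashlib.sha256(cseq_number(msg).encode()).hexdigest()[:16]
    return SIP_MAGIC + digest


def inserted_branch_after_fix(msg):
    """Fix as described in the notes: mix a hash of the received top-most Via
    branch into the inserted branch, so it differs whenever the client's does."""
    received = top_via_branch(msg) or ""
    received_hash = hashlib.sha256(received.encode()).hexdigest()
    material = cseq_number(msg) + "|" + received_hash
    return SIP_MAGIC + hashlib.sha256(material.encode()).hexdigest()[:16]
```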


602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility

Component: TMOS

Symptoms:
In the Configuration utility, when creating or editing an LTM policy, the ASM control option may be missing from the rule screen.

Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.

The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:

# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license

If any output is returned, then you are affected by this issue.

Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.

Workaround:
Use the TMSH utility to enable ASM in LTM policies.

Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.


602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode

Component: TMOS

Symptoms:
The LCD display does not indicate diagnostic mode when you stop the BIG-IP daemons (bigstart stop) and run the platform_check diagnostic command.

Conditions:
Diagnostic mode is not displayed on the LCD.

Impact:
There is no visible indication on the LCD display that the system is in diagnostic mode.

Fix:
A diagnostic message is now displayed on the LCD when the system is in diagnostic mode.


602654-2 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When trying to find or insert data in AVR lookups, a TMM/AVR core might occur.

Conditions:
AVR lookups in use.

Impact:
tmm crashes. The crash occurs when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using AVR lookups.


602653-1 : TMM may crash after updating bot-signatures

Component: Local Traffic Manager

Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.

Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Try adding or removing some signatures; this should avoid the crash.

Fix:
Fixed a memory corruption when updating bot signatures.


602502-2 : Unable to view the SSL Cert list from the GUI

Component: TMOS

Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.

Conditions:
You cannot view any SSL certificates in the GUI if at least one certificate has a double extension (such as test.crt.crt) in its name.

Impact:
Unable to view any SSL certificate from the GUI.

Workaround:
Delete such a certificate through TMSH and re-import it without the .crt extension in the certificate name.

delete sys file ssl-cert test.crt.crt

Fix:
Certificates can now be viewed, deleted, and exported from the GUI.


602434-1 : Tmm crash with compressed response

Component: Application Visibility and Reporting

Symptoms:
AVR decompresses all traffic in order to perform classification. This can cause a tmm core due to too many decompression requests.

Conditions:
Sending a high volume of compressed traffic to a virtual server with a DoS profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
AVR now issues no more than 10 decompression requests simultaneously.


602385-1 : Add zLib compression

Component: Local Traffic Manager

Symptoms:
The current driver supports only GZIP and DEFLATE compression.

Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in the GZIP hudfilter, which uses the COMPRESS_ZLIB compression method. Currently only the 'zlib' compression provider (software based) implements this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. The GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.

Impact:
Current compression hardware (such as Coleto Creek) needs to support the ZLIB method; otherwise, compression in the APM Network Access tunnel does not scale.

Workaround:
None.

Fix:
zLib compression is now supported.


602376-1 : qkview excludes files

Component: TMOS

Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.

Conditions:
This occurs when running qkview, when the configuration settings for qkview for the admin user include the --exclude flag. For example, if the setting has --exclude core, then none of the core files will be included in the qkview even if it is run without the --exclude parameter.

Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.

Workaround:
None.

Fix:
Corrected errors and made sure all files are included or excluded as designed.


602366-1 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With a Safenet 6.2 HA setup, you only see the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test

Fix:
Installation script is updated for Safenet 6.2 HA.


602358-5 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version

Component: Local Traffic Manager

Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.

Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.

The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.

Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.

Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.

Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:

1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.

2. If it is set to enable, both ClientHello versions will be exactly the same.


602326-1 : Intermittent pkcs11d core when installing Safenet 6.2 software

Component: Local Traffic Manager

Symptoms:
Sometimes you may see a pkcs11d core when stopping or restarting the pkcs11d service.

Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d is receiving a message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may automatically restart without intervention.

Fix:
Fixed the pkcs11d signal handler to avoid making system calls from within the signal handler.


602221-2 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names.

Conditions:
No '/' after the domain name in the redirect domain.

Impact:
A wrong learning suggestion can lead to a wrong policy.

Workaround:
N/A

Fix:
Fixed an issue with parsing the URL in the Location header.


602171-1 : TMM may core when remote LSN operations time out

Component: Carrier-Grade NAT

Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted, and request for remote resources times out.

Conditions:
LSN remote operations time out. LSN can request resources from a remote TMM when local resources are exhausted; when such a request times out, this can result in a core in affected versions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM LSN remote operations no longer cause a core.


602136-5 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages

Component: TMOS

Symptoms:
When firmware is updated on an i5000, i7000, or i10000 series appliance, messages appear on the console indicating the update is in progress. The messages are inconsistent: some give an expected time the update will take and some do not.

Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.

Impact:
Cosmetic.

Workaround:
None.


601989-3 : Remote LDAP system authenticated username is case sensitive

Component: TMOS

Symptoms:
Unable to log in via ssh, with the cause reported as "user account has expired". The wrong role is assigned to the remote user.

Conditions:
The character-case for the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or later.

Impact:
Unable to log in via ssh with a remote user, or the remote user is assigned an incorrect role, when multiple accounts exist with the same name and mixed case.

Workaround:
Avoid configuring the same account username with different character case, and ensure that the user account configured in TMOS and used to log in exactly matches the user account name returned from LDAP.

Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.


601938-2 : MCPD stores certain data incorrectly

Vulnerability Solution Article: K52180214


601927-1 : Security hardening of control plane

Component: TMOS

Symptoms:
File permission changes needed, as found by internal testing.

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened

Component: Advanced Firewall Manager

Symptoms:
When the Selenium server package is running on an endpoint and traffic is sent from there, the proactive bot defense mechanism does not see the ports opened by the Selenium server.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
Low impact, as Selenium detection by port scan has a low score and does not mitigate a client unless it has other suspicious client properties (for example, Tor browser).

Workaround:
N/A

Fix:
Port scanning has been fixed; a wider range of ports is now scanned.


601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule works around the issue:

when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to $max_collect bytes of data
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Only collect when there is a body to collect ($content_length is not 0)
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}


601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.

Fix:
You can now successfully use dynamic modification of rates for dynamic policies.


601828-1 : An untrusted certificate can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
If the certificate sent by an SSL server to the BIG-IP server-side SSL profile is untrusted, TMM might crash.

Conditions:
A server-side SSL profile is attached to a virtual server, and the SSL server sends an untrusted certificate to the BIG-IP.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The BIG-IP will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate.


601527-4 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known, but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered by making a single change on the primary, such as configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory leak in mcpd.


601502-4 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile.

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.

Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.


601496-4 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory use increases gradually; eventually the aggressive mode sweeper is activated.

Workaround:
None.

Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.


601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

Component: Application Security Manager

Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.

ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------

Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.

Impact:
ASM daemons restart, numerous errors in asm log.

Workaround:
None.

Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in the asm log and restarts of the 'pabnagd' and 'asm_config_server' daemons.


601309 : Locator LED no longer persists across reboots

Component: TMOS

Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.

Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.

Impact:
Affects i5600, i5800, i7600, i7800, i10600, and i10800 appliances.

Workaround:
Disable the Locator LED and save the TMSH config.

Fix:
Fixed Locator LED state persisting through reboots.


601268-5 : PHP vulnerability CVE-2016-5766

Component: TMOS

Symptoms:
See SOL43267483: PHP vulnerability CVE-2016-5766, available at https://support.f5.com/kb/en-us/solutions/public/k/43/sol43267483.html

Conditions:
See SOL43267483: PHP vulnerability CVE-2016-5766, available at https://support.f5.com/kb/en-us/solutions/public/k/43/sol43267483.html

Impact:
See SOL43267483: PHP vulnerability CVE-2016-5766, available at https://support.f5.com/kb/en-us/solutions/public/k/43/sol43267483.html

Fix:
See SOL43267483: PHP vulnerability CVE-2016-5766, available at https://support.f5.com/kb/en-us/solutions/public/k/43/sol43267483.html


601255-4 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may be forwarded to an incorrect UDP port (0).

Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.


601180-2 : Link Controller base license does not allow DNS namespace iRule commands.

Component: Global Traffic Manager

Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.

Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade from a pre-11.5 configuration where the commands were working to 11.5.4 through 12.1.1.

Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.

Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.


601178-6 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plain-text, route-domain-formatted cookie, the BIG-IP system ignores the cookie and re-load-balances the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


601083-1 : FPS Globally Forbidden Words lists freeze in IE 11

Component: Fraud Protection Services

Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.

Conditions:
FPS Provisioned
Add 2 or more words in "Search for malicious words in the HTML or JavaScript code".

Impact:
FPS GUI freezes

Workaround:
Add 1 item each time and save.
Use tmsh.

Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.


601076 : Fix watchdog event for accelerated compression request overflow

Component: TMOS

Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.

Conditions:
Very rapid queuing of concurrent accelerated compression requests.

Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.

Workaround:
Disable accelerated compression by disabling hardware accelerated compression with:

  % tmsh modify sys db compression.strategy value softwareonly

Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.


601059-6 : libxml2 vulnerability CVE-2016-1840

Vulnerability Solution Article: K14614344


601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM

Component: Application Visibility and Reporting

Symptoms:
An error message is displayed when TCP-Analytics fails to save new data. This error message should be rate-limited, like all TMM error messages, so that if it occurs very frequently it is displayed only once in a while and not for every error event.
Because the error message is not rate-limited, hitting this error many times can lead to a TMM halt.

This is also part of bug: 601035, which is the root-cause for hitting the error case.

Conditions:
TCP-Analytics is assigned to a virtual server, and bug 601035 is encountered.

Impact:
TMM can halt

Workaround:
Remove TCP-Analytics from virtual servers.

Fix:
Error message is performed with rate-limiting mechanism.


601035 : TCP-Analytics can fail to collect all the activity

Component: Application Visibility and Reporting

Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IPs and subnets, the TCP-Analytics table can fill up, which leads to the activity that follows being ignored until the next data snapshot.

Conditions:
A TCP-Analytics profile is attached to a virtual server, and incoming traffic comes from a large number of client IPs and subnets (the exact number needed to fill the table depends on machine type and provisioned modules).

Impact:
TCP Analytics is showing only some of the activity, not all of it.
There is also another impact, described in bug 601056, which is frequent errors in the log.

Workaround:
Disable TCP-Analytics.

Fix:
The aggregation method of TCP Analytics was fixed; the table no longer fills up, regardless of the distribution of client IPs.


600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No specific conditions; this is very rare, and occurs when the random number generator happens to generate the value zero (0), which triggers the assertion.

Impact:
Traffic disrupted while TMM restarts and failover occurs if a pair exists. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.

Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.


600894-1 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.


600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.

Component: TMOS

Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.

Conditions:
Upgrading an 11.6.0 or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.

Impact:
License is invalidated and instance becomes unusable.

Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.

Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.


600827-8 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600811-2 : CATEGORY::lookup command change in behaviour

Component: Access Policy Manager

Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or has only URL Filtering provisioned (for SSL Bypass decisions).

Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command is valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, you need to remove the HTTP::uri statement from the previous example. If an HTTP::uri is provided to the command, an error is returned:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

Conditions:
- BIG-IP licensed and provisioned for:
 o APM and URL Filtering
 o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from pre-v12.1.1 versions that use the CATEGORY::lookup iRule command and use an HTTP::uri or pass in a plain text string that contains anything other than an HTTP hostname.

Impact:
There is an error returned from the command. This can cause errors in existing deployments.

Workaround:
Update the iRule to only pass an HTTP hostname to the CATEGORY::lookup iRule command

Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or has only URL Filtering provisioned (for SSL Bypass decisions).

Only a valid hostname can be used and have its category returned.

Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or has only URL Filtering provisioned (for SSL Bypass decisions).

Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command is valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, you need to remove the HTTP::uri statement from the previous example. If an HTTP::uri is provided to the command, an error is returned:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.


600662-9 : NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: K64743453


600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   # A CONNECT tunnel must never reuse a pooled server-side flow,
   # so disable OneConnect reuse for CONNECT and re-enable it otherwise.
   # In Tcl the "else" must follow the closing brace on the same line.
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   } else {
      ONECONNECT::reuse enable
   }
}


600558-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting user in GUI.


600357-2 : bd crash when asm policy is removed from virtual during specific configuration change

Component: Application Security Manager

Symptoms:
BD restarts and produces a core file

Conditions:
A configuration change that involves the headers configuration or a policy re-configuration, while at the same time the ASM policy is removed from the virtual server.
This is more likely to happen in scripted tests than in the field.

Impact:
Traffic gets dropped while the ASM gets restarted.

Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.

Fix:
System will still restart but will not produce a core file when this happens.


600232-9 : OpenSSL vulnerability CVE-2016-2177

Vulnerability Solution Article: K23873366


600223-2 : OpenSSL vulnerability CVE-2016-2177

Vulnerability Solution Article: K23873366


600205-9 : OpenSSL Vulnerability: CVE-2016-2178

Vulnerability Solution Article: K53084033


600198-2 : OpenSSL vulnerability CVE-2016-2178

Vulnerability Solution Article: K53084033


600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the VPN with a Wi-Fi adapter enabled (but not connected to any WLAN), access to websites outside the VPN is very slow.
Access is fine when wifi interface is disabled.

Conditions:
- The number of DNS servers configured for active network adapters matches the number of DNS servers configured in the Network Access resource.

Impact:
User experience while navigating to servers outside the VPN scope is impacted by increased connection time.

Workaround:
Disable unused adapters or change the number of configured DNS servers.

Fix:
DNS requests for names outside the VPN scope that are sent to the VPN DNS server are redirected to the DNS servers of the NIC using a round-robin algorithm.


600052-1 : GUI displaying "Internal Server Error" page when there are many (~3k) certs/keys in the system

Component: Local Traffic Manager

Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.

Conditions:
Having a large (~3k) number of SSL certs/keys in the system.

Impact:
Cannot use the GUI to view/edit the SSL certs/keys.

Workaround:
Use tmsh to access SSL certs/keys.

Fix:
SSL certs/keys can now be accessed using the GUI.


599858-7 : ImageMagick vulnerability CVE-2015-8898

Vulnerability Solution Article: K68785753


599839-3 : Add new keywords to SIP::persist command to specify how Persistence table is updated

Component: Service Provider

Symptoms:
SIP::persist command keywords were not present prior to 12.1.2.

Conditions:
Using the SIP::persist command in an iRule

Impact:
Limited control via SIP::persist

Workaround:
N/A

Fix:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry; if no entry exists, add a new entry based on the result of this message.
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

Behavior Change:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry; if no entry exists, add a new entry based on the result of this message.
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.


599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.

Component: TMOS

Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.

Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.

Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.

Fix:
Packets are correctly disaggregated without redirections.


599803 : TMM accelerated compression incorrectly destroying in-flight contexts.

Component: Performance

Symptoms:
You see a tmm core while using compression profiles.

Conditions:
Related to use of hardware compression.

Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.

Workaround:
Disable accelerated compression using the following command:

% tmsh modify sys db compression.strategy value softwareonly

Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.


599769 : TMM may crash when managing APM clients.

Component: Local Traffic Manager

Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.

Conditions:
APM enabled and actively managing clients.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.


599720-2 : TMM may crash in bigtcp due to null pointer dereference

Component: Local Traffic Manager

Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.

Conditions:
This only occurs for serverside flow whose peer no longer exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
A null pointer dereference in bigtcp has been fixed.


599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Component: TMOS

Symptoms:
If a remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2, the BIG-IP system will find a match against a non-wildcard selector and use that policy to complete phase2 negotiation.

You may encounter this problem if you have one or more remote peers attempting to negotiate phase2 with wildcard traffic-selectors. An IPsec tunnel may start but fail to pass data and at the same time another IPsec tunnel may stop working.

Conditions:
The remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2. Phase1 must be established first.

Impact:
A tunnel will start, but data communication (over ESP or AH) will fail.
Other tunnels may be subject to an accidental DOS when a peer establishes phase1 but uses wildcard traffic-selectors in phase2. A traffic-selector matched by wildcard might be bound to a tunnel already in use, which is then taken offline by the new Security Associations.

Fix:
Ensure that phase2 negotiation using a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector does not establish a Security Association with an ipsec-policy associated with a non-wildcard traffic-selector.

Behavior Change:
Previously, a wildcard selector was able to match a non-wildcard selector, and thus engage the wrong (IPsec) tunnel to attempt negotiation, usually failing.

In effect, a wildcard selector was able to bind to the wrong peer; after this change only the right peer should bind. This cleans up the behavior of the selector as an identity key, and prevents random, unrelated peers from being subjected to noise.


599521-5 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, not having the persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.

Fix:
MRF SIP now adds a persistence entry for messages routed via an iRule.


599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Vulnerability Solution Article: K51390683


599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Check the handles/key-ids of the keys in the configuration using tmsh. Then remove the key that is not in use with the command tmsh delete sys crypto key <keyname>.


599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump

Component: Local Traffic Manager

Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.

Conditions:
Run tcpdump on a B2250 platform.

Impact:
Increment in TMM CPU utilization with every run of tcpdump.

Workaround:
Restart TMM, avoid the use of tcpdump.

Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump.


599121-2 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.


599054-2 : LTM policies may incorrectly use those of another virtual server

Component: Local Traffic Manager

Symptoms:
LTM policies may use policies configured on another virtual server.

Conditions:
- A configuration with several virtual servers and several configured LTM policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.

Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.

Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync issuing a bigstart restart command or restarting the device will fix this condition.

Fix:
LTM policies no longer incorrectly use those of another virtual server.


599033-5 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network does.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.

Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.


598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598981-3 : APM ACL does not get enforced all the time under certain conditions

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Context switching while applying the ACL is now processed properly, and no longer causes the ACL to go unenforced.


598874-2 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.


598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule command should translate an IPv6 address that embeds an IPv4 address into that IPv4 address, but instead it converts it into an IPv4-compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.

Impact:
Address is converted into an IPv4-compatible IPv6 address.


598854-3 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.

Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.


598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and the shortest packets, complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming a collision probability of 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per the guidelines above for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For a 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).

Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.

This is an improvement that allows the maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.
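The 8 Gb figure in the Symptoms section follows from the birthday bound on a random IV. The following Python, added here as an illustration and not F5 code, works through that estimate and contrasts a random IV source with the counter-based scheme the fix adopts. It assumes the 64-bit (8-octet) AES-GCM ESP IV of RFC 4106 and a constructed 40-byte "shortest packet" size; both are assumptions of this example, chosen to reproduce the order of magnitude the note quotes.

```python
"""Birthday bound for random AES-GCM IVs versus a counter-based IV source.

Added example, not F5 code. Assumptions: 64-bit IV (RFC 4106 AES-GCM ESP)
and a constructed 40-byte minimum packet size.
"""
import math

GCM_ESP_IV_BITS = 64     # assumption: RFC 4106 AES-GCM ESP IV length
MIN_PACKET_BYTES = 40    # constructed "shortest packet" size for the estimate


def random_iv_budget(iv_bits, collision_prob):
    """Packets that can be sent with uniformly random IVs before the probability
    of at least one repeated IV reaches collision_prob.

    Uses the birthday approximation n ~ sqrt(2 * N * p) with N = 2**iv_bits.
    """
    space = 2 ** iv_bits
    return int(math.sqrt(2.0 * space * collision_prob))


def bytes_before_collision(iv_bits, collision_prob, packet_bytes):
    """Bytes sent in one direction before the IV-reuse probability is reached."""
    return random_iv_budget(iv_bits, collision_prob) * packet_bytes


def rekey_interval_seconds(byte_budget, link_bps):
    """Seconds a saturated link needs to exhaust byte_budget (rekey deadline)."""
    return byte_budget * 8 / link_bps


def first_repeat(ivs):
    """Index of the first IV that repeats an earlier one, or None if all distinct.
    With a random IV source this is where GCM integrity collapses."""
    seen = set()
    for i, iv in enumerate(ivs):
        if iv in seen:
            return i
        seen.add(iv)
    return None


class CounterIV:
    """Counter-based IV source: values are distinct by construction, so a repeat
    within one security association is impossible until the space is exhausted,
    at which point the caller must rekey instead of wrapping around."""

    def __init__(self, iv_bits=GCM_ESP_IV_BITS):
        if iv_bits % 8:
            raise ValueError("iv_bits must be a multiple of 8")
        self.nbytes = iv_bits // 8
        self.limit = 2 ** iv_bits
        self.next_value = 0

    def next_iv(self):
        if self.next_value >= self.limit:
            raise RuntimeError("IV space exhausted; rekey the security association")
        iv = self.next_value.to_bytes(self.nbytes, "big")
        self.next_value += 1
        return iv


if __name__ == "__main__":
    packets = random_iv_budget(GCM_ESP_IV_BITS, 0.001)
    budget = bytes_before_collision(GCM_ESP_IV_BITS, 0.001, MIN_PACKET_BYTES)
    print(f"random 64-bit IVs: ~{packets:.3g} packets before p(repeat) = 0.1%")
    print(f"at {MIN_PACKET_BYTES}-byte packets that is ~{budget / 1e9:.1f} GB one way")
    for label, bps in (("100 Mbps", 100e6), ("1 Gbps", 1e9), ("10 Gbps", 10e9)):
        print(f"  rekey a 10 GB budget within {rekey_interval_seconds(10e9, bps):.0f} s at {label}")
    ctr = CounterIV(iv_bits=16)   # small space so exhaustion is visible
    ivs = [ctr.next_iv() for _ in range(2 ** 16)]
    print("counter IVs repeat at index:", first_repeat(ivs))
```

The computed value (about 1.9e8 packets, or roughly 7.7 GB at 40-byte packets) matches the note's "before 8 Gb" estimate, and the rekey intervals line up with the workaround's 100 Mbps / 1 Gbps / 10 Gbps guidance. A counter IV removes the birthday limit entirely; the remaining ceiling is the 2^64 IV space itself, which the class refuses to wrap.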


598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) cannot be properly routed using call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.

Fix:
The fix corrects the problem of identifying which end of the bidirectional persistence entry the message arrived on, so that it can be forwarded to the proper device.


598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created

Component: TMOS

Symptoms:
After installing v12.1.0 on a vCMP host system, the guests no longer start and remain in the "failed" state.

Errors similar to these are logged in the ltm log file:

Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED

Conditions:
- The vCMP host is upgraded to v12.1.0 or higher.
- The vCMP host system was originally installed with v11.6.0 or an older build.

Impact:
After installing v12.1.0 on a vCMP host system, the guests no longer start and remain in the "failed" state.

Workaround:
Run the following command:

useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu

then:
 
bigstart restart vcmpd


598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
A static ARP entry exists, and there is no Self IP address on the same subnet as the static ARP entry. In this condition, none of the Self IP addresses can be deleted.

Impact:
Static ARP entries must be deleted in order to delete Self IP addresses.

Workaround:
None.

Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.


598443-1 : Temporary files from TMSH not being cleaned up intermittently.

Component: TMOS

Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can contain leftover unused directories if TMSH was terminated abruptly and did not get a chance to clean them up.

Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.

Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out-of-memory exceptions.

Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.

Fix:
TMSH now removes all temporary files as expected.


598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472

Vulnerability Solution Article: K17119920


598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


598134-1 : Stats query may generate an error when tmm on secondary is down

Component: TMOS

Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.

Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.

Impact:
The iControl session must be restarted.

Workaround:
Ensure all tmms are up and running.

Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.


598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails

Component: Local Traffic Manager

Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.

Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".

Impact:
The client-side certificate lookup fails, which may trigger a server-side SSL handshake.

Fix:
With this fix, the certificate lookup by "Addr-Port" can hit the cache.


598039-6 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
MCP no longer leaks memory when wildcard queries are performed.


598002-10 : OpenSSL vulnerability CVE-2016-2178

Vulnerability Solution Article: K53084033


597978-2 : GARPs may be transmitted by active going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active unit when it goes offline. Because the standby unit that takes over will also transmit GARPs, this is not expected to cause any impact.

Conditions:
Multiple traffic groups are configured and the active unit goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.


597879-1 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
The debug TMM crashes when the TCP congestion control computes an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the debug TMM with CDG congestion control.

Impact:
Traffic disrupted while tmm restarts.
With the default TMM, the allowed sending rate is abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.

Fix:
Fixed congestion window calculation in CDG.


597835-3 : Branch parameter in inserted VIA header not consistent as per spec

Component: Service Provider

Symptoms:
MRF SIP in load-balancing operation mode inserts a Via header into SIP request messages. This Via header is removed from the returned response message. The Via header contains encrypted routing information used to route the response message. The SIP specification states that all messages in the same transaction should contain the same branch parameter. The code used to encrypt the branch field returns a different value each time.

Conditions:
SIP Via header insertion is enabled in the SIP MRF profile on the BIG-IP system, and an INVITE needs to be cancelled.

Impact:
Some servers verify that the branch fields in the Via header do not change within a transaction. These servers complain when they see the fields change.

Fix:
The code has been improved to ensure that the branch field in the Via header does not change within a transaction.
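The branch consistency rule this entry relies on, as an added example (illustrative code, not the BIG-IP MRF implementation or its encryption scheme): RFC 3261 requires a CANCEL to carry the same Via branch as the INVITE it cancels, and the branch must start with the magic cookie z9hG4bK. Deriving the branch with an HMAC over the transaction identity and the routing information the proxy needs back keeps it stable across the INVITE and CANCEL, whereas a per-message random value fails the check the receiving servers perform. The key, Call-ID, tags and "next-hop" string are constructed placeholders.

```python
import hashlib
import hmac
import os

BRANCH_MAGIC = "z9hG4bK"   # RFC 3261 magic cookie that every compliant branch starts with


def transaction_key(msg: dict) -> str:
    """Identity shared by all requests of one client transaction.  RFC 3261 section 9.1
    requires a CANCEL to carry the Via branch of the INVITE it cancels, so CANCEL is
    folded onto the INVITE's identity here."""
    method = "INVITE" if msg["method"] == "CANCEL" else msg["method"]
    return "|".join([msg["call_id"], msg["from_tag"], str(msg["cseq"]), method])


def derive_branch(msg: dict, key: bytes, routing_info: str) -> str:
    """Deterministic branch: HMAC over the transaction identity and the routing
    information the proxy needs to recover from the response.  Same transaction and
    same routing information give the same branch (an illustrative scheme; the product
    encrypts routing data, which this example does not reproduce)."""
    mac = hmac.new(key, f"{transaction_key(msg)}|{routing_info}".encode(), hashlib.sha256)
    return BRANCH_MAGIC + mac.hexdigest()[:32]


def random_branch() -> str:
    """Per-message random branch: the behaviour 597835-3 describes, which makes the
    CANCEL's branch differ from the INVITE's."""
    return BRANCH_MAGIC + os.urandom(16).hex()


def cancel_matches_invite(invite_branch: str, cancel_branch: str) -> bool:
    """The check strict servers perform: the CANCEL must carry the INVITE's branch."""
    return invite_branch.startswith(BRANCH_MAGIC) and invite_branch == cancel_branch


# Constructed INVITE and its CANCEL: same Call-ID, From tag and CSeq number
INVITE = {"method": "INVITE", "call_id": "a84b4c76e66710@pc33.example.test",
          "from_tag": "1928301774", "cseq": 314159}
CANCEL = dict(INVITE, method="CANCEL")
KEY = b"constructed-demo-key"          # placeholder, not a real proxy key
ROUTE = "next-hop=placeholder"         # placeholder for the routing information carried back


if __name__ == "__main__":
    print("deterministic:", cancel_matches_invite(derive_branch(INVITE, KEY, ROUTE),
                                                  derive_branch(CANCEL, KEY, ROUTE)))
    print("random      :", cancel_matches_invite(random_branch(), random_branch()))
```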


597828-1 : SSL forward proxy crashes in some cases

Component: Local Traffic Manager

Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result.

Conditions:
SSL forward proxy is enabled.

Impact:
SSL forward proxy crashes sometimes.

Workaround:
None.

Fix:
Fixed a crash in the SSL forward proxy.


597729-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597708-4 : Stats are unavailable and VCMP state and status is incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is VCMP related.

The guest virtual disk always shows as in-use, even when the guest is not in the running state.

When the guest OS is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots, merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

vCMP guest OS status is reported incorrectly.

Workaround:
If merged is hung, restart the daemon using the following command:
bigstart restart merged

To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false

Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.


597532-1 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}

Note that tmm internally treats AVP values as signed integers, so this might not completely correct the issue.

Fix:
Ensure that we are using unsigned integers for RADIUS AVPs.


597471 : Some Alerts are sent with outdated username value

Component: Fraud Protection Services

Symptoms:
User-defined, component validation, and vtrack alerts are sent with an outdated username value.

Conditions:
Log in, then log in again as a different user (under conditions that generate an alert).

Impact:
The alert is sent with the username of the first login.

Fix:
Alert sending is now blocked until parameter processing is complete.


597431-2 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
Edge Client does not clean up the routing table before Windows goes into hibernation. This may cause VPN establishment to fail when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
- The VPN connection is not disconnected.
- The computer goes into hibernation.

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running:

ipconfig /renew

or reboot the machine.


597394-2 : Improper handling of IP options

Vulnerability Solution Article: K46535047


597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms

Component: TMOS

Symptoms:
The Maximum Members Per Trunk limit is 8 or 16 depending on the platform. This is due to:

1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.

Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.

Impact:
The number of interfaces per trunk is limited to either 8 or 16.

Workaround:
None.

Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.


597303 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, log entries similar to the following appear in /var/log/ltm:

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.

Fix:
A fix is already staged and may appear in a later hotfix.


597270-2 : tcpdump support missing for VXLAN-GPE NSH

Component: TMOS

Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

Conditions:
Running tcpdump on BIG-IP systems.

Impact:
No support for VXLAN-GPE NSH.

Workaround:
None.

Fix:
tcpdump now has support for VXLAN-GPE NSH.

Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).


597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use an iRule to rename the field names in the original code.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.


597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP three-way handshake (3WHS) timeout is not updated to the TCP idle timeout after the handshake completes. The symptom is an unusually high number of connections being reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.


597023-1 : NTP vulnerability CVE-2016-4954

Vulnerability Solution Article: K82644737


597010-1 : NTP vulnerability CVE-2016-4955

Vulnerability Solution Article: K03331206


596997-1 : NTP vulnerability CVE-2016-4956

Vulnerability Solution Article: K64505405


596814-4 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where the provided IP address matches more than one network interface (interfaces in other Amazon VPCs in the same Availability Zone, belonging to unrelated instances but having the same IP address as the BIG-IP system's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows the network interface lookup by filtering on the VPC ID.
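The ambiguous lookup and the VPC-scoped fix, as an added example (illustrative code, not the BIG-IP failover script or its AWS calls): the records are constructed in the shape of an EC2 DescribeNetworkInterfaces response, the filter names addresses.private-ip-address and vpc-id are the ones that API accepts, and the evaluator below stands in for the API so the example runs offline. All IDs and addresses are placeholders.

```python
# Constructed ENI records (placeholder IDs, not real AWS resources).  Two unrelated
# VPCs in the same Availability Zone both carry 10.0.1.50: on the BIG-IP as a
# floating (secondary) address, and on an unrelated instance as its primary address.
INTERFACES = [
    {"NetworkInterfaceId": "eni-bigip-placeholder", "VpcId": "vpc-bigip-placeholder",
     "AvailabilityZone": "us-east-1a",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                            {"PrivateIpAddress": "10.0.1.50", "Primary": False}]},
    {"NetworkInterfaceId": "eni-other-placeholder", "VpcId": "vpc-other-placeholder",
     "AvailabilityZone": "us-east-1a",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.50", "Primary": True}]},
]


def describe_filters(private_ip: str, vpc_id: str = None) -> list:
    """Filter list in the form DescribeNetworkInterfaces accepts.  Without vpc-id this
    is the address-only lookup from 596814-4; adding vpc-id is the fix."""
    filters = [{"Name": "addresses.private-ip-address", "Values": [private_ip]}]
    if vpc_id is not None:
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    return filters


def _matches(eni: dict, flt: dict) -> bool:
    if flt["Name"] == "vpc-id":
        return eni["VpcId"] in flt["Values"]
    if flt["Name"] == "addresses.private-ip-address":
        return any(a["PrivateIpAddress"] in flt["Values"] for a in eni["PrivateIpAddresses"])
    raise ValueError(f"filter not supported by this offline evaluator: {flt['Name']}")


def apply_filters(interfaces: list, filters: list) -> list:
    """Offline stand-in for the API call: keep the ENIs matching every filter."""
    return [eni for eni in interfaces if all(_matches(eni, f) for f in filters)]


def lookup_is_ambiguous(interfaces: list, private_ip: str) -> bool:
    """True when an address-only lookup returns more than one ENI."""
    return len(apply_filters(interfaces, describe_filters(private_ip))) > 1


def select_failover_interface(interfaces: list, private_ip: str, vpc_id: str) -> str:
    """ENI that should receive the floating address on failover.  Refuses to guess when
    the result is not unique rather than reattaching the address to a random match."""
    hits = apply_filters(interfaces, describe_filters(private_ip, vpc_id))
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} interfaces carry {private_ip} in {vpc_id}; expected 1")
    return hits[0]["NetworkInterfaceId"]


if __name__ == "__main__":
    print("address-only lookup ambiguous:", lookup_is_ambiguous(INTERFACES, "10.0.1.50"))
    print("VPC-scoped target:", select_failover_interface(INTERFACES, "10.0.1.50",
                                                          "vpc-bigip-placeholder"))
```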


596809-1 : It is possible to create ssh rules with blank space for auth-info

Component: Advanced Firewall Manager

Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Conditions:
This occurs when creating profile actions.

Impact:
Actions can be created with blank spaces in them, whereas a validation error should be returned. These rules also cannot be deleted.

Workaround:
Do not create profile actions with blank spaces.

Fix:
The BIG-IP system now returns a validation error if you create a profile action containing only a blank space.


596674-2 : High memory usage when using CS features with gzip HTML responses.

Component: Application Visibility and Reporting

Symptoms:
AVR consumes a lot of memory while trying to decompress responses. This can cause a tmm core under stress traffic.

Conditions:
-- A Dosl7d-enabled virtual server with CS features.
-- The server is sending compressed responses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.


596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later

Component: Service Provider

Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.

For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with assertion failure "Assertion "bound listener" failed.".

Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.

Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.

Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.


596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
The issue is corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596502-1 : Unable to force Bot Defense action to Allow in iRule

Component: Advanced Firewall Manager

Symptoms:
When a request is being blocked (or challenged with CAPTCHA) because it was identified as a suspicious browser, the action cannot be forced to allow in the iRule.

Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.

Impact:
The bot defense action cannot be forced to "allow", the RST will still be sent.


596488-1 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: K82747025


596450-1 : TMM may produce a core file after updating SSL session ticket key

Component: Local Traffic Manager

Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.

Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".

Impact:
TMM core and restart.

Workaround:
None.

Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key.


596340-8 : F5 TLS vulnerability CVE-2016-9244

Vulnerability Solution Article: K05121675


596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified

Component: Access Policy Manager

Symptoms:
The session variable session.ldap.last.memberOf contains only the groups of which the user is an explicit member.

Conditions:
This occurs when the following conditions are met:
-- The APM LDAP Query option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.

Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.

Workaround:
Add the following attribute to the "Required Attributes" list:

"objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:

"primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups from Microsoft Active Directory, including the primary group.

Fix:
LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attributes are set.
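The difference between direct and nested group resolution, and why the Active Directory primary group needs separate handling, as an added example (illustrative code, not APM's LDAP Query implementation): the directory fragment is constructed, the nested groups deliberately contain a cycle, and the primary group is found by matching the user's primaryGroupID to a group's primaryGroupToken because AD does not list the primary group in memberOf.

```python
# Constructed directory fragment (not real LDAP data), keyed by DN.  Only the
# attributes needed for group resolution are modelled, in the shape an LDAP search
# returns them.  engineering and all-staff are nested in each other on purpose.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=test": {
        "objectClass": ["user"],
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=test"],
        "primaryGroupID": 513,            # AD: RID of the user's primary group
    },
    "cn=devs,ou=groups,dc=example,dc=test": {
        "objectClass": ["group"],
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=test"],
    },
    "cn=engineering,ou=groups,dc=example,dc=test": {
        "objectClass": ["group"],
        "memberOf": ["cn=all-staff,ou=groups,dc=example,dc=test"],
    },
    "cn=all-staff,ou=groups,dc=example,dc=test": {
        "objectClass": ["group"],
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=test"],   # cycle
    },
    "cn=domain users,ou=groups,dc=example,dc=test": {
        "objectClass": ["group"],
        "primaryGroupToken": 513,         # AD: matched against the user's primaryGroupID
    },
}


def direct_groups(directory: dict, dn: str) -> list:
    """Explicit memberOf values of one entry."""
    return list(directory.get(dn, {}).get("memberOf", []))


def resolve_groups(directory: dict, user_dn: str, mode: str = "all",
                   include_primary: bool = False) -> set:
    """Group DNs for user_dn.
    mode="direct": explicit memberOf only, the truncated result 596116-3 describes.
    mode="all": follow memberOf through nested groups; the visited set makes it cycle-safe.
    include_primary: also add the AD primary group, which never appears in memberOf."""
    groups = set()
    pending = direct_groups(directory, user_dn)
    while pending:
        group = pending.pop()
        if group in groups:
            continue
        groups.add(group)
        if mode == "all":
            pending.extend(direct_groups(directory, group))
    if include_primary:
        rid = directory.get(user_dn, {}).get("primaryGroupID")
        if rid is not None:
            for dn, attrs in directory.items():
                if attrs.get("primaryGroupToken") == rid:
                    groups.add(dn)
    return groups


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=test"
    for mode, primary in (("direct", False), ("all", False), ("all", True)):
        print(mode, "primary" if primary else "", sorted(resolve_groups(DIRECTORY, alice, mode, primary)))
```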


596104-1 : HA trunk unavailable for vCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:

err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.

Conditions:
This occurs when an HA trunk is configured on a vCMP guest with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.

Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.

Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.

Important! This disables the HA trunk feature.

Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.


596067-2 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started triggers this condition.

Impact:
The GUI becomes unresponsive.

Workaround:
Running bigstart restart httpd clears this condition if it occurs.


595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.

Component: Access Policy Manager

Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a HTTP/2 enabled browser and HTTP/2 profile attached.

Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.

Impact:
APM statistics for bytes in and out are not updated.

Workaround:
None.

Fix:
Access session 'Bytes In' and 'Bytes Out' are now updated when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.


595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


595712-1 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing a remote user to a local user fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}


595693 : Incorrect PVA indication on B4450 blade

Component: TMOS

Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.

Conditions:
This occurs when looking at platform information on B4450 blades.

Impact:
PVA acceleration is not detected properly.

Fix:
PVA service is now indicated properly on the B4450 blade.


595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail

Component: TMOS

Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned
- Upgrading to v12.0.0 from the following versions:
  - 11.6.1

Certain engineering hotfixes are also affected.

Conditions:
The following Engineering Hotfixes are affected.

- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240

11.6.1 is also affected.

Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.

This can be detected by running tmsh load sys config verify. You will see the following signature:

Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"

Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.


595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Component: TMOS

Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.

Impact:
Users might not be able to log in to the instance.

Workaround:
Rebooting the instance corrects the problem.

Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.


595272-1 : Edge Client may show a window displaying plain text in some cases

Component: Access Policy Manager

Symptoms:
In a captive portal environment, Edge Client may sometimes show a window with plain text content.

Conditions:
Edge Client is launched when the user's machine is inside a captive portal network.

Impact:
The user may not be able to establish a VPN.

Workaround:
Authenticate to the captive portal using a browser, then launch Edge Client again.


595242-1 : libxml2 vulnerabilities CVE-2016-3705

Vulnerability Solution Article: K54225343


595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705

Vulnerability Solution Article: K54225343


595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories

Component: Access Policy Manager

Symptoms:
When configuring a URL in multiple categories, you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).

Conditions:
Configuring the same URL in multiple custom categories.

Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.

Workaround:
None

Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.


594910-1 : FPS flags no cookie when length check fails

Component: Fraud Protection Services

Symptoms:
You see No Cookie errors for validation errors other than No Cookie.

Conditions:
Malformed component validation cookie

Impact:
No Cookie errors are counted when the validation error was not due to No Cookie.

Workaround:
None.

Fix:
Fixed an issue with No Cookie error counting.


594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported.


594642-3 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Component: Local Traffic Manager

Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Conditions:
The stream filter is active during low-memory situations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.


594496-1 : PHP Vulnerability CVE-2016-4539

Vulnerability Solution Article: K35240323


594426-2 : Audit forwarding Radius packets may be rejected by Radius server

Component: TMOS

Symptoms:
The Accounting-Request packets are missing two required AVPs (attribute-value pairs), Acct-Session-ID and Acct-Status-Type. Some RADIUS servers drop Accounting-Requests that are missing these AVPs.

Conditions:
Audit forwarding is configured to use RADIUS, and audit messages are not logged on the RADIUS server.

Impact:
Unable to log audit messages from BIG-IP using audit forwarding.
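
The requirement behind this entry can be checked on the receiving side. The following Python is an added example, not part of F5's release note or product code: it builds two constructed RADIUS Accounting-Request packets, one carrying only User-Name and NAS-IP-Address (the shape described above) and one with the two mandatory attributes added, and reports which RFC 2866 mandatory attributes are absent. The attribute type numbers (Acct-Status-Type = 40, Acct-Session-Id = 44) and the packet code (Accounting-Request = 4) are the standard RFC values; the sample contents and the helper names are this example's own.

```python
import struct

# RADIUS packet code and attribute types from RFC 2865/2866 (standard values,
# not taken from the release note).
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40      # RFC 2866: MUST be present in every Accounting-Request
ACCT_SESSION_ID = 44       # RFC 2866: MUST be present in every Accounting-Request
ACCT_STATUS_START = 1

REQUIRED_ACCT_ATTRS = {
    ACCT_STATUS_TYPE: "Acct-Status-Type",
    ACCT_SESSION_ID: "Acct-Session-Id",
}


def build_radius_packet(code, identifier, attrs):
    """Serialize a RADIUS packet: 1-byte code, 1-byte identifier, 2-byte length,
    16-byte authenticator, then TLV attributes. The authenticator is zeroed
    because these are constructed samples, not packets captured on the wire."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_radius_packet(packet):
    """Return (code, identifier, [(type, value), ...]) or raise ValueError on a
    malformed packet (inconsistent length field, truncated or zero-length attribute).
    Bytes beyond the length field are ignored, as RFC 2865 requires."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def missing_accounting_attributes(packet):
    """Names of the RFC 2866 mandatory attributes absent from an Accounting-Request.
    Non-accounting packets return an empty list because the check does not apply."""
    code, _, attrs = parse_radius_packet(packet)
    if code != ACCOUNTING_REQUEST:
        return []
    present = {attr_type for attr_type, _ in attrs}
    return [name for attr_type, name in REQUIRED_ACCT_ATTRS.items()
            if attr_type not in present]


# Constructed sample 1: an Accounting-Request with only User-Name and
# NAS-IP-Address, i.e. missing both mandatory accounting attributes.
BROKEN_PACKET = build_radius_packet(ACCOUNTING_REQUEST, 7, [
    (USER_NAME, b"admin"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
])

# Constructed sample 2: the same request with Acct-Status-Type (Start) and
# an Acct-Session-Id added.
FIXED_PACKET = build_radius_packet(ACCOUNTING_REQUEST, 8, [
    (USER_NAME, b"admin"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
    (ACCT_SESSION_ID, b"audit-0001"),
])

if __name__ == "__main__":
    print("broken:", missing_accounting_attributes(BROKEN_PACKET))
    print("fixed: ", missing_accounting_attributes(FIXED_PACKET))
```

Run against a capture of traffic arriving at the accounting port, the same check tells you whether a client's Accounting-Requests would be silently dropped by a strict server before you chase the problem on the server side.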


594302-1 : Connection hangs when processing large compressed responses from server

Component: Local Traffic Manager

Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.

Conditions:
An LTM policy that enforces decompression for responses is attached to the virtual server. The virtual server also has an HTTP compression profile attached to it. The server sends large compressed responses.

Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.

Fix:
The large compressed responses are successfully processed and no connection hangs are seen.


594288-1 : Access profile configured with SWG Transparent results in memory leak.

Component: Access Policy Manager

Symptoms:
Access profile configured with SWG Transparent results in memory leak.

Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.

Impact:
TMM leaks memory.

Workaround:
None

Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.


594127-2 : Pages using Angular may hang when Websafe is enabled

Component: Fraud Protection Services

Symptoms:
Pages using Angular may not load correctly when the Websafe "inject Javascript into page" option is enabled.

Conditions:
Application using Angular.js
Websafe: "inject Javascript into page" is enabled

Impact:
Page does not load fully

Fix:
Websafe no longer changes the page's "documentMode".


594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically

Component: Advanced Firewall Manager

Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.

Conditions:
1. pccd.alwaysfromscratch is set to true (the default value is false).
2. Modify some firewall rules.

Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.

Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.


593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)

Component: Advanced Firewall Manager

Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."

Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Impact:
Unable to delete the rules

Fix:
You can now delete ssh profile rules that contain spaces for the rules.


593696-1 : Sync fails when deleting an ssh profile

Component: Advanced Firewall Manager

Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."

Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.

Impact:
Sync fails.


593530-6 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.


593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Vulnerability Solution Article: K92859602


593355 : FPS may erroneously flag missing cookie

Component: Fraud Protection Services

Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.

Conditions:
Any component validation error.

Impact:
Missing Cookie errors counted when the validation error was not due to Missing Cookie

Workaround:
None.

Fix:
Fixed an issue with Missing Cookie error counting.


593078-1 : CATEGORY::filetype command may cause tmm to crash and restart

Component: Access Policy Manager

Symptoms:
If an iRule is created using the CATEGORY::filetype command, tmm may eventually fail and restart.

Conditions:
This can occur when using the CATEGORY::filetype iRule under normal operation.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash in CATEGORY::filetype


593070-2 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses, with PCRF communication for dynamic policy management, may crash due to a race condition.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for timer expiration prior to processing the timer.


592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
There is no diagnostics tool to investigate the rare issue in which the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
Systems with Cavium Nitrox PX/III chip(s), which include the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hit a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.


592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.

Conditions:
An HTML tag like this one:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases, HTML entities can be replaced by the corresponding characters using an iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-1 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784-2 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592716-1 : BMC timezone value was not being synchronized by BIG-IP

Component: TMOS

Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP.

Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.

Impact:
Timestamp is reported in the wrong time zone.

Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display.


592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.


592682-1 : TCP: connections may stall or be dropped

Component: Local Traffic Manager

Symptoms:
TCP connections stall or get dropped.

Conditions:
Under some network conditions, especially with the rateshaper enabled, a TCP connection could stall and ultimately get reset.

Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.

Fix:
Properly manage retransmissions after a tail drop by not doing the exponential back-off, and reset the retransmit timer for every partial ACK received after a tail drop.


592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.

Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.


592485 : Linux kernel vulnerability CVE-2015-5157

Vulnerability Solution Article: K17326


592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


592363 : Remove debug output during first boot of VE

Component: TMOS

Symptoms:
There was unneeded debug output during the first boot of VE on Cloud deployments.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
Extra debug output on first boot.

Fix:
Debug output was removed.


592354 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with the UNIC driver instead of using raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling the UNIC driver will force raw sockets to be used.

Fix:
Enabled raw sockets by default on Cloud deployments.


592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1

Component: TMOS

Symptoms:
When a fastL4 profile's pva-offload-state is set to establish (the default is embryonic), a UDP virtual server using that profile does not offload UDP traffic, which causes performance degradation.

Conditions:
This issue was introduced during v12.0.0 development and only impacts the v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.

Impact:
Performance degradation.

Workaround:
Use the default pva-offload-state setting of embryonic for the fastL4 profile.

Fix:
With the fix in 12.1.2 and 13.0.0, ePVA offloads UDP traffic when pva-offload-state is set to establish.


592274-3 : RAT-Detection alerts sent with incorrect duration details

Component: Fraud Protection Services

Symptoms:
If a remote access trojan (RAT) detection alert is thrown immediately upon initialization, the timestamp of the alert will be incorrect.

Impact:
False positives.

Workaround:
None.

Fix:
When a RAT Detected alert is generated within 5 seconds of page load, actualCounter in the alert details is now lower than 5 seconds, for example:
"timeToResetCounter":5000,"actualCounter":4296


592113-5 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause a core dump.

Conditions:
HA setup, with mirroring enabled on a virtual that has DoS vectors configured.

Impact:
Traffic disrupted while tmm restarts.


592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the Tcl context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.

Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.


591918-2 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: K61974123


591908-2 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: K29154575


591894-2 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: K10550253


591881-1 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: K25102203


591840-1 : encryption_key in access config is NULL in whitelist

Component: Access Policy Manager

Symptoms:
encryption_key in the access config is sometimes NULL when the 404 whitelist action is applied, which results in a TMM crash.

Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to the above action has expired.
- FIPS platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.


591806-8 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: K03151140


591767-8 : NTP vulnerability CVE-2016-1547

Vulnerability Solution Article: K11251130


591733-4 : Save on Auto-Sync is missing from the configuration utility.

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You must have TMSH access to the BIG-IP system to perform this task.

Workaround:
Use TMSH to configure the save-on-auto-sync option.

Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.

Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".


591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
Product corrected to prevent crash when there are no available members.


591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool member's max keep-alive setting. This forces OneConnect to close the connection before the pool member does.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591590-1 : APM policy sync results are not persisted on target devices

Component: Access Policy Manager

Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, and history, are not persisted on target devices after sync when there is no LSO resolution.

Conditions:
- Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by previous sync

- Start a policy sync

Impact:
Sync results, including the policy profiles, are not persisted, so when the BIG-IP restarts, all the sync data is lost.

Workaround:
Run the following tmsh command to save the configuration:

tmsh save sys config

Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.


591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices

Component: TMOS

Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.

Conditions:
This issue can occur on systems with VCMP guests; its occurrence is more likely with a higher number of cores.

Impact:
sflow agent will crash.

Fix:
The allocated interface index for a VLAN is now checked so that it is not already taken by another interface object.


591476-7 : Stuck crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox-based systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 5xxx, 7xxx, 10xxx, 11xxx, and 12xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue.


591455-7 : NTP vulnerability CVE-2016-2516

Component: TMOS

Symptoms:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Conditions:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Impact:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Fix:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253


591447-1 : PHP vulnerability CVE-2016-4070

Component: TMOS

Symptoms:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Conditions:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Impact:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Fix:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html


591438-7 : PHP vulnerability CVE-2015-8865

Vulnerability Solution Article: K54924436


591358-1 : Oracle Java SE vulnerability CVE-2016-3425

Vulnerability Solution Article: K81223200


591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.

Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.


591328-7 : OpenSSL vulnerability CVE-2016-2106

Vulnerability Solution Article: K36488941


591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Vulnerability Solution Article: K75152412


591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
The VS hostname is not resolvable when the DNS Relay proxy is installed and running under certain conditions; it depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.

Conditions:
Specific client machine configuration.

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean the Windows DNS cache: ipconfig /flushdns
or
* Disable the DNS Relay proxy service

Fix:
The DNS Relay proxy service now cleans up the DNS cache after initialization, mitigating the issue described.


591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID

Component: TMOS

Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".

Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.

Impact:
Some network management applications may report errors and fail.

Workaround:
None.

Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.


591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers

Component: Access Policy Manager

Symptoms:
Currently APM always attempts to use route domain 0 when the VMware View HTML5 client is launched.

This doesn't work with the virtual servers in non-zero route domains.

Conditions:
APM configured as a PCoIP proxy on a VS in a non-zero route domain.

Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality.

Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.


591139 : TMM QAT segfault after zlib/QAT compression conflation.

Component: Local Traffic Manager

Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.

Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.

Impact:
TMM segfaults.

Workaround:
Disable hardware accelerated compression with:

    tmsh modify sys db compression.strategy value speed

Fix:
TMM QAT compression added pointer-hardening for compression context.


591119 : OOM with session messaging may result in TMM crash

Component: TMOS

Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.

Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce load on box in order to avoid OOM conditions.

Fix:
Initialize storage on memory allocation failure.


591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries regarding assigned ACL information. If the reply message contains an out-of-memory error, TMM does not handle it properly and cores.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.


591104-1 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.

Fix:
ospfd no longer crashes when debugging is enabled in imish.


591042-17 : OpenSSL vulnerabilities

Vulnerability Solution Article: K23230229


591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE

Component: TMOS

Symptoms:
When configuring the instance for auto-scaling purposes and subsequently generating the Custom/Model AMI that is used for autoscaling VEs, the new instances generated from this image might have the old DHCP lease acquired by the custom instance before an AMI was generated from it. This can collide with the new lease that the new instances get at boot-up.

Conditions:
This occurs when Auto-scaling VEs.

Impact:
Multiple valid dhclient leases exist, which could result in dhclient on the BIG-IP choosing the wrong IP address for the management interface.

Workaround:
Delete /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI from it.

Fix:
Auto-scaling AMIs no longer contain a DHCP lease when they are saved.


590993 : Unable to load configs from /usr/libexec/aws/.

Component: TMOS

Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.

Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.

Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ as a legitimate config location.

Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:

tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}".

Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.


590904-1 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair are Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group without network failover configured but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.


590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


590805-4 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
The Active Rules page is loaded after the BIG-IP system time zone has been changed.

Impact:
The GUI shows an incorrect time zone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.

Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.


590795-1 : tmm crash when loading default signatures or updating classification signature

Component: Traffic Classification Engine

Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.

Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.

Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.

Fix:
Fixed a crash when loading classification signatures.


590779 : Rest API - log profile in json return does not include the partition but needs to

Component: TMOS

Symptoms:
When querying a log profile via the REST API, the returned response does not include the partition name in fullPath.

For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample

The JSON returned contains
    "fullPath": "mySample",
It should contain
    "fullPath": "/Common/mySample",

This can cause BIG-IQ to fail to sync.

Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.

Impact:
Applications that rely on the full (partition-qualified) path can fail.

Fix:
The REST API now provides the full path to the log profile.
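An automation client that must keep working against an affected 12.1.x unit can rebuild the partition-qualified path itself. The following added example (not F5 or BIG-IQ code) derives the partition from the ~Common~ encoding in selfLink when fullPath lacks the leading partition. SAMPLE_RESPONSE is a constructed JSON response modelled on the URL above; the kind value and the ver query parameter in it are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the affected response: fullPath lacks the partition,
# while the selfLink still carries the ~Common~ encoded parent profile name.
# The 'kind' value and '?ver=' parameter are assumptions for illustration.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:security:log:profile:application:applicationstate",
    "name": "mySample",
    "fullPath": "mySample",
    "selfLink": "https://localhost/mgmt/tm/security/log/profile/"
                "~Common~mySample/application/mySample?ver=12.1.2",
})


def decode_segment(segment):
    """iControl REST encodes '/' inside object names as '~' (~Common~mySample)."""
    return segment.replace("~", "/")


def partition_from_selflink(self_link):
    """Return the partition of the first ~-encoded path segment in selfLink."""
    for segment in urlparse(self_link).path.split("/"):
        if segment.startswith("~"):
            # '/Common/mySample' -> ['', 'Common', 'mySample']
            return decode_segment(segment).split("/")[1]
    raise ValueError("no partition-qualified segment in selfLink")


def normalize_full_path(obj):
    """Return a partition-qualified fullPath, tolerating the bug where the
    partition is omitted. Prefers an explicit 'partition' field if present."""
    full_path = obj.get("fullPath", "")
    if full_path.startswith("/"):
        return full_path
    if "partition" in obj:
        return "/%s/%s" % (obj["partition"], full_path)
    return "/%s/%s" % (partition_from_selflink(obj["selfLink"]), full_path)


def parse_and_normalize(text):
    """Parse a JSON response body and return its normalized fullPath."""
    return normalize_full_path(json.loads(text))


if __name__ == "__main__":
    print(parse_and_normalize(SAMPLE_RESPONSE))
```

The explicit partition field, when present, is preferred over the selfLink because the selfLink of a sub-collection item identifies the parent object's partition, which is the right answer here only because a log profile and its application sub-object live in the same partition.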


590608-1 : Alert is not redirected to alert server when unseal fails

Component: Fraud Protection Services

Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.

Conditions:
1. Unsealing alert failure.
2. iRule enabled.

Impact:
The alert is not redirected to the alert server, and FPS returns a 404 response.

Workaround:
Disable iRule.

Fix:
FPS now correctly redirects the alert.


590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Component: Access Policy Manager

Symptoms:
After the end user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI.

Conditions:
BIG-IP is used as SAML SP, and no relay state is configured on either the SP or the IdP.

Impact:
User is not redirected to original request URI.

Workaround:
The following workaround works when the first client request to BIG-IP as SP is a GET. It is not applicable when the first client request is a POST.

Configure the SP object with a relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, the end user is redirected to the landing URI (reflected back by the IdP in the relay state).

Fix:
SAML SSO requests will now be redirected to the original request URI.


590578-4 : False positive "URL error" alerts on URLs with GET parameters

Component: Fraud Protection Services

Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.

Conditions:
Use of URLs with GET parameters.

Impact:
Unwanted alerts in alert server.

Workaround:
None

Fix:
The hash was calculated on slightly different URL inputs, causing a mismatch. This has been corrected.


590428-1 : The "ACCESS::session create" iRule command does not work

Component: Access Policy Manager

Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual server, the command does not resume properly, causing sessions to disconnect or hang.

Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.

Impact:
The APM virtual server does not function correctly.

Workaround:
Remove the "ACCESS::session create" iRule command from the iRule attached to the virtual server.

Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.


590345-1 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you use the iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Use this command instead:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.


590211-2 : jitterentropy-rngd quietly fails to start

Component: TMOS

Symptoms:
If jitterentropy-rngd fails to start during system start, it does so quietly, so the init.d script reports [ OK ] when it should report [ FAILED ].

This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):

Generating /var/named/config/rndc.key ( 09:08:10 ) ...

Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.

Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.

Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).

2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).

Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.


590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Component: Local Traffic Manager

Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. Such clients may require the 'tls-rollback-bug' option to be set.

Conditions:
The standard behaviour of TLS clients is to put ClientHello.client_version in the pre-master secret (PMS).

Some clients incorrectly put the negotiated version in the PMS instead.

Impact:
Failed TLS handshake.

Workaround:
Configure the BIG-IP client SSL profile to include tls-rollback-bug, using a command similar to the following:

create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }

Fix:
Added support for tls-rollback-bug

Behavior Change:
This release provides improved support for the "TLS rollback bug workaround" feature described in Managing SSL Traffic :: Configuring workarounds in the LTM documentation on AskF5 ([1] below). The value is set by the existing tls-rollback-bug option, using the command in [2] below.

This is an existing option.

When this option is enabled in a clientssl profile, RSA-only cipher suites get relaxed treatment of the version field that the SSL/TLS client sets at the start of the sequence of bytes encrypted to the server's RSA key, called the pre-master secret (PMS).

With the option enabled, the PMS may contain either ClientHello.client_version or the negotiated version. The standard behaviour of TLS clients is to use ClientHello.client_version in the PMS.

[1] https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html.

[2] create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }
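The check that this option relaxes is the version comparison a TLS server performs on the decrypted RSA pre-master secret (RFC 5246, section 7.4.7.1); it exists to detect version rollback, so the option should be enabled only on profiles that must serve such non-compliant clients. The following added example is a model of that check written for this note, not BIG-IP's implementation: in strict mode only ClientHello.client_version is accepted, with tls_rollback_bug set the negotiated version is accepted as well, and on a mismatch the server sends no alert and continues with a random pre-master secret so the handshake fails at Finished without exposing a padding-oracle signal. The version constants and the demo scenario are constructed.

```python
import os

TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)


def client_make_pms(version):
    """Client side: the 48-byte PreMasterSecret is a 2-byte version followed by
    46 random bytes. A compliant client uses ClientHello.client_version here."""
    return bytes(version) + os.urandom(46)


def server_check_pms(pms, client_hello_version, negotiated_version,
                     tls_rollback_bug=False):
    """Server side: validate the version field of the decrypted PMS.

    Strict mode (RFC 5246 7.4.7.1): only ClientHello.client_version is accepted.
    Relaxed mode (tls-rollback-bug): the negotiated version is accepted too.
    On mismatch no alert is sent; a random PMS is substituted so the handshake
    fails at Finished without acting as a Bleichenbacher-style oracle.
    Returns (accepted, pms_to_use)."""
    accepted_versions = {tuple(client_hello_version)}
    if tls_rollback_bug:
        accepted_versions.add(tuple(negotiated_version))
    if len(pms) == 48 and (pms[0], pms[1]) in accepted_versions:
        return True, pms
    return False, os.urandom(48)


def demo():
    """Constructed scenario: the client offered TLS 1.2 and the server
    negotiated TLS 1.0, as happens with a client behind an old-version server."""
    compliant = client_make_pms(TLS_1_2)   # ClientHello.client_version in PMS
    buggy = client_make_pms(TLS_1_0)       # negotiated version in PMS (wrong)
    return {
        "compliant_strict": server_check_pms(compliant, TLS_1_2, TLS_1_0)[0],
        "buggy_strict": server_check_pms(buggy, TLS_1_2, TLS_1_0)[0],
        "buggy_relaxed": server_check_pms(buggy, TLS_1_2, TLS_1_0,
                                          tls_rollback_bug=True)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The returned tuple matters: a server that rejects by sending an alert, or that rejects a bad version but keeps the original PMS, either leaks information about the decryption or defeats the purpose of the check. Substituting random bytes and carrying on is what makes the failure indistinguishable from a wrong key.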


590074-1 : Wrong value for TCP connections closed measure

Component: Application Visibility and Reporting

Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.

Conditions:
TMM_API debug enabled.

Impact:
Wrong value displayed.

Workaround:
Do not turn on debug printing.

Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.


589661 : PS2 power supply status incorrect after removal

Component: TMOS

Symptoms:
After removing the second power supply (PS2), running system_check still reports VINPUT and VOUTPUT for that supply as good:

system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present

Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check.

Impact:
Erroneous indication that the power supply is still good

Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.


589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
The congestion window is small relative to the message size and Appropriate Byte Counting (abc) is enabled; the issue might also manifest when the server-side MTU is greater than the client-side MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.

Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.


589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when the exactly matching route is deleted, ospfd sends an LSA with age 1 and then immediately sends an update with age 3600 (MaxAge).

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.


589318-1 : Clicking 'Customize All' checkbox does not work.

Component: Fraud Protection Services

Symptoms:
Clicking 'Customize All' in the Safari browser does not check the checkboxes below it, and the settings remain grayed out.

Conditions:
Provision and license FPS.

Impact:
The settings on the FPS child profile page cannot be customized in the GUI when using Safari.

Workaround:
Use tmsh to configure the settings.

Fix:
Clicking the 'Customize All' checkbox in the Safari browser now checks the checkboxes below it and changes the state of the corresponding settings.


589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes the BIND9 validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the BIG-IP DNSSEC implementation does not support the DS record. Those queries are forwarded to the back end (BIND, if selected as fallback). Because there is no ZSK/KSK for the insecure child zone, BIND responds with an SOA, which BIG-IP signs dynamically.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If the response is NODATA from either the proxy or a transparent cache, and the query type is DS, the types bitmap is now set to NS.


589223-1 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During the SSL handshake, if the server sends a protocol alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.


589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit

Component: Local Traffic Manager

Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.

Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.

Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.


588888-3 : Empty URI rewriting is not done as required by browser.

Component: Access Policy Manager

Symptoms:
An empty URI must be rewritten the same way by the server-side and client-side rewriters: as an empty URI (all browsers treat this type of URI in a specific way). Currently it is not.

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.

Fix:
This release fixes the issue so that the empty URI is rewritten the same way at the server side and the client side: as an empty URI (all browsers treat this type of URI in a specific way).


588879-2 : apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond

Component: Performance

Symptoms:
apmd crashes during periods of heavy Active Directory (LDAP) lookups.

Conditions:
APM is configured to use LDAP. This was seen during stress testing of AD queries.

Impact:
apmd crashes, and clients are unable to connect.


588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: TMOS

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stops.

Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.


588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent IP address, the DHCP server sends the ACK for the renewal to the relay agent IP (giaddr) instead of to ciaddr. The BIG-IP DHCP module does not process the ACK and update the lease time, so the PEM subscriber session ages out.

Conditions:
1) BIG-IP is in forwarding mode.
2) The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, a DHCP client sets it to 0).

Impact:
The PEM subscriber session ages out.


588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack

Component: Anomaly Detection Services

Symptoms:
Even 100% accurate detection of bad actors may not be enough to prevent an attack from affecting the BIG-IP system.

BIG-IP CPU utilization must be protected during an attack, both against known bad actors (in addition to the shun list) and against unknown IPs. This mechanism should still allow bad actor detection while keeping CPU utilization within reasonable limits.

Conditions:
High BIG-IP CPU utilization during a (D)DoS attack.

Impact:
Service impact due to high BIG-IP CPU utilization.

Workaround:
None.

Fix:
Added additional CPU protection during a (D)DoS attack.


588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated

Component: Anomaly Detection Services

Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.

Conditions:
This can occur when Bad Actor detection is used.

Impact:
CPU utilization will be higher than expected.

Fix:
An issue with references to already-detected bad actors that affected CPU utilization has been fixed.


588351-5 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588327 : "err bcm56xxd" messages observed in /var/log/ltm

Component: TMOS

Symptoms:
Messages similar to the following are observed in /var/log/ltm: err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0

Conditions:
This occurs during system start.

Impact:
The error is benign and can be ignored.

Fix:
The "No preconditioning provided for module" message is now logged at the info level.


588289-1 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders the existing pools, including the pool with order "0", when a pool is added with a specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
The pool order changes unexpectedly, which affects load balancing that uses the global-availability method.


588140 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE is not licensed.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments now completes successfully on both BIG-IQ and BIG-IP.


588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may crash in some specific scenarios if there is an overlapping, more specific route to the floating self IP range configured on the unit.

Conditions:
- The unit is configured with a floating self IP and allow-service != none.
- A more specific route to the self IP range exists via a gateway.
- The gateway configured for the overlapping route is unreachable.
- Ingress traffic arrives for the floating self IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


588089-3 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
Resumed SSL connections may fail when SSL mirroring is in use. This can result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.


588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation

Component: Application Security Manager

Symptoms:
An attack is detected, but prevention does not escalate in session opening mitigation.

Conditions:
A session opening attack in which the attacker answers the challenges.

Impact:
The attack continues.

Workaround:
Configure attack prevention as rate limiting.

Fix:
Fixed attack escalation in some cases on session opening.


588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer

Component: Fraud Protection Services

Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.

Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.

Impact:
High number of false positive alerts in alert dashboard.

Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.

Fix:
Fixed parsing in relevant browsers.


588049-1 : Improve detection of browser capabilities

Component: Application Security Manager

Symptoms:
Browsers can override native functions and thereby manipulate the Proactive Bot Defense (PBD) capabilities test.

Conditions:
1. Proactive Bot Defense is on.
2. The attacker overrides the browser's native functions.

Impact:
Malicious browsers can go undetected by PBD.

Workaround:
None.

Fix:
PBD now checks that the majority of the browser's native functions have not been overridden.


587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Component: Local Traffic Manager

Symptoms:
On an LTM FastL4 DNS virtual server or SNAT, the first A query is dropped when A and AAAA queries are sent at the same time from the same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
Type A DNS queries are dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A queries are no longer dropped when A and AAAA DNS queries are sent at the same time from the same source IP and port.


587791-1 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes in the build process, /var/lib/waagent did not have the execute permission set. This caused user custom scripts to fail to execute during deployment.

Conditions:
First deployment of the VM in Azure, which requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
None.

Fix:
Execute permissions are now set correctly on the /var/lib/waagent directory.


587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Component: TMOS

Symptoms:
The ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This often happens when a VIPRION 4480 or 4800 chassis with B4450 blades reboots.

Impact:
No operational impact. This is a cosmetic message that you can safely ignore.

Workaround:
None needed. This message is cosmetic only.

Fix:
A more robust XLMAC recovery mechanism has been implemented, which reduces the maximum number of retries to four. It does not completely eliminate the warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.


587735 : False alarm on LCD indicating bad fan

Component: TMOS

Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad, however in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.

Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.

Impact:
No functional impact. The user may experience concern over the false alarms.

Workaround:
Press green check button on the front of chassis bezel to clear the alarm.


587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd no longer crashes when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.


587676-2 : SMB monitor fails due to internal configuration issue

Component: Local Traffic Manager

Symptoms:
SMB monitor fails due to internal configuration issue

Conditions:
Configure the SMB monitor

Impact:
SMB monitor fails to execute

Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly


587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.

Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized away, and the keypress is passed along later so that it is not lost. Pressing the LCD checkmark button now correctly brings up the clearing prompt on VIPRION blades.


587656-2 : GTM auto discovery problem with EHF for ID574052

Component: Global Traffic Manager

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global unexpectedly have status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global unexpectedly have status Checking instead of Available.

Workaround:
Skip to the next Engineering Hotfix:
v11.4.1-hf10/hotfix/HF10-690.10-ENG

Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.


587629-2 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
Many IPs with the same address but different route domains are defined, and configuration changes were made to the exception properties of these IPs.

Impact:
For example, an IP that is configured to be ignored is not ignored.

Workaround:
bigstart restart asm

Fix:
Fixed an issue with IP exceptions and route domains.


587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object is configured with an existing self IP.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd no longer cores.


587419-1 : TMM may restart when SAML SLO is performed after APM session is closed

Component: Access Policy Manager

Symptoms:
TMM may core when a user performs SAML SLO on an SP/IdP external to BIG-IP and the BIG-IP APM session is no longer valid.

Conditions:
- The user initiates SAML SLO on an external SAML provider, and the external provider redirects the user to BIG-IP with an SLO request.
- The user does not have a valid session on BIG-IP when the SLO request is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SAML SLO by removing the SLO request/response URLs from the configuration.

Fix:
TMM will no longer restart in the case described above.


587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.

Component: Carrier-Grade NAT

Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.

Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.

Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.

Workaround:
None.

Fix:
Inbound connections are no longer reset when zombie_timeout is configured to a non-zero value.


587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Vulnerability Solution Article: K37603172


587016-3 : SIP monitor in TLS mode marks pool member down after positive response.

Component: Local Traffic Manager

Symptoms:
SIP monitor in TLS mode marks the pool member down after a positive response. A pool member monitored by a SIP monitor in TLS mode is constantly marked down.

Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.

Impact:
Unable to monitor the status of the TLS SIP server.

Workaround:
None.

Fix:
SIP monitor in TLS mode now marks pool member up after positive response. This is correct behavior.


586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all of the following conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have a cert-key-chain name but no cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
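Step 2 of the workaround is a manual search through /config/bigip.conf. The following added example (not F5 code, and not part of this release note) automates that search: it parses the brace-delimited bigip.conf syntax into nested dictionaries and flags client-ssl profiles whose cert-key-chain entries and top-level cert/key fields name no certificate/key pair, which covers both shapes shown in the workaround. The sample configuration is constructed from the two profiles above plus one well-formed profile; the detection rule is a heuristic assumption, not F5's validator, so treat its output as a list of profiles to review before upgrading.

```python
"""Flag client-ssl profiles in a bigip.conf that have no usable cert/key pair."""
import shlex

# Constructed sample: the two broken profiles from the workaround plus one
# well-formed profile (an assumption for illustration, not from a real system).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default-empty {
    app-service none
    cert none
    cert-key-chain {
        default { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_ok {
    app-service none
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key default.key
    passphrase none
}
"""


def _parse_block(tokens, pos):
    """Parse tokens after an opening '{' into a dict, up to the matching '}'.

    Entries are 'key value' pairs or 'name { ... }' nested blocks, which is
    all that the client-ssl stanzas in the workaround contain.
    """
    block = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return block, pos + 1
        if pos + 1 < len(tokens) and tokens[pos + 1] == "{":
            block[tok], pos = _parse_block(tokens, pos + 2)
        else:
            if pos + 1 >= len(tokens):
                raise ValueError("dangling key %r" % tok)
            block[tok] = tokens[pos + 1]
            pos += 2
    raise ValueError("unterminated block")


def parse_bigip_conf(text):
    """Return {object header: body dict} for each top-level object in the text."""
    tokens = shlex.split(text, comments=True)  # '"" { }' tokenises to ['', '{', '}']
    objects = {}
    pos = 0
    while pos < len(tokens):
        header = []
        while pos < len(tokens) and tokens[pos] != "{":
            header.append(tokens[pos])
            pos += 1
        if pos >= len(tokens):
            raise ValueError("object header without a body: %s" % " ".join(header))
        body, pos = _parse_block(tokens, pos + 1)
        objects[" ".join(header)] = body
    return objects


def _entry_has_pair(entry):
    """True when a cert-key-chain entry names both a certificate and a key."""
    return (isinstance(entry, dict)
            and entry.get("cert", "none") != "none"
            and entry.get("key", "none") != "none")


def find_profiles_missing_certkey(objects):
    """Return {profile name: reason} for client-ssl profiles lacking a cert/key pair.

    Heuristic (an assumption, not F5's validator): a profile is flagged when it
    does not explicitly inherit the parent's cert-key-chain and neither a
    cert-key-chain entry nor the top-level cert/key fields name a full pair.
    """
    findings = {}
    for header, body in objects.items():
        if not header.startswith("ltm profile client-ssl "):
            continue
        name = header.split()[-1]
        if body.get("inherit-certkeychain") == "true":
            continue  # the parent profile supplies the chain; nothing to check here
        chain = body.get("cert-key-chain", {})
        entries = chain if isinstance(chain, dict) else {}
        if any(_entry_has_pair(e) for e in entries.values()):
            continue
        if body.get("cert", "none") != "none" and body.get("key", "none") != "none":
            continue
        empty = [n or '""' for n, e in entries.items() if not _entry_has_pair(e)]
        findings[name] = "cert-key-chain entries without cert/key: %s" % (
            ", ".join(empty) if empty else "none configured")
    return findings


if __name__ == "__main__":
    for profile, reason in find_profiles_missing_certkey(parse_bigip_conf(SAMPLE_CONF)).items():
        print(profile, "->", reason)
```

Run it against a copy of /config/bigip.conf (`parse_bigip_conf(open(path).read())`) on the pre-upgrade system; every profile it reports is a candidate for step 3 of the workaround. Profiles that set `inherit-certkeychain true` are skipped because their chain comes from the parent profile, which the script does not resolve.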


586738-4 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When IPsec is configured with hardware encryption, the encryption error path now returns an error code when appropriate and handles the error as expected, so tmm no longer crashes with a segfault.


586718-1 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password when the password variable is substituted. You may see logs similar to the following, with the encrypted password included:
debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution values should not be logged, even when the value is in encrypted form.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.


586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory

Component: Local Traffic Manager

Symptoms:
If an under-provisioned TMM runs out of memory, allocation failures may result. Incorrect error handling of allocation failures in the HTTP cookie code results in a TMM core.

Conditions:
Cookie persistence with encryption required is enabled on the virtual server, and an under-provisioned TMM runs out of memory, causing allocation failures.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Error handling in the HTTP cookie code has been fixed. Allocation failures now result in connection resets instead of a core due to an assertion.


586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Component: Advanced Firewall Manager

Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Workaround:
N/A

Fix:
Fixed the typo in the GUI.


586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation check fails.

Conditions:
Both of the following conditions must be met to trigger this problem:
1. A CRLDP agent is configured in the access policy without the server hostname and port, which are needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificate authentication is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585905-1 : Citrix Storefront integration mode with pass-through authentication fails

Component: Access Policy Manager

Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. The client fails with the error message "Authentication service is not reachable".

Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.

Impact:
Pass-through authentication cannot be used on the Storefront for remote access to the store.

Workaround:
None

Fix:
Pass-through authentication can now be used for remote access to the store.


585833-3 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This is not a hard requirement: building a qkview may use much less than 2GB. Additionally, some F5 VE systems ship with less than 2GB in /shared, so qkviews cannot be produced on them.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.

Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.


585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Component: Advanced Firewall Manager

Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic.

Conditions:
The following conditions together trigger the issue:

a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic

AND

b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)

Impact:
Translation failure occurs as described, resulting in connection failures.

Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.

Fix:
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.


585813-3 : SIP monitor with TLS mode fails to find cert and key files.

Component: Local Traffic Manager

Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.

Conditions:
SIP monitor with TLS mode.

Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.

Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.

Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.


585807-2 : 'ICAP::method <method>' iRule is documented but is read-only

Component: Service Provider

Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]

Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.

Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.

Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.

Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.


585745-2 : sod core during upgrade from 10.x to 12.x.

Component: TMOS

Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.

Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.

Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.

Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.

Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.


585654 : Enhanced implementation of AES in Common Criteria mode

Component: Local Traffic Manager

Symptoms:
Common Criteria (CC) mode disallows the use of the dedicated BIG-IP crypto accelerator. Performance of the BIG-IP system in CC mode may not match benchmarks for some CPU-based AES implementations.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
Lower performance with CBC-based AES ciphersuites.

Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.


585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Fix:
VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.


585547-1 : NTP configuration items are no longer collected by qkview

Component: TMOS

Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.

Conditions:
Execute qkview to collect diagnostic information.

Impact:
Possibility for keys to be exposed.

Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.

Fix:
With this release, qkview no longer collects this file.


585485-3 : Interoperability with "delete IPSEC-SA" between Azure, ASA and BIG-IP

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

BIG-IP sends and expects delete messages with two SPIs inside.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector

Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.


585442-2 : Provisioning APM to "none" creates a core file

Component: Access Policy Manager

Symptoms:
Provisioning APM level to "none" may result in apmd creating a core file.

Conditions:
When the APM service is shut down, the apmd daemon may create a core file.

Impact:
Harmless

Workaround:
There is no loss in functionality.


585424-1 : Mozilla NSS vulnerability CVE-2016-1979

Vulnerability Solution Article: K20145801


585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory', and the email is not delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.

Conditions:
Update brute force settings in the GUI.

Impact:
The unique part of the record (rest_uuid) is updated, so existing selfLinks no longer resolve.

Workaround:
Update brute force settings using the REST API.

Fix:
The GUI no longer changes rest_uuid when brute force settings are updated.


585332 : Virtual Edition network settings aren't pinned correctly on startup

Component: TMOS

Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).

Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.

Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.

Workaround:
Running 'bigstart restart tmm' restarts the network interfaces and pins them to the correct IRQs.

Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.


585120-1 : Memory leak in bd under rare scenario

Component: Application Security Manager

Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions.

Conditions:
ASM enabled and under high traffic.

Impact:
Traffic is aborted while the restart happens; high swap and memory usage.

Workaround:
None.

Fix:
A memory leak in the bd was fixed.


585097-1 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.

Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.


585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement

Component: Application Security Manager

Symptoms:
When you import an XML file that contains references to violations in the delay blocking session tracking configuration, extra violations get added to the list.

Conditions:
This occurs when importing delay-type violations in ASM.

Impact:
A very large subset of the violations is added to the policy.

Fix:
BIG-IP now imports delay-type violations correctly.


584926-1 : Accelerated compression segfault when devices are all in error state.

Component: Local Traffic Manager

Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.

Conditions:
All physical or virtual devices concurrently enter error state.

Impact:
Tmm segfaults and restarts. May require a reboot.

Workaround:
Disable QAT compression using tmsh:

tmsh modify sys db compression.strategy value softwareonly

Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.


584921-1 : Inbound connections fail to keep port block alive

Component: Carrier-Grade NAT

Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However, inbound connections to a client using a port block fail to refresh the block, causing the block to expire prematurely. An inbound connection can remain active after the port block has been deleted.

Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.

Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an ip address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client when the reverse map is performed at a time when the connection is closed.

Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.

Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.


584670 : Output of tmsh show sys crypto master-key

Component: TMOS

Symptoms:
In this release, tmsh show sys crypto master-key has changed and will now display its output as the base 64 encoded form of a SHA512 hash.

Conditions:
You will see this when running tmsh show sys crypto master-key, f5mku -Z, or f5mku -U.

Impact:
None


584661 : Last good master key

Component: TMOS

Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.

Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Impact:
UCS load fails when extracting a UCS that came from another system.

Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as the other device you are importing from, then load the UCS from the other system. If master key decryption fails, the system will load the master key that was in effect before the UCS load was initiated. If that master key matched the master key from the system where the UCS was taken then encrypted attributes in the UCS can be loaded into the configuration.


584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file

Component: TMOS

Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password-protected master key is not imported.

Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, using the UCS file from that platform to platform-migrate to 12.1.1. This only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles.

Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.

Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password-protected master key on the 10.2.4 release. Without these steps, the impact described above remains. See the 10.2.4-specific solution at https://support.f5.com/csp/#/article/K9420


584642-1 : Apply Policy Failure

Component: Application Security Manager

Symptoms:
Some policies cannot be successfully applied/activated.

Conditions:
Signature overrides on Content Profiles are configured.

Impact:
Policy cannot be applied.

Workaround:
None.

Fix:
Policies can be successfully applied.


584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None


584583-3 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The Rest API can timeout when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.


584582-1 : JavaScript: 'baseURI' property may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If a generic JavaScript object has a 'baseURI' property, it may be handled incorrectly by Portal Access: the web application may get an 'undefined' value for this property.

Conditions:
User-defined JavaScript object with 'baseURI' property.

Impact:
Web application may work incorrectly.

Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.

Fix:
Now JavaScript objects with 'baseURI' property are handled correctly by Portal Access.


584471-1 : Priority order of clientssl profile selection of virtual server.

Component: Local Traffic Manager

Symptoms:
When a SSL connection with specified server name is received in a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.

The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.

Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes SNI (server name) extension in the clienthello, used to specify its desirable SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).

Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.

Workaround:
None.

Fix:
Priority order of clientssl profile selection of virtual server. The system now matches the server name using the following rules:

(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.

So the common-name match is last, which is correct according to RFC6125.
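The two rule orders above are easy to state but easy to get wrong when reasoning about which profile a given SNI value lands on. The following added example (not F5 code) models the selection as an ordered list of matching rules over constructed profile data, so the old and fixed orders can be compared side by side. The profile names, certificate names and matching helpers are assumptions for illustration; matching is exact and case-insensitive (DNS names are case-insensitive), and the fallback used when no rule matches is not described on this page, so the model returns None in that case.

```python
"""Model of clientssl profile selection by SNI: pre-fix order vs the RFC 6125 order."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


@dataclass
class ClientSslProfile:
    name: str
    server_name: Optional[str]        # explicit server-name configured on the profile
    cert_cn: str                      # subject CN of the profile's certificate
    cert_sans: List[str] = field(default_factory=list)  # dNSName subject alternative names


def _same_name(a: Optional[str], b: str) -> bool:
    # DNS names compare case-insensitively; no wildcard handling (assumption: exact match only)
    return a is not None and a.lower() == b.lower()


def match_server_name(p: ClientSslProfile, sni: str) -> bool:
    return _same_name(p.server_name, sni)


def match_common_name(p: ClientSslProfile, sni: str) -> bool:
    return _same_name(p.cert_cn, sni)


def match_san(p: ClientSslProfile, sni: str) -> bool:
    return any(_same_name(s, sni) for s in p.cert_sans)


Rule = Callable[[ClientSslProfile, str], bool]
OLD_ORDER: Sequence[Rule] = (match_server_name, match_common_name, match_san)    # rules (1)(2)(3) before the fix
FIXED_ORDER: Sequence[Rule] = (match_server_name, match_san, match_common_name)  # CN demoted to last resort


def select_profile(profiles: Sequence[ClientSslProfile], sni: str,
                   order: Sequence[Rule] = FIXED_ORDER) -> Optional[ClientSslProfile]:
    """Apply the rules in order; the first rule that matches any profile decides."""
    for rule in order:
        for p in profiles:
            if rule(p, sni):
                return p
    return None  # no match: the page does not describe the fallback, so none is modelled


# Constructed profiles (assumption): an old certificate whose CN is shop.example.com
# and a newer multi-SAN certificate whose CN is an internal label.
PROFILES = [
    ClientSslProfile("api_profile", "api.example.com", "api.example.com", ["api.example.com"]),
    ClientSslProfile("legacy_cn_profile", None, "shop.example.com", ["legacy.example.com"]),
    ClientSslProfile("san_profile", None, "frontend-01", ["shop.example.com", "www.example.com"]),
]


def compare(sni: str):
    """Return (profile chosen by the old order, profile chosen by the fixed order) for an SNI value."""
    old = select_profile(PROFILES, sni, OLD_ORDER)
    new = select_profile(PROFILES, sni, FIXED_ORDER)
    return (old.name if old else None, new.name if new else None)


if __name__ == "__main__":
    for name in ("api.example.com", "shop.example.com", "www.example.com", "other.example.net"):
        print(name, "->", compare(name))
```

For shop.example.com the old order stops at the CN match and returns the legacy profile, while the fixed order finds the SAN match first; for api.example.com the explicit server-name rule wins under both orders, which is why the fix only changes behaviour when conditions (2) and (3) above hold. On a real system the selected profile can be confirmed by connecting with `openssl s_client -servername <name>` and inspecting the returned certificate.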


584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.

Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.

Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.


584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.

Conditions:
Very long group names and resource names.

Impact:
Impossible to delete and move rows in the table; editing is still possible.

Workaround:
Spread one assignment across multiple rows.

Fix:
A scroll bar now appears when needed.


584310-1 : TCP::collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.

Conditions:
TCP::collect on server-side events such as SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.

Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The skip and length arguments of the TCP::collect command are now honored during packet processing.


584213-1 : Transparent HTTP profiles cannot have iRules configured

Component: Local Traffic Manager

Symptoms:
When an HTTP profile is configured in transparent mode but has a nonexistent iRule attached to it, tmm crashes.

Conditions:
An iRule is attached but the proxy is transparent, for example:

when HTTP_PROXY_REQUEST {
   after 1000
}

The configuration is changed from explicit to transparent while the iRule is waiting in the 'after' command. TMM then attempts to use configuration that no longer exists, and crashes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.

Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.


584103-2 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appear in the FPS logs.


584082-3 : BD daemon crashes unexpectedly

Component: Application Security Manager

Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:

"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".

Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.

Impact:
A bd crash, failover, traffic disturbance.

Workaround:
None.

Fix:
Fixed a bd crash scenario.


584029-6 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm cores due to an assertion failure.

Conditions:
tmm offloads a fragmented packet via an ffwd operation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.


583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces

Component: Local Traffic Manager

Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.

Conditions:
A netHSM device is configured on a TMM interface.

Impact:
The forward proxy feature does not work. This is an intermittent issue.

Workaround:
None.

Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.


583936-5 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
ECMP routes are now properly removed from the routing table.


583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and an "Illegal meta character in value" violation is triggered.


583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.

Fix:
When enabled by setting the db variable 'SSL.OuterRecordTls1_0' to 'enable', the outer SSL record always contains TLS1.0. This is the default. You can use this db variable to prevent an issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated that closes the connection.

Behavior Change:
Formerly, the version in the ClientHello and the version in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the version in the outer record is TLS 1.0 regardless of the version in the ClientHello. This is the default.
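
The distinction this note relies on is between the version in the 5-byte TLS record header (the "outer record") and the client_version field inside the ClientHello handshake message. The following script, added here as an illustration and not F5 code, builds a minimal ClientHello both ways (record header matching the hello version, as before, and record header pinned to TLS1.0, as with 'SSL.OuterRecordTls1_0' enabled), parses both fields back out of the bytes, and models an older server that rejects any record header newer than what it supports. The `outer_record_tls1_0` parameter, the fixed all-zero random and the `server_accepts` model are assumptions of the example, not BIG-IP internals.

```python
"""Record-layer version vs. ClientHello client_version (constructed example)."""
import struct

CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
TLS_NAMES = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def build_client_hello(client_version=(3, 3), cipher_suites=(0x002F, 0x0035),
                       client_random=bytes(32)):
    """Minimal ClientHello handshake message: no session id, no extensions.
    The random is fixed to zeros only so the example is deterministic."""
    body = bytes(client_version) + client_random + b"\x00"   # version, random, session_id len
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                      # one compression method: null
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def wrap_record(handshake, record_version):
    """Prepend the 5-byte record header carrying the given record-layer version."""
    return (bytes([CONTENT_HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def build_client_hello_record(client_version=(3, 3), outer_record_tls1_0=True):
    """outer_record_tls1_0 mirrors the db variable in the note (assumption of this
    example): True pins the record header to TLS1.0, False makes it match the hello."""
    record_version = (3, 1) if outer_record_tls1_0 else client_version
    return wrap_record(build_client_hello(client_version), record_version)


def parse_versions(record):
    """Return (record_version, client_version) from a ClientHello record,
    rejecting truncated, non-handshake or non-ClientHello input."""
    if len(record) < 5 + 4 + 2:
        raise ValueError("record too short")
    ctype, maj, minr, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) != 5 + rlen:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    return (maj, minr), (hs[4], hs[5])


def server_accepts(record, server_max=(3, 1)):
    """Model of the older-server behaviour described in the symptoms: the server
    rejects a record header newer than it supports before it looks at client_version."""
    record_version, _ = parse_versions(record)
    return record_version <= server_max


if __name__ == "__main__":
    for pinned in (False, True):
        rec = build_client_hello_record((3, 3), outer_record_tls1_0=pinned)
        outer, inner = parse_versions(rec)
        print(f"OuterRecordTls1_0={pinned}: record={TLS_NAMES[outer]} "
              f"hello={TLS_NAMES[inner]} old-server-accepts={server_accepts(rec)}")
```

Running it shows the two behaviours side by side: with the header matching the hello (TLS1.2/TLS1.2) the modelled TLS1.0-only server rejects the record, while with the header pinned to TLS1.0 it accepts it and can go on to negotiate from client_version.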


583516-2 : tmm ASSERT's "valid node" on Active, after timer fire.

Component: TMOS

Symptoms:
TMM crashes on ASSERT's "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crashes.

Workaround:
None.

Fix:
TMM no longer asserts on 'valid node'.


583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.


583177 : LCD text truncated by heartbeat icon on VIPRION

Component: TMOS

Symptoms:
While looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.

Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.

Impact:
The heartbeat icon is displayed over the last character of the string; this is cosmetic.

Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.


583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST:

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}

Fix:
When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM is configured, then wake up the ECA plugin."

The fix changed the logic to "if NTLM is configured and the ACCESS filter is not disabled, then wake up the ECA plugin."


583024-1 : TMM rarely restarts during startup

Component: Advanced Firewall Manager

Symptoms:
A TMM crashes with a core file during startup, then restarts correctly.

Conditions:
The system starts up.

Impact:
System startup takes longer, and a core file appears. Traffic is not impacted, and a failover usually does not occur, since the system had not yet reached the active state.

Workaround:
None.

Fix:
TMM no longer crashes during startup.


583010-4 : Sending a SIP invite with "tel" URI fails with a reset

Component: Service Provider

Symptoms:
Using an "INVITE tel:" URI results in a SIP error (Illegal value).

Conditions:
A SIP "INVITE tel:" request is sent to the BIG-IP system.

Impact:
"INVITE tel:" messages are not accepted by BIG-IP.

Workaround:
None

Fix:
An EHF will be released to address this issue. It will also be addressed in a future release.


582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual

Component: Local Traffic Manager

Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.

Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.

Impact:
WebSockets frames are not forwarded to the pool member.

Workaround:
Use a simple iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}

Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.
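
The fix above amounts to treating Connection as an HTTP list header: split on commas, trim whitespace, and compare the "upgrade" token case-insensitively. The following script is an added illustration, not F5's implementation: it parses a constructed 101 response and evaluates its Connection header with a strict matcher (the exact-string behaviour the symptoms describe) and a tolerant one (the behaviour the fix describes). The sample response and the function names are assumptions of the example.

```python
"""Connection-header token matching for the WebSocket handshake (constructed example)."""
from typing import Callable, Dict, List


def connection_tokens(value: str) -> List[str]:
    """Split a Connection header into its list members, trimming optional
    whitespace, dropping empty elements and lower-casing for comparison."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def strict_has_upgrade(value: str) -> bool:
    """Pre-fix behaviour from the symptoms: only the exact string 'Upgrade' passes,
    so 'upgrade' or 'keep-alive, Upgrade' is rejected."""
    return value == "Upgrade"


def tolerant_has_upgrade(value: str) -> bool:
    """Post-fix behaviour: an 'upgrade' token anywhere in the list, any case."""
    return "upgrade" in connection_tokens(value)


def parse_response_head(raw: bytes) -> Dict[str, object]:
    """Minimal parser for an HTTP/1.1 status line and headers. Repeated headers
    are merged with ', ' as RFC 7230 allows for list-valued fields."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        name, val = name.strip().lower(), val.strip()
        headers[name] = headers[name] + ", " + val if name in headers else val
    return {"status": status, "headers": headers}


def is_websocket_handshake(raw: bytes,
                           matcher: Callable[[str], bool] = tolerant_has_upgrade) -> bool:
    """True when the response is a 101 with 'Upgrade: websocket' and a Connection
    header that the supplied matcher accepts."""
    resp = parse_response_head(raw)
    headers = resp["headers"]
    if resp["status"] != 101:
        return False
    if headers.get("upgrade", "").strip().lower() != "websocket":
        return False
    return matcher(headers.get("connection", ""))


# Constructed server reply of the kind the note describes: lowercase token in a
# comma-separated list. The Sec-WebSocket-Accept value is the RFC 6455 example.
SAMPLE_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: keep-alive, upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("strict   matcher accepts handshake:", is_websocket_handshake(SAMPLE_101, strict_has_upgrade))
    print("tolerant matcher accepts handshake:", is_websocket_handshake(SAMPLE_101, tolerant_has_upgrade))
```

The tolerant matcher is the same check the workaround iRule sidesteps by rewriting the header to the single value "Upgrade" before the proxy inspects it.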


582752-3 : Macrocall may not be topologically connected to the rest of the policy.

Component: Access Policy Manager

Symptoms:
It is possible to create a macrocall access policy item that:

1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (i.e., no items pointing at it).

Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.

As a result, the macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete macrocall access policy item manually using tmsh commands.

Fix:
Any modification of an access policy is not allowed if it would leave any access policy item unreferenced.
At upgrade time, unreferenced access policy items are deleted, and all access policy items that follow them are deleted as well. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until new configuration changes are made. The active configuration can be saved with an explicit tmsh command ('tmsh save sys config partitions all').


582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
The xpath parser now restores the namespace declaration each time it finishes parsing a document.


582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid

Component: Application Visibility and Reporting

Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.

Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.

Impact:
Session statistics will report incorrectly.

Fix:
An issue with session statistics not clearing after session timeout has been fixed.


582526-3 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
It takes a very long time, or is not possible, to display huge policies (more than 4000 elements). VPE returns a server timeout error or simply halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.

Fix:
VPE loading times for APM policies are greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.


582465-1 : Cannot generate key after SafeNet HSM is rebooted

Component: Local Traffic Manager

Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.

Conditions:
The BIG-IP system uses the SafeNet HSM.

Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.

Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:

# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>

Or, you can reinstall SafeNet client.

Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.


582374-1 : Multiple 'Loading state for virtual server' messages in admd.log

Component: Anomaly Detection Services

Symptoms:
When a dosl7d profile is configured on a BIG-IP that is in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd logs multiple messages to admd.log similar to the following:

47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server

Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster

Impact:
Excessive logging occurs to /var/log/adm/admd.log

Workaround:
None

Fix:
An issue with excessive logging to admd.log has been fixed.


582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)

Component: Application Security Manager

Symptoms:
When the conditions of the "Track Site Change" settings are met, the staging flag on "*" entities is supposed to be turned ON in order to learn subsequent site changes without blocking traffic. However, this does not happen; the staging flag stays OFF.

Conditions:
Staging was set OFF on a "*" entity. After that, the conditions of the "Track Site Change" settings are met.

Impact:
In a situation where the protected web application has changed, ASM can block traffic that should not be blocked.

Workaround:
The staging flag can be changed manually via the GUI.

Fix:
The problem was a side effect of other code changes. The code now correctly accounts for the "Track Site Change" conditions and changes the staging flag when needed.


582084-1 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When a BWC policy is created both in the global sync group and locally, the configuration displays an error.

Conditions:
A BWC policy is created both in the global sync group and locally.

Impact:
Configuration error; BWC policies are not synced due to the errors.

Workaround:
Ensure that the BWC policy is in the global sync group only.

Fix:
BWC policies are now configured for device group sync only in the global group, not locally.


581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile

Component: Application Security Manager

Symptoms:
A log message arrives at a remote logger even though the remote logger's filter criteria do not match it.

Conditions:
More than one logging profile is attached to a virtual server, and the logging profiles have different filter conditions.

Impact:
Unrelated messages are presented at the remote logger.

Fix:
Fixed an issue with multiple remote logging profiles that have different filters.


581945-2 : Device-group "datasync-global-dg" becomes out-of-sync every hour

Component: TMOS

Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.
When this happens, the user can manually sync the device-group, but after about an hour the device-group becomes out-of-sync again.

Conditions:
1. This happens only in certain timezones, depending on the timezone configured on the BIG-IP. We have only seen this happening in the Europe/London timezone.
2. The problem will start happening about 3 days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.

Impact:
GUI/shell shows config-sync "possible change conflict" or "changes pending" in regards to the datasync-global-dg device-group.

Workaround:
None

Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.


581840-5 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Component: Device Management

Symptoms:
Managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an administrator account named something other than “admin” can fail.

Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system using an account other than “admin”.

Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.

Fix:
BIG-IP version 11.6.1 or 11.6.1 HF1 can now be managed through BIG-IQ.

Behavior Change:
Local requests through the iControl client are now made on port 80 instead of 443.


581835-1 : Command failing: tmsh show ltm virtual vs_name detail.

Component: TMOS

Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:

01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.

Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.

Impact:
No information is displayed by the tmsh show command.

Workaround:
None.

Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.


581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.

Conditions:
Clients using Firefox v47 and above attempt to use the Firefox plugin.

Impact:
Clients are unable to use the plugin if they are using Firefox version 47 and above.

Fix:
The Firefox plugin now supports all versions.


581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.

Conditions:
Viewing the properties page of the GSLB monitors tcp_half_open, gateway_icmp, and bigip_link.

Impact:
You cannot view some of these monitors' properties.

Fix:
Fixed the "Instance not found" error.


581811 : The blade alarm LED may not reflect the warning that non-F5 optics are used.

Component: TMOS

Symptoms:
When non-F5 optics are used for front switch ports, the LCD and /var/log/ltm display a warning message, but the alarm LED may not reflect it.

Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary or secondary blade, it clears the alarm LED. So the last blade to come up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.

Impact:
The alarm LED may not reflect the warning.

Workaround:
None.

Fix:
The problem is fixed in TMOS v12.1.1.


581746-1 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a Virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a Virtual Server.

Impact:
A system outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile.

Fix:
An issue with handling of MPTCP traffic has been corrected.


581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.

Component: Global Traffic Manager

Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.

Impact:
Cannot return more than 16 pool members in a DNS response.

Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.


581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group

Component: Application Security Manager

Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"

Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Impact:
Benign error which does not affect configuration or enforcement.

Workaround:
None

Fix:
SQL error no longer occurs on CMI Sync with Session Awareness


581315-1 : Selenium detection not blocked

Component: Application Security Manager

Symptoms:
When a Selenium WebDriver client is detected running the Chrome browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot running the Selenium Chrome WebDriver is not mitigated by the DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
For desktop Google Chrome browsers only, the PBD JavaScript code checks whether a plugin called "Widevine Content Decryption Module" exists; if it does not, the browser is considered to be running via the Selenium tool and is blocked by PBD.


580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode

Component: Access Policy Manager

Symptoms:
Adding a new login account to Citrix Receiver enumerates the applications and desktops. Logging off and reconnecting using the same account then starts failing.

Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.

Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.


580747-1 : libssh vulnerability CVE-2016-0739

Vulnerability Solution Article: K57255643


580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: K14190 K39508724


580500-1 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.

Component: TMOS

Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6; /var/log/sa6 is not rotated and its disk space is not reclaimed.

Conditions:
/var/log/sa6 becomes corrupt, or the disk containing /var/log/sa6 becomes full.

Impact:
Disk space is not reclaimed in /var/log/sa6

Workaround:
Edit /etc/logrotate.d/sysstat and add "exit 0" after the sadf line.

Fix:
When the sadf invocation in /etc/logrotate.d/sysstat fails, the script now exits cleanly so that logrotate reclaims disk space.


580340-1 : OpenSSL vulnerability CVE-2016-2842

Vulnerability Solution Article: K52349521


580313-1 : OpenSSL vulnerability CVE-2016-0799

Vulnerability Solution Article: K22334603


580303-5 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.


580168-4 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A

Fix:
N/A


580026-5 : HSM logging error

Component: Local Traffic Manager

Symptoms:
In some cases HSM logging does not function as designed.

Conditions:
Installing SafeNet HSM to BIG-IP chassis.

Impact:
Inaccurate HSM logs

Fix:
HSM logging has been improved.


579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Vulnerability Solution Article: K01587042


579953 : Updated the list of Common Criteria ciphersuites

Component: Local Traffic Manager

Symptoms:
This is continuous maintenance of the default set per certification requirements.

Conditions:
These changes are only in effect when the ccmode script is executed.

Impact:
The current set of ciphersuites is the following, subject to change in future releases:

AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384}
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}


579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.


579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"

Component: Application Security Manager

Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.

Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).

Impact:
A custom signature set cannot be created with both request and response signatures.

Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.

Fix:
Signature Type can now successfully be set to "All" signatures.


579843-1 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.

Conditions:
- Active/Standby HA pair set up.
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more virtual addresses.
- Active unit has the following succession of failover states:
  Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes after a specific transition of failover states within an HA pair using dynamic routing.


579829-7 : OpenSSL vulnerability CVE-2016-0702

Vulnerability Solution Article: K79215841


579529 : Stats file descriptors kept open in spawned child processes

Component: TMOS

Symptoms:
No known user visible impact.

Conditions:
This occurs in all multi-blade platforms where clusterd is running.

Impact:
No known user visible impact.

Workaround:
None.

Fix:
Stats file descriptors are now opened in a way that causes them to be closed when a child process is spawned.


579495-1 : Error when loading Upgrade UCS

Component: Application Security Manager

Symptoms:
When loading an older version UCS file while ASM is live, an error may occur when processing the new configuration. The following error appears in the ASM log:

Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES

Conditions:
Loading an older version UCS on a live system.

Impact:
Enforcement of Allowed Methods may be incorrect.

Workaround:
Restart ASM.

Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.


579371-4 : BIG-IP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.


579220-1 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: K91100352


579210 : VIPRION B4400N blades might fail to go Active under rare conditions.

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem is manifest, the HSB receives FCS errors at a high frequency and does not receive any valid traffic from the switch port. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.


579085-6 : OpenSSL vulnerability CVE-2016-0797

Vulnerability Solution Article: K40524634


578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections

Component: Local Traffic Manager

Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.

Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.

Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.

Fix:
The pre-established connections counter is now decremented when a TCP Fast Open connection times out during the initial handshake.


578570-1 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaption.


578551-5 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot

Component: TMOS

Symptoms:
"network 0.0.0.0/0 route-map Default" is missing from the bgp configuration after a restart/reboot.

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp.

Impact:
bgp does not have the same configuration after a restart/reboot; persistence of the bgp configuration is not maintained, leading to unexpected bgp behavior.

Fix:
The persistence of "network 0.0.0.0/0 route-map Default" in BGP is now maintained after a restart/reboot.


578064 : tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blade

Component: TMOS

Symptoms:
tmsh show sys hardware shows "unavailable" for hard disk manufacturer.

Conditions:
In VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.

Impact:
Can't get correct hard disk manufacturer information.

Fix:
Fixed


578036-1 : incorrect crontab can cause large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush for /sbin/lsusb

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, and an alert email is generated once per minute.

Workaround:
Change /etc/cron.usbflush to use /usr/sbin/lsusb.

Fix:
Fix /etc/cron.usbflush to use /usr/sbin/lsusb


577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to the DHCP clients, the DHCP client does not receive the DHCP reply to its unicast request and starts broadcasting DHCP renewals. After a while, the BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.

Conditions:
The DHCP server's unicast reply to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP address as the source IP).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.

Workaround:
Fix the DHCP server's routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.


576591-6 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in one of these specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern can be used for these cases, but it must be tailored to each customer specifically.


576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform

Component: Advanced Firewall Manager

Symptoms:
N/A

Conditions:
Requires new DoS License

Impact:
None

Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.

Behavior Change:
There is no change to existing behavior and functionality. However, when a DoS license is installed, the BIG-IP platform takes on the role of a dedicated DoS protection device. Consequently, most non-DoS functionality is either disabled or operates in a limited capacity.


576305-7 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.


575649-5 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.


575591-6 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE message stats.


575589-5 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE event stats.


575587-7 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.


575176-1 : Syn Cookie cache statistics on ePVA enabled devices are incremented with UDP traffic

Component: TMOS

Symptoms:
In some scenarios, UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.

Fix:
The BIG-IP system no longer increases Syn Cookie cache statistics on ePVA enabled devices with UDP traffic.


575170-2 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
The virtual server is now identified correctly, and the activity reported in the charts is attributed to the right virtual server.


575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core

Component: Application Security Manager

Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core

Conditions:
Import ASM XML security policy

Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.

Workaround:
N/A

Fix:
asm_config_server_rpc_handler_async.pl no longer crashes when an ASM XML security policy is imported.


575066-1 : Management DHCP settings do not take effect

Component: TMOS

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.


575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN without compromising performance.


575011-1 : Memory leak. Nitrox3 Hang Detected.

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.


574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.

Component: Local Traffic Manager

Symptoms:
When a connection rate limit is set on a fastL4 virtual server, client connections hang with high probability.

Conditions:
Set Connection Rate Limit on a fastL4 virtual server.

Impact:
Client connections hang with high probability.

Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting

Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.


574052-4 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.

This occurs in large configurations of LTM virtual servers whose names contain "." (dot).

Conditions:
In a large configuration of LTM virtual servers whose names contain ".", the names are converted ("." is replaced by "_") and the converted LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VS to find a match.

This problem is caused by large numbers of VSes on a single GTM Server (10k VSes on 10k Servers is less of an issue than 10k VSes on 1 GTM Server).

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the "."
   This would require deleting the GTM configuration and
   rediscovering it and recreating pools.

2. Turn off autoconf.
   Run autoconf once to populate the config, then turn it
   off.

3. Reduce the frequency of autoconf. It will still cause
   a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_", so that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.

Fix:
The algorithm used to match LTM VS names to GTM VSes was changed to reduce the linear walk of all VSes on a server.


574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
The script fails to work properly and fails to install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not have.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).

Fix:
The Safenet HSM installation script now completes successfully if the partition password contains special metacharacters (!#{}').

Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.


573764-1 : In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system

Component: Application Visibility and Reporting

Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.

Conditions:
Upgrade to a new version on a multi-bladed system.

Impact:
Not all statistics are present after upgrade.

Workaround:
No workaround


573643-3 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.


573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs

Component: Access Policy Manager

Symptoms:
When a user session times out and the client subsequently attempts access using the expired session ID, APM may log a message at "err" level similar to this:

Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:

Conditions:
User is logged into APM and session times out.

Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.

Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.


573584 : CPLD update success logs at the same error level as an update failure

Component: TMOS

Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."

Conditions:
This occurs during reboot after a successful firmware update.

Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.

Fix:
A CPLD update not being required is now logged at the info level, not the error level.


573343-1 : NTP vulnerability CVE-2015-8158

Vulnerability Solution Article: K01324833


573075-4 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.

Conditions:
A requestadapt or responseadapt profile is configured.
An iRule that parks is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the BIG-IP system fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.

Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the "records adapted" statistic reports the correct number.


572885-1 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
ASM provisioned.
Device group with ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.


572558-1 : Internet Explorer: incorrect handling of document.write() to closed document

Component: Access Policy Manager

Symptoms:
An HTML page with document.write() calls inside event handlers may not be processed correctly. Internet Explorer may show an error on this page.

Conditions:
An HTML page has document.write() calls inside event handlers or in other scripts executed after the document has loaded.
Strings passed to document.write() contain HTML tags with URLs or other rewritable content in attributes.

Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.

Workaround:
No workaround known.

Fix:
HTML pages with document.write() calls on a closed document are now handled correctly by Portal Access.


572281-5 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

There is a parking command (after) in the script, and it runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by the foreach, and the value 10 is lost.

Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set (or set again) the variable value after the parking command.

Fix:
Will fix in later release.


572133-5 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.

Conditions:
There are no conditions; every time the command is run, it sends some status messages to stderr.

Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.


570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support the dynamic remote-address CONFIG option, but it might still process that information when sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure to establish the IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.

Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.


570697-1 : NTP vulnerability CVE-2015-8138

Vulnerability Solution Article: K71245322


570667-2 : OpenSSL vulnerabilities

Vulnerability Solution Article: K64009378


570217-2 : BIG-IP APM now uses Airwatch v2 API to retrieve device posture information

Component: Access Policy Manager

Symptoms:
Airwatch version 8.3 and above no longer use the v1 REST API. APM is not able to retrieve device information from Airwatch MDM version 8.3 and higher, and device posture checking in APM policies fails.

Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher

Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.

Workaround:
n/a

Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.

Important: you must be using Airwatch release 8.3 or later, because older releases do not support the v2 REST API endpoints.


570057-2 : Can't install more than 16 SafeNet HSMs in its HA group

Component: Local Traffic Manager

Symptoms:
With the installation script on the BIG-IP system, you can't install more than 16 SafeNet HSMs in a high availability group with client versions 5.2 and 5.4.

Conditions:
Attempt to install more than 16 SafeNet HSMs.

Impact:
Installer script failure.

Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.

Fix:
Updated the SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member-adding operations for version 6.2.


569563-3 : Sockets resource leak after loading complex policy

Component: Access Policy Manager

Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.

After some time, the APM process file descriptor table is exhausted and no more access policies are processed.

The following error messages may be observed in the logs:

err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].

Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).

File descriptors leak (remain unclosed) after loading complex policies that contain many agents.

Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.

Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.

The current preferred workaround is to set the log level to ERROR or higher and restart apmd.

When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:

bigstart restart apmd

Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.

Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties

Note 3: Opened file descriptors do not close until apmd is restarted.

Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:

lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP

This gives you the number of open files.

Detailed steps to change the logging level to ERROR:

Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }

Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties

Step 3. Manually restart apmd using the following command: bigstart restart apmd

Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.


569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: K11772107


569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

Vulnerability Solution Article: K50118123


569316-1 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
Routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
NA

Fix:
Fix properly initializes a field on the standby.


569309-3 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assignment of specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).

The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
An iRule could be provided for the specific application.

Fix:
Empty inline event handler attributes are now not rewritten on the client side.


569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to be unable to aggregate successfully with the peer switch.

Conditions:
This only happens in a chassis-based system when a certain race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members won't be able to pass traffic.

Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".


569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low

Component: Anomaly Detection Services

Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.

Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.

Impact:
Overall rate limit is lower than expected.

Fix:
Improvements were made to rate limiting in environments with a high number of TMMs.


568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI

Component: TMOS

Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.

Conditions:
This occurs if a tunnel times out and goes to the down state.

Impact:
Confusion on the true state of the tunnel.

Workaround:
None needed.

Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.


568543-4 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous max was 4093).


567546-1 : Files with file names larger than 100 characters are omitted from qkview

Component: TMOS

Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.

Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.

Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.

Workaround:
Rename any files with names larger than 100 characters to names with less than 100 characters.

Fix:
Qkview was fixed to use the "GNU" tar format instead of the POSIX format; the GNU format allows for up to 256 characters (the system limit). The fixed program now allows any file name length possible on the system.
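As an added illustration (not F5's qkview code), this Python script uses the standard tarfile module to show the two header formats the fix contrasts: the ustar/POSIX writer rejects a path whose final component exceeds the 100-byte name field (Python splits longer paths at a "/" into the 155-byte prefix field when it can), while the GNU format stores the same path through a long-name extension header. The sample paths are constructed.

```python
import io
import tarfile

# Constructed sample paths (not from the release note): one short name, one
# whose final path component is exactly 100 characters, and one whose final
# component is 120 characters, longer than the 100-byte ustar name field.
SHORT_PATH = "var/log/ltm"
BOUNDARY_PATH = "var/log/" + "b" * 100
LONG_PATH = "var/log/" + "a" * 120

# The two tar header formats the release note contrasts.
FORMATS = {"ustar": tarfile.USTAR_FORMAT, "gnu": tarfile.GNU_FORMAT}


def archive_members(fmt_name, paths):
    """Write the given paths into an in-memory tar archive using the named
    header format and return (stored, skipped, archive_bytes).

    A path the format cannot represent is skipped instead of aborting the
    archive, which mirrors how qkview silently dropped such files.
    """
    buf = io.BytesIO()
    stored, skipped = [], []
    with tarfile.open(fileobj=buf, mode="w", format=FORMATS[fmt_name]) as tar:
        for path in paths:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            try:
                # ustar: tarfile tries to split the path at a "/" into the
                # 155-byte prefix and 100-byte name fields and raises
                # ValueError("name is too long") when no split fits.
                # GNU format instead emits a GNUTYPE_LONGNAME header first.
                tar.addfile(info, io.BytesIO(data))
                stored.append(path)
            except ValueError:
                skipped.append(path)
    return stored, skipped, buf.getvalue()


def read_member_names(archive_bytes):
    """Reopen the archive and return the member names exactly as stored."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    sample = [SHORT_PATH, BOUNDARY_PATH, LONG_PATH]
    for fmt_name in FORMATS:
        stored, skipped, blob = archive_members(fmt_name, sample)
        print(f"{fmt_name}: stored {len(stored)}, skipped {len(skipped)}")
        for path in skipped:
            basename = path.rsplit("/", 1)[-1]
            print(f"  omitted ({len(basename)}-char name): {path[:40]}...")
        print(f"  read back name lengths: {[len(n) for n in read_member_names(blob)]}")
```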


567457-2 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that cause the configuration to become invalid. For example, changing ISAKMP phase 1 from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use tmsh to make the affected configuration changes. This occurs in the GUI only; the tmsh 'create' command does not cause this core.

Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.


566576-6 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.

Fix:
BIG-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.


566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.


566342 : Cannot set 10T-FD or 10T-HD on management port

Component: Local Traffic Manager

Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.

Conditions:
B4450 or B4300 blade, and you want to set the 10T-FD or 10T-HD media type.

Impact:
Unable to set this media type.

Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD.


565895-1 : Multiple PCRE Vulnerabilities

Vulnerability Solution Article: K17235


565799-4 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity

Fix:
Performance of masquerade address checks is restored.


565137 : Pool licensing fails in some KVM/OpenStack environments.

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license a BIG-IP VE instance running in a KVM or OpenStack environment.

Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE is not licensed.

Workaround:
There is no workaround.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.


564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format

Component: Carrier-Grade NAT

Symptoms:
Prior to 12.1.2, there was no CGNAT log format in CSV that did not use quotes as delimiters.

Conditions:
Setting the DB variable log.lsn.comma

Impact:
More control of logging format via the DB variable log.lsn.comma

Workaround:
N/A

Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.


564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device

Component: TMOS

Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:

/etc/cron.hourly/purge_mysql_logs.pl:

Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27

This script is only intended to run with AM, ASM, or PSM provisioned, and it generates an error if none of them is.

Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.

Impact:
If cron can send email, it will send the perl error in the email once per hour.


564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'

Component: TMOS

Symptoms:
The crontab and ssmtp configuration environment is MAILTO="", which means no email is sent, and it is difficult to find where the email went.

Conditions:
This exists in the default crontab and ssmtp configurations.

Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network

OR

- You may encounter messages similar to the following in /var/log/maillog:

Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25

Workaround:
Change outbound-smtp mailhub to localhost with tmsh:

tmsh modify /sys outbound-smtp mailhub localhost

Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.


564281-3 : TMM (debug) assert seen during Failover with Gy

Component: Policy Enforcement Manager

Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.

Conditions:
Using PEM and Gy is configured.

Impact:
The TMM (debug version) may core and restart, resetting all connections.

Workaround:
Do not use the debug tmm with Gy.

Fix:
This debug assert has been changed to a debug log message.


563592 : Content diagnostics and LCD

Component: TMOS

Symptoms:
While running platform_check, you notice this on the LCD:

F5 LCD Server
Clients: 0
Screens: 0

Conditions:
This occurs when running platform_check after running bigstart stop

Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.

Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode


562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain curl connections using the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed DB variable is disabled, with the error 'curl: (7) couldn't connect to host'.

Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling the CMP option on the virtual server allows the traffic to pass over IPsec tunnels.

Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.


562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Component: Access Policy Manager

Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).

Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.


562267-3 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.

Fix:
FQDN nodes now support monitor alias destinations.


561500-4 : ICAP Parsing improvement

Component: Service Provider

Symptoms:
If a malformed ICAP message is sent to the BIG-IP system, the ICAP parser can enter a state in which it consumes an increasing amount of CPU and memory.

Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message whose first line is not an "ICAP/1.0" status line is received from an ICAP server.

Impact:
Memory and CPU usage increase.
Eventually TMM may crash, causing BIG-IP failover.

Fix:
The ICAP parser now checks for a correct initial ICAP/1.0 header line and rejects the message if it is missing.
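The two ICAP parser issues in this section (the OneConnect response-boundary problem described at the top of the section and 561500-4 above) come down to the same two checks: reject a message whose first line is not an ICAP/1.0 status line, and stop a response exactly at the end of its encapsulated section so that a second response in the same packet is handed to the next transaction rather than rescanned. The following Python is an added example, not F5 code. It parses a constructed packet carrying two back-to-back ICAP responses laid out per RFC 3507 (status line, headers, the Encapsulated header's offsets, a chunked body ending in a zero-size chunk), returns any incomplete tail unparsed instead of looping over it, and raises on a message that does not start with ICAP/1.0. The ISTag values and HTTP headers in the sample are made up.

```python
"""Split contiguous ICAP responses on one connection and reject malformed ones.

Added example (not F5 code). The sample messages below are constructed.
"""
import re


class MalformedICAP(ValueError):
    """The data at the current position is not an ICAP/1.0 message."""


# RFC 3507 status line: ICAP/1.0 <3-digit status> <reason> CRLF
STATUS_RE = re.compile(rb"ICAP/1\.0 (\d{3})[^\r\n]*\r\n")


def _parse_headers(block):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def _encapsulated(headers):
    """Return (raw_prefix_len, has_chunked_body) from the Encapsulated header.

    Per RFC 3507 the last entry is always a *-body or null-body offset, and that
    offset equals the number of raw (un-chunked) encapsulated header bytes that
    precede the body.
    """
    entries = []
    for part in headers.get("encapsulated", "").split(","):
        name, _, offset = part.strip().partition("=")
        if name:
            entries.append((name, int(offset)))
    if not entries:
        return 0, False
    name, offset = entries[-1]
    return offset, name != "null-body"


def _read_chunked(buf, pos):
    """Consume a chunked body starting at pos.

    Returns (body, position_after_terminator), or (None, None) if the body has
    not fully arrived, so the caller keeps the tail instead of rescanning it.
    """
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            return None, None
        size_field = buf[pos:eol].split(b";")[0].strip()   # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise MalformedICAP(f"bad chunk-size line {size_field!r}")
        pos = eol + 2
        if size == 0:
            # zero-size chunk, optional trailers, then the final empty line
            end = buf.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                return None, None
            return bytes(body), end + 4
        if len(buf) < pos + size + 2:
            return None, None
        body += buf[pos:pos + size]
        pos += size + 2


def split_responses(buf):
    """Parse every complete ICAP response in buf.

    Returns (responses, remainder): each response is
    (status, headers, encapsulated_http_header, body); remainder is the
    unparsed tail of a response that has not fully arrived.
    Raises MalformedICAP if a message does not start with an ICAP/1.0 status line.
    """
    responses, pos = [], 0
    while pos < len(buf):
        m = STATUS_RE.match(buf, pos)
        if not m:
            if b"\r\n" not in buf[pos:]:
                break                       # status line still in flight
            raise MalformedICAP(f"not an ICAP/1.0 status line: {buf[pos:pos + 20]!r}")
        hdr_end = buf.find(b"\r\n\r\n", m.end())
        if hdr_end < 0:
            break
        headers = _parse_headers(buf[m.end():hdr_end])
        raw_len, chunked = _encapsulated(headers)
        raw_start = hdr_end + 4
        if len(buf) < raw_start + raw_len:
            break
        http_hdr = buf[raw_start:raw_start + raw_len]
        nxt = raw_start + raw_len
        body = b""
        if chunked:
            body, nxt = _read_chunked(buf, nxt)
            if body is None:
                break
        responses.append((int(m.group(1)), headers, http_hdr, body))
        pos = nxt
    return responses, buf[pos:]


# --- constructed sample: two responses arriving in one packet ------------------
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
RESPONSE_WITH_BODY = (
    b"ICAP/1.0 200 OK\r\n"
    b"ISTag: \"example-istag-1\"\r\n"
    b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(HTTP_HDR)
    + HTTP_HDR
    + b"5\r\nhello\r\n0\r\n\r\n"            # chunked body "hello" plus terminating chunk
)
RESPONSE_NO_BODY = (
    b"ICAP/1.0 204 No Content\r\n"
    b"ISTag: \"example-istag-1\"\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)
PACKET = RESPONSE_WITH_BODY + RESPONSE_NO_BODY

if __name__ == "__main__":
    parsed, rest = split_responses(PACKET)
    for status, _, _, body in parsed:
        print(status, body)
    print("unparsed tail:", rest)
```

The boundary case from the OneConnect description is the second response starting mid-packet: the parser stops the first response at the zero-size chunk's terminator and resumes at the next byte, and a truncated packet yields the untouched tail rather than a rescan of the whole buffer.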


561444-1 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.

Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.


561348-7 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When an administrator changes the krb5.conf file manually, the configuration file is not synchronized to all blades and is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the failover device group. Any change made to this file on either the active or the standby device is automatically synced to the other device.

In a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on a secondary blade is lost. The administrator must make changes on the primary blade only; they are then synchronized to all other blades.

Behavior Change:
When an administrator modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same failover device group.

When an administrator modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.


560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down

Component: Local Traffic Manager

Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.

Conditions:
Changing the monitor configuration of a pool. For example:

tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }

Impact:
Virtual server may be incorrectly marked down, when it should not be.

Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.


560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When monpd is restarted, it starts printing non-stop error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature:

err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (for example, caused by /var/log being full).

Impact:
AVR statistics are lost.
The monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


560109-7 : Client capabilities failure

Component: TMOS

Symptoms:
In some cases client capabilities detection may fail, crashing TMM.

Conditions:
AVR and/or AAM provisioned and configured

Impact:
Traffic disrupted while TMM restarts

Workaround:
N/A

Fix:
Improved processing of client capabilities.


559837-4 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Table creation exceptions are thrown when a randomly generated table name contains an invalid character ('-').
2. A misleading 'Table not found' message is logged in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.

Fix:
The randomly generated table names used when listing certificates could contain invalid characters, which caused table creation exceptions and the misleading 'Table not found' message in catalina.out. This has been corrected.


557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing the IPsec tunnel interface MTU attribute repeatedly in quick succession causes TMM to core. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes have their configuration modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes slowly enough that each configuration modification completes before the next one is made.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


557471-3 : LTM Policy statistics showing zeros in GUI

Component: TMOS

Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.

Conditions:
Occurs under all conditions.

Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.

Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics. To do so, perform the following procedure:

To retrieve stats for all policies, run the following command:
# tmsh show ltm policy

To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>

Fix:
LTM Policy statistics now show the correct values in the GUI.


557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None

Component: Global Traffic Manager (DNS)

Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.

Conditions:
Last Resort Pool is set to something other than None.

Impact:
There is no None option in TMSH or GUI.

Workaround:
Setting the pool name to an empty string via tmsh sets it to None.
For example:
modify gtm wideip a wip.f5.com last-resort-pool a

Fix:
None options added to tmsh and GUI.


557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode

Component: Access Policy Manager

Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compatibility mode.

Conditions:
MSIE 11 in compatibility mode, with a Full Webtop in use.

Impact:
Everything is working but the icons overlap.

Workaround:
1. Modify the advanced customization of apm.css:

#webtop_favorites_inner_container span.favorite span.caption{
...
    <? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
    zoom: 1;
    <? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
    zoom: 0;
    <? } ?>
}


2. Alternatively, use an iRule that changes apm.css to:
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set 0 if MSIE 11 in compatibility mode */
}

Fix:
Full Webtop resources no longer overlap in MSIE 11 compatibility mode.


557358-5 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.

Fix:
TMM no longer SIGSEGVs and crashes when memory allocation fails because of a second attempt to remove the connection from the SSL queue.


557190-3 : 'packet_free: double free!' tmm core

Component: Local Traffic Manager

Symptoms:
You observe 'packet_free: double free' panic/warnings in conjunction with other issues. The actual double free cannot be diagnosed because the data available is insufficient to indicate with sufficient granularity where or when it occurred.

Conditions:
Indeterminate based on the data in this sighting.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the Fast L4 profile, enable the option 'Reassemble IP Fragments'.

Fix:
The system now maintains the fragment chain to prevent possible double free occurrences.


555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000 and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


554713-2 : Deployment failed: Failed submitting iControl REST transaction

Component: TMOS

Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address

Conditions:
This can happen on policy sync with a large number of ACLs.

Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.

Workaround:
None.

Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.


553795-7 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).

Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.


551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and an explicit port on a BIG-IP system running 10.2.4. The system is then upgraded to 11.5.x (or a 10.2.4 UCS is installed).

Impact:
Monitors appear to function normally, but they have the wrong format in the config file.

Workaround:
None.

Fix:
The system now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.


551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: Local Traffic Manager

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.


550161-4 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.

Fix:
The TTL value can now be changed from the hardcoded value of 255. This accommodates networking devices that block a packet whose TTL value is higher than 230.


549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.


547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


547053-1 : Bad actor quarantining

Component: Anomaly Detection Services

Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue.

Conditions:
This is a timing issue related to having an unusually high number of bad actors at the same time.

Impact:
Traffic can be removed from quarantine and passed to the web server.

Fix:
An issue was fixed related to bad actor quarantining.


546145-1 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.


545810-3 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
This crash will happen on LTM virtuals that meet the following two configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.

Impact:
Crash and restart of TMM

Workaround:
None

Fix:
The logic that determines whether a connection is an L7 loopback connection has been fixed, so that CSP receives only packets that it owns and can reuse.


545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Remove or edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.

Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.


545450-5 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.


544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Component: TMOS

Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.

Conditions:
All hourly billing VE instances in AWS Marketplace.

Impact:
Phone support is not available for hourly billing VE instances.

Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.


544033-5 : Fragmented ICMP Echo to Virtual Address may not receive response

Component: Local Traffic Manager

Symptoms:
In a very specific scenario, a response to an IPv4 ICMP Echo to a Virtual address may not reach back to the originator.

Conditions:
- Client network MTU is lower than the BIG-IP system's ingress VLAN's MTU.
- Client ICMP Echo is larger than Client's MTU and fragmented.

Impact:
Response is not received at client.

Workaround:
In certain version 11.x/12.x environments, it may be acceptable to disable PathMTU discovery.
If it is, this can be worked around by disabling the following DB Key:
tmsh modify sys db tm.pathmtudiscovery value disable

Note this workaround is not possible in BIG-IP software versions 10.x. 10.x does not have a workaround.

Fix:
The client now correctly receives the ICMP echo response from the virtual address when the echo request has been fragmented.


543208-1 : Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
-- Some systems in the trust are running a pre-12.x version of TMOS.
-- Some systems in a device group have been upgraded to 12.x.
-- A failover event occurs on traffic-group-1.
-- This appears to be most evident in APM configurations.

Impact:
mcpd on the devices running a pre-12.x version may become unresponsive. The upgrade fails.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.


542097-4 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
A rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic.

Conditions:
Running the RHEL6 kernel under heavy disk load; more likely on a vCMP host.

Impact:
Unexpected machine reboot causing loss of service.

Workaround:
None.

Fix:
Red Hat provided an update in RHEL 6.7, which F5 backported to the RHEL 6.4 and 6.5 kernels:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()


541550-3 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.
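Several issues in this list are recognizable only by the log line they leave behind: the sSMTP "Unable to connect to "mail"" errors of 564522-2, the 01070711/01070712/0107134b mcpd messages of 543208-1, the monpd "Too many partitions" signature of 560114-6, the "Dossier error 16" of 565137, and the pam_bigip_authz "([unknown])" role of 541550-3 above. The following Python is an added example, not F5 code: it maps those signatures, taken verbatim from the issue descriptions, to their issue IDs so that an operator can sweep /var/log/ltm, /var/log/maillog and /var/log/secure for them before or after applying this hotfix. The sample lines are constructed from the quoted messages; their syslog prefixes, hostnames and PIDs are made up.

```python
"""Match log lines against the signatures quoted in this hotfix's issue list.

Added example (not F5 code). Sample lines are constructed from the messages
quoted in the issue descriptions; the syslog prefixes are made up.
"""
import re

# (issue ID from this release note, short description, pattern applied with re.search to one line)
SIGNATURES = [
    ("564522-2", "cron mail to root cannot reach the default ssmtp mailhub 'mail'",
     re.compile(r'sSMTP\[\d+\]: (?:Unable to connect to "mail" port 25|Cannot open mail:25)')),
    ("543208-1", "file sync failure on failover in a mixed pre-12.x/12.x device group",
     re.compile(r"(?<!\w)0107(?:0711|0712|134b):3: ")),
    ("541550-3", "user with more than 10 remote roles mapped to an unknown role",
     re.compile(r"pam_bigip_authz: authenticated user (\S+) with role \d+ \(\[unknown\]\)")),
    ("560114-6", "monpd cannot load AVR data after an I/O problem",
     re.compile(r"stat_bridge_thread::validateCorrectNumberOfPartitions.*Too many partitions \((\d+)\)")),
    ("565137", "BIG-IQ pool licensing of a KVM/OpenStack VE failed",
     re.compile(r"Dossier error 16\b")),
]


def classify(line):
    """Return (issue_id, description) for the first matching signature, else None."""
    for issue_id, description, pattern in SIGNATURES:
        if pattern.search(line):
            return issue_id, description
    return None


def scan(lines):
    """Group matching lines by issue ID: {issue_id: [line, ...]}."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(found[0], []).append(line.rstrip("\n"))
    return hits


# Constructed sample log; the messages after the process name are the ones quoted in this document.
SAMPLE_LOG = [
    'Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.',
    "Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25",
    "Aug 24 11:35:42 bigip-a err mcpd[3012]: 01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..",
    "Aug 24 11:35:42 bigip-a err mcpd[3012]: 01070712:3: Caught configuration exception (0), Failed to sync files..",
    "Aug 24 11:36:05 bigip-a notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false",
    "Aug 24 11:40:17 bigip-a err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T",
    "Aug 24 11:41:00 bigip-ve err license[1532]: Dossier error 16",
    "Aug 24 11:42:00 bigip-a notice mcpd[3012]: constructed benign line that matches nothing",
]

if __name__ == "__main__":
    for issue_id, lines in scan(SAMPLE_LOG).items():
        print(f"{issue_id}: {len(lines)} line(s)")
```

To run it against a real device, feed `scan()` the lines of the log files named above; a hit on 541550-3 in particular is worth alerting on, since the affected user is being denied a role rather than granted one.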


541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
By default, an AMI does not delete a volume attached to an instance when the instance is terminated. This requires extra effort to delete the volume manually after terminating the instance; if that is not always done, orphaned volumes incur extra charges.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.


541320-10 : Sync of tunnels might cause restore of deleted tunnels.

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.


540928-1 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long-lived process.

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM, which causes a failover and downtime.

Alternatively, kill only asm_config_server:
-----------------------
pkill -f asm_config_server
-----------------------
The ASM process watchdog restarts it within approximately 15 seconds; this should cause neither a failover nor downtime.

Fix:
An async worker lifecycle was introduced so long lived processes will now dispatch a fixed number of calls to their workers before retiring them.
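
Added example, not F5's code: a wrapper around the pkill workaround above that only restarts asm_config_server once its resident memory has actually grown, and then confirms that the ASM watchdog brought the process back instead of assuming it did. The process is matched on its full command line, as pkill -f does, because the daemon's command name may differ from the pattern. The 512 MB limit and the 30 second wait are assumed values to tune per system, and the ps output used stand-alone is constructed.

```shell
#!/bin/sh
# Added example, not F5's code: apply the ID 540928-1 workaround conditionally
# and verify the watchdog restart. RSS_LIMIT_KB and WATCHDOG_WAIT_S are assumptions.

RSS_LIMIT_KB=524288
WATCHDOG_WAIT_S=30

# total_rss_kb: sum the first column (RSS in kB) of `ps -o rss= -p <pids>`
# output read on stdin.
total_rss_kb() {
    awk '{ total += $1 } END { print total + 0 }'
}

# over_limit: succeed when the RSS total read on stdin exceeds RSS_LIMIT_KB.
over_limit() {
    [ "$(total_rss_kb)" -gt "$RSS_LIMIT_KB" ]
}

# asm_config_server_rss: RSS of every asm_config_server process, matched on
# the full command line like `pkill -f`. Prints nothing if none is running.
asm_config_server_rss() {
    pids=$(pgrep -d, -f asm_config_server) || return 1
    ps -o rss= -p "$pids"
}

# wait_for_process: poll until a process matching $1 exists or $2 seconds pass.
wait_for_process() {
    elapsed=0
    while [ "$elapsed" -lt "$2" ]; do
        pgrep -f "$1" >/dev/null 2>&1 && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# restart_if_leaking: kill asm_config_server only when it is past the limit,
# then confirm the ASM watchdog restarted it (the note says about 15 s).
restart_if_leaking() {
    if asm_config_server_rss | over_limit; then
        pkill -f asm_config_server || return 1
        if wait_for_process asm_config_server "$WATCHDOG_WAIT_S"; then
            echo "asm_config_server restarted by the ASM watchdog"
        else
            echo "asm_config_server did not return within ${WATCHDOG_WAIT_S}s; check ASM before doing anything else" >&2
            return 1
        fi
    else
        echo "asm_config_server below ${RSS_LIMIT_KB} kB; nothing to do"
    fi
}

# Constructed sample of `ps -o rss= -p ...` output: two workers, one bloated.
SAMPLE_RSS='812340
 40120'

# Stand-alone: total RSS of the sample in kB. On a BIG-IP run restart_if_leaking.
printf '%s\n' "$SAMPLE_RSS" | total_rss_kb
```

Running restart_if_leaking from cron turns the workaround into a bounded, observable action: nothing is killed while memory is flat, and a watchdog that fails to restart the daemon is reported rather than discovered later as a stuck ASM control plane.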


540872-1 : Config sync fails after creating a partition.

Component: TMOS

Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:

Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist

Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.

This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.

Impact:
A transaction will fail or incremental sync on APM will fail on a peer.

Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.

For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.
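
Added example, not F5's code: the transaction workaround above, scripted. The partition (and with it the folder) is created and submitted in one tmsh transaction, and the pool inside it in a second one; putting both in a single transaction is the pattern that produces the error quoted under Symptoms. Each transaction is passed to a single tmsh session with -c, so the create, the commands and the submit belong to the same session. The partition, pool and member are placeholders, and TMSH can be pointed at a stub for a dry run on a host without tmsh.

```shell
#!/bin/sh
# Added example, not F5's code: create a partition, then an object in it, in
# two separate tmsh transactions (ID 540872-1 workaround).

# TMSH may be overridden (e.g. TMSH=echo) for dry runs where tmsh is absent.
TMSH="${TMSH:-tmsh}"

# tmsh_txn: run the given tmsh commands inside one cli transaction, in a
# single tmsh session so the transaction and its submit are not split across
# processes. $1 = semicolon-separated tmsh commands.
tmsh_txn() {
    $TMSH -c "create cli transaction; $1; submit cli transaction"
}

# create_partition_then_pool: first transaction creates only the partition
# (which creates its folder); the second, submitted after the first has
# completed, creates the pool in that folder.
# $1 = partition, $2 = pool name, $3 = pool member (addr:port)
create_partition_then_pool() {
    tmsh_txn "create auth partition $1" || return 1
    tmsh_txn "create ltm pool /$1/$2 members add { $3 }" || return 1
}

# The form that fails with
#   Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist
# creates the folder and the object in the same transaction:
#   tmsh_txn "create auth partition P1; create ltm pool /P1/pool1 members add { 10.1.1.10:80 }"

# On a BIG-IP:        create_partition_then_pool P1 pool1 10.1.1.10:80
# Dry run anywhere:   TMSH=echo create_partition_then_pool P1 pool1 10.1.1.10:80
```

The same split applies to iControl transactions: commit the partition or folder creation as its own transaction and only then start the transaction that populates it.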


539360 : Firmware update might take over 15 minutes. Do not turn off device.

Component: TMOS

Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until the update completes. Do not turn off the device until the operation is finished.

Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.

Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

Workaround:
None.

Fix:
Although reboot takes a long time on the iSeries platforms, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.


537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system sends an invalid memory access (SIGSEGV) or floating point error (SIGFPE) signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an