
Supplemental Document: Release Information: Hotfixes: BIG-IP 13.0.0

Original Publication Date: 05/22/2017

BIG-IP Hotfix Release Information

Version: BIGIP-13.0.0
Build: 1671.0
Hotfix Rollup: 2


Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Severity Description
660170-2 4-Minor tmm may crash at ~75% of VLAN failsafe timeout expiration



Cumulative fixes from BIG-IP v13.0.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
652151 CVE-2017-6131 K61757346 Azure VE: Initialization improvement
648867-1 CVE-2017-6074 K82508682 Kernel vulnerability: CVE-2017-6074
643187-1 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
638556-1 CVE-2016-10045 K73926196 PHP Vulnerability: CVE-2016-10045
636702-4 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636700-1 CVE-2016-9147 K02138183 BIND vulnerability CVE-2016-9147
636699-6 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
643554-2 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
641612-1 CVE-2017-0302 K87141725 APM crash
637666-1 CVE-2016-10033 K74977440 PHP Vulnerability: CVE-2016-10033
631688-8 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
615267 CVE-2016-2183 K13167034 OpenSSL vulnerability CVE-2016-2183
606710-11 CVE-2016-2834, CVE-2016-5285, CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
578076 CVE-2016-0800 K23196136 OpenSSL vulnerability CVE-2016-0800
578017 CVE-2016-0800 K23196136 CVE-2016-0800 : SSLV2 "DROWN" Vulnerability
635933 CVE-2004-0790 K23440942 K13361021 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
615226 CVE-2016-4809, CVE-2016-7166, CVE-2015-8916, CVE-2015-8917, CVE-2015-8919, CVE-2015-8920, CVE-2015-8922, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2016-4300, CVE-2016-4302, CVE-2015-8921, CVE-2015-8923 K13074505 Libarchive vulnerabilities: CVE-2016-8687 and others
600205-1 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
598002-9 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
624722 CVE-2016-7117 CVE-2016-6828 K51201255 Linux kernel vulnerability CVE-2016-7117


Functional Change Fixes

ID Number Severity Description
641724 1-Blocking BIG-IP VE support for GCE
649369-1 2-Critical DES, 3DES and HIGH cipher string includes/excludes wrong ciphers
644870 3-Major Improvements of protocol for sending data to AppIQ offbox via TCP
638967-2 3-Major SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicating an 'untrusted CA' or 'expired cert'
633723-4 3-Major New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-2 3-Major GUI Error trying to modify IP Data-Group
626594-3 3-Major No way to perform a soft server certificate verification
641169 4-Minor Role permissions for actions on the iRules LX Workspace editor page
618332-3 4-Minor No event triggered when the system receives a certificate message from the server.
572272 4-Minor BIG-IP - Anonymous Certificate ID Enumeration


TMOS Fixes

ID Number Severity Description
642058 1-Blocking CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-2 1-Blocking Backslash removal in LTM monitors after upgrade
636479 1-Blocking Hyper-V VE image fails to boot, stuck on "monpd: - Running monpd bigstart script." displayed on console at startup
636016 1-Blocking VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic
658764 2-Critical Linux kernel lasthop driver memory issue
648056-3 2-Critical bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805-2 2-Critical LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
641013-6 2-Critical GRE tunnel traffic pinned to one TMM
634132 2-Critical VE: virtio high performance driver (Linux/KVM)
634085-1 2-Critical IPsec tmm assert "ike_ctx tag"
626861-1 2-Critical Ensure unique IKEv2 sequence numbers
615372 2-Critical Occasional TCP resets during connection initiation (RST cause is "No local listener")
508113-2 2-Critical tmsh load sys config base merge file <filename> fails
649617-1 3-Major qkview improvement for OVSDB management
645219 3-Major Switching to native virtio driver
644490-2 3-Major Finisar 100G LR4 values need to be revised in f5optics
639774-1 3-Major mysqld.err rollover log files are not collected by qkview
639575-2 3-Major Using libtar with files larger than 2 GB will create an unusable tarball
639530 3-Major Kernel.el7.2: xhci: off by one error in TRB DMA address boundary check
639049-1 3-Major Virtual Server creation ignores translate-address setting with wild card destination
638825-1 3-Major SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
638215 3-Major iHealth auto-upload script may get stuck in unusual circumstances
637561-2 3-Major Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
637141-1 3-Major TMM core after deleting POLICY and executing command: show net ipsec ike-sa.
635116-3 3-Major Memory leak when using replicated remote high-speed logging.
633879-2 3-Major Fix IKEv1 md5 phase1 hash algorithm so config takes effect
630610-1 3-Major BFD session interface configuration may not be stored on unit state transition
629085-2 3-Major Any CSS content truncated at a quoted value leads to a segfault
628164-4 3-Major OSPF with multiple processes may incorrectly redistribute routes
620659-4 3-Major The BIG-IP system may unnecessarily run provisioning on successive reboots
610307-4 3-Major Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
610122 3-Major Hotfix installation fails: can't create /service/snmpd/run
609200-1 3-Major Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.
605792 3-Major Installing a new version changes the ownership of administrative users' files
569100 3-Major Virtual server using NTLM profile results in benign Tcl error
561596 3-Major Hotfixes can optionally update FPS engine file
561592 3-Major Hotfixes can update FPS engine file
559080 3-Major High Speed Logging to specific destinations stops from individual TMMs
541320-8 3-Major Sync of tunnels might cause restore of deleted tunnels.
489499-2 3-Major chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
644805 4-Minor Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated cpu cores
643404-1 4-Minor "tmsh system software status" does not display properly in a specific cc-mode situation
639528 4-Minor Kernel.el7.2: Broadwell Home Agent devices have non-compliant BAR.
636520-1 4-Minor Detail missing from power supply 'Bad' status log messages
633091 4-Minor Avr debug messages are printed to screen when saving/loading sys config
632668-6 4-Minor When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-2 4-Minor Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
631572 4-Minor Cryptic error relating to the liveinstall.movelicense DB variable
627554-1 4-Minor Partition of LTM policies is displayed in breadcrumb rather than properties table row
624896-1 4-Minor GUI LTM Virtual Server Connection Limit and Connection Rate Limit
623362-1 4-Minor Oversized pool member input
617901-9 4-Minor GUI to handle file path manipulation to prevent GUI instability.
614804-1 4-Minor libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141
598289 4-Minor TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598024-1 4-Minor FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows
588414-1 4-Minor Displaying application components reports an error
541550-2 4-Minor Defining more than 10 remote-role groups can result in authentication failure
417720 4-Minor BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures
247527-1 4-Minor Mgmt interface cannot be disabled via tmsh
642015-4 5-Cosmetic SSD Manufacturer "unavailable"
636663 5-Cosmetic "monpd: - Running monpd bigstart script." displayed on console at startup
619593-1 5-Cosmetic Provisioning page table cells overlap
609995-1 5-Cosmetic Device Connectivity tabs not properly highlighted
594228-1 5-Cosmetic Resetting mgmt interface statistics doesn't work on VE or VCMP


Local Traffic Manager Fixes

ID Number Severity Description
651476-1 2-Critical bigd may core on non-primary bigd when FQDN in use
648715-3 2-Critical BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
647962-1 2-Critical B2250: Interface is dropping traffic in passive mode
643396-1 2-Critical Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-3 2-Critical Path MTU discovery occasionally fails
642090 2-Critical ILXFlow.lbSelect does not work inside 'requestStart' or 'requestComplete' events
640352-1 2-Critical Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639764-1 2-Critical Crash when searching external data-groups with records that do not have values
639744-3 2-Critical Memory leak in STREAM::expression iRule
639565 2-Critical Core when accessing MQTT::Type after drop
639383 2-Critical ILX HTTP headernames are not being properly treated as case insensitive
637181-1 2-Critical VIP-on-VIP traffic may stall after routing updates
608304-2 2-Critical TMM crash on memory corruption
581746-6 2-Critical MPTCP traffic handling may cause a BIG-IP outage
654368-1 3-Major ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
651106-1 3-Major memory leak on non-primary bigd with changing node IPs
649571-2 3-Major Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990-1 3-Major Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
644041 3-Major HTTP response-headers-permitted profile option removes listed headers
641360-1 3-Major SOCKS proxy protocol error
640376-2 3-Major STPD leaks memory on 2000/4000/i2000/i4000 series
638779 3-Major Help file for MQTT profile is missing.
637094 3-Major The iRules LX streaming external data-group API may incorrectly not find a match.
636613 3-Major GUI allows creating New client SSL profile in read-only partition
636289-1 3-Major Fixed a memory issue while handling TCP::congestion iRule
633564-1 3-Major Route unavailable when static route depends on another static route
626386-2 3-Major SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
622160 3-Major ICMPv6 packets can have the wrong source IP if a IPv6 VIP has IPv4 pool members
620625-3 3-Major Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail
618430-1 3-Major iRules LX data not included in qkview
611691-6 3-Major Packet payload ignored when DSS option contains DATA_FIN
607246-8 3-Major Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-1 3-Major Policy unable to match initial path segment when request-URI starts with "//"
575642 3-Major rst_cause of "Internal error"
572234-1 3-Major When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
517756-5 3-Major Existing connections can choose incorrect route when crossing non-strict route-domains
429213 3-Major Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down.
419741-4 3-Major Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
367226-3 3-Major Outgoing RIP advertisements may have incorrect source port
352957-2 3-Major Route lookup after change in route table on established flow ignores pool members
627695-1 4-Minor [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational
625892-1 4-Minor Nagle Algorithm Not Fully Enforced with TSO
621379-1 4-Minor TCP Lossfilter not enforced after iRule changes TCP settings
611161-4 4-Minor VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
610201-1 4-Minor Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event
570855-1 4-Minor DB variable log.csyncd.level cannot be set to certain values
569814 4-Minor iRule "nexthop IP_ADDR" rejected by validator
552988-1 4-Minor Cannot enable MPTCP on some profiles in GUI.


Global Traffic Manager Fixes

ID Number Severity Description
642330 3-Major GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.


Application Security Manager Fixes

ID Number Severity Description
646511-2 2-Critical BD crashes repeatedly after interrupted roll-forward upgrade
642119-1 2-Critical Websocket URLs can't be explicitly excluded per attack signature
641083-1 2-Critical Policy Builder Persistence is not saved while config events are received
640829-1 2-Critical bd crash scenario
639500-1 2-Critical BD crash fix
641547-1 3-Major Possible dead-lock on accept of multiple suggestions at once
640824-2 3-Major Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
639767-1 3-Major Policy with Session Awareness Statuses may fail to export
639630-1 3-Major Searching for signatures with overrides in the policy returns incorrect results
638629-1 3-Major Bot can be classified as human
638576-1 3-Major Modified ASM Cookie violation is ON by default
635754-2 3-Major Wildcard URL pattern match works incorrectly in Traffic Learning
635111-1 3-Major New Application Ready Templates Available
633985-1 3-Major CS challenged URL is rejected on complex CPM/irule configurations
631715-2 3-Major ASM::disable does not disable client side challenges
630390-1 3-Major Client Side challenges and device ID doesn't work on a virtual server that has also APM
608245-1 3-Major Reporting missing parameter details when attack signature is matched against parameter value
642874-2 4-Minor Ready to be Enforced filter for Policy Signatures returns too many signatures


Application Visibility and Reporting Fixes

ID Number Severity Description
642613 2-Critical Improve loading time when landing in dashboard page
639406 2-Critical On stress traffic wrong TPS reported to DOS
635688 2-Critical backend<->GUI rest requests optimizations
651627 3-Major IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter
649048 3-Major SSLI statistic and Traffic classification statistic lost after upgrade
643332 3-Major DoS Health and Severity analysis charts
643330 3-Major DoS Virtual Servers table has no health column and shows health/severity as numeric value
643328 3-Major Activity Type filter is applied even when ASM is not used
643327 3-Major DoS Visibility Attacks Graph tooltip does not provide sufficient information
643326 3-Major Max Concurrent Server Connections will be hidden by default
643325 3-Major Tooltips and help hints are inconsistent across the page
642449 3-Major Standard deviation for Request Duration is calculated incorrectly
642221-1 3-Major Incorrect entity is used when exporting TCP analytics from GUI
642124 3-Major mixed statistics between two intervals
641963 3-Major Average CPU usage is calculated differently in DoS Visibility page
639526 3-Major Configuring lots of Virtual IPs + stress traffic can cause avrd to crash
638115-1 3-Major DoS Visibility page on a system under stress can cause GUI timeouts and disconnections
637847 3-Major Removed "(conn/s)" text from Average Concurrent Connections graph
636155 3-Major Countries table bottom rows are hidden
635680-1 3-Major Link to DoS Visibility from a signature page starts with incorrect time-range
635189-1 3-Major The mitigation changed during the attack and the dimensions are different between COMMON table and HTTP table so it is "clubbed" to 1 or few rows
610485-1 3-Major Attacks chart has no time axis
570926 3-Major Provide a way to configure where in payload the CSPM JS is injected.


Access Policy Manager Fixes

ID Number Severity Description
650450 2-Critical After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages
645203-1 2-Critical Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group
637308-1 2-Critical apmd may crash when HTTP Auth agent is used in an Access Policy
647706-1 3-Major iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource
643547-2 3-Major APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
642926-1 3-Major Increased MySQL Memory usage when APM is provisioned on lower-end systems.
639288-1 3-Major OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.
638799-2 3-Major Per-request policy branch expression evaluation fails
638780 3-Major Handle 302 redirects for VMware Horizon View HTML5 client
636675 3-Major It is impossible to open MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access.
636044-2 3-Major Large number of glob patterns affects custom category lookup performance
632504-2 3-Major APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-2 3-Major APM Policy Sync: Resources under webtop section are not sync'ed automatically
629921-3 3-Major [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM back-end auth does not work.
621976-5 3-Major OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-5 3-Major Skype For Business thick client shows javascript errors when rendering APM logon page
550547-1 3-Major URL including a "token" query fails results in a connection reset


WebAccelerator Fixes

ID Number Severity Description
603746 4-Minor DCDB security hardening
603658 4-Minor AAM security hardening


Service Provider Fixes

ID Number Severity Description
649933-2 3-Major Fragmented RADIUS messages may be dropped
642211-1 3-Major Warning logged when GENERICMESSAGE::message drop iRule command used
620759-3 3-Major Persist timeout value gets truncated when added to the branch parameter.
590091-4 3-Major Single-line Via headers separated by a single comma result in the first character of the second header being stripped.


Advanced Firewall Manager Fixes

ID Number Severity Description
643752-1 2-Critical Specific configuration change sequence crashes TMM
639729-1 2-Critical Request validation failure in AFM UI Policy Editor
638838 2-Critical Dynamic Signatures are not copied to peers in a device group
638495-1 2-Critical Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile
596924-1 2-Critical Bot signatures are not reported in the PBD log when the PBD is turned off
644855-1 3-Major irules with commands which may suspend processing cannot be used with proactive bot defense
642562 3-Major TMM may crash with a very high number of concurrent TCP connections
638219 3-Major L4 BDoS incorrectly learns traffic after learning period in learn-only mode
629752 3-Major On DoS Visibility pages, metrics from unprovisioned modules are displayed in the widgets
629017 3-Major Comparison Charts are live only while staying on the page
629013 3-Major Right pane display does not respect the pinned selection when a filter has just been applied
627747 3-Major Improve cURL Usage
630712 4-Minor After provisioning change, Dimension Widgets on DoS Visibility pages are incorrect


Policy Enforcement Manager Fixes

ID Number Severity Description
641482-3 3-Major Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-2 3-Major BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-3 3-Major Session Creation failure after HA
639486-1 3-Major TMM crash due to PEM usage reporting after a CMP state change.
630611-3 3-Major PEM module crash when subscriber not found
563165 3-Major New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM.


Fraud Protection Services Fixes

ID Number Severity Description
635126-2 3-Major Allow substitute value on fields sent by AJAX
628337-2 3-Major Forcing a single injected tag configuration is restrictive
637664-1 4-Minor Vector (multi-options) lists values are not inherited if parent profile is changed.
640854 5-Cosmetic Inject CSS link Tag "Customize" checkbox also check Inject CSS link Position


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
636853-4 3-Major Under some conditions, a change in the order of GTM topology records does not take effect.
636790-4 3-Major Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
366695-9 3-Major Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed
582773 4-Minor DNS server for child zone can continue to resolve domain names after revoked from parent
644817-1 5-Cosmetic Unexpected behaviour during a DNS(GTM) server creation with wrong option in product field: nullGeneral database error.


Traffic Classification Engine Fixes

ID Number Severity Description
648786-1 2-Critical TMM crashes when categorizing urls with more than 4096 characters


Device Management Fixes

ID Number Severity Description
642983-2 3-Major Update to max message size limit doesn't work sometimes
641445-2 3-Major iControl improvements
629491-1 4-Minor REST token storage improvement


iApp Technology Fixes

ID Number Severity Description
632060-2 3-Major restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header

 

Cumulative fix details for BIG-IP v13.0.0 Hotfix 2 that are included in this release

660170-2 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured and 3/4 of the VLAN failsafe timeout has elapsed, tmm generates ICMP traffic to provoke a network response. When this occurs, the system might crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN observes no ARP/NDP traffic for 3/4 of the timeout (67.5 seconds in this example).
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow the VLAN failsafe timer to be reset by any received frame, run the following command with VLAN failsafe enabled:
 tmsh modify sys db failover.vlanfailsafe.resettimeronanyframe value enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
TMM no longer risks crashing when it generates ICMP traffic to provoke a network response as the VLAN failsafe timer expires, whether the cause is an invalid configuration or a completely quiet network, under the following configuration:

- VLAN failsafe is configured.
- 3/4 of the configured VLAN failsafe timeout has elapsed (for example, 67.5 seconds of 90 seconds).


658764 : Linux kernel lasthop driver memory issue

Component: TMOS

Symptoms:
BIG-IP lasthop kernel module may leak memory.

Conditions:
The BIG-IP lasthop kernel driver may leak specific memory structures, which may lead to out-of-memory (OOM) conditions.

Impact:
BIG-IP experiences OOM conditions and core system services are disrupted.

Fix:
Resolve memory leak in lasthop kernel module.


654368-1 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Component: Local Traffic Manager

Symptoms:
No error is reported when the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by a trusted CA, if the CRL issuer has the same subject name as one of the certificates in the trusted CA bundle.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
The openssl command can be used to check whether the CRL is signed by a trusted CA.

Fix:
An error is reported in the TMM logs if the CRL is not signed by a trusted CA.
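The workaround above says the openssl command can check whether a CRL is signed by a trusted CA. The following script is an added example, not F5's code or part of this document: it builds constructed test data (a trusted CA and a second, untrusted CA that deliberately shares the same subject name but has a different key, which is the condition described under Symptoms), issues a CRL from each, and checks both with "openssl crl -CAfile". The CA names, file paths and the minimal "openssl ca" configuration are assumptions made for the example; the check relies only on a standard openssl binary being installed.

```shell
#!/bin/sh
# Added example (not F5's code): verify that a CRL really is signed by a
# trusted CA using "openssl crl -CAfile", including the case where an
# untrusted CA shares the trusted CA's subject name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: create a self-signed CA key pair and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_crl NAME: issue an (empty) CRL signed by CA NAME, using a minimal
# "openssl ca" configuration written into the work directory (assumed layout).
make_crl() {
  mkdir -p "$WORK/$1-db"
  : > "$WORK/$1-db/index.txt"
  echo 01 > "$WORK/$1-db/crlnumber"
  cat > "$WORK/$1-ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $WORK/$1-db/index.txt
crlnumber = $WORK/$1-db/crlnumber
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config "$WORK/$1-ca.cnf" -gencrl -out "$WORK/$1.crl" >/dev/null 2>&1
}

# verify_crl CRLFILE CAFILE: succeed (exit 0) only if openssl finds the CRL
# issuer in CAFILE by subject name AND the CRL signature verifies with that
# certificate's key. openssl prints "verify OK" / "verify failure" on stderr,
# hence the 2>&1 before grep.
verify_crl() {
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Constructed test data: the trusted CA and an untrusted CA with the SAME
# subject name but a different key pair.
make_ca trusted   '/CN=Example Root CA'
make_ca untrusted '/CN=Example Root CA'
make_crl trusted
make_crl untrusted

# trusted_crl_ok: exit 0 if the CRL issued by the trusted CA verifies against it.
trusted_crl_ok() { verify_crl "$WORK/trusted.crl" "$WORK/trusted.crt"; }

# lookalike_crl_rejected: exit 0 if the CRL from the same-named untrusted CA is
# rejected when checked against the trusted CA (name matches, signature does not).
lookalike_crl_rejected() { ! verify_crl "$WORK/untrusted.crl" "$WORK/trusted.crt"; }

if trusted_crl_ok; then echo "CRL from trusted CA: verify OK"; fi
if lookalike_crl_rejected; then echo "CRL from same-named untrusted CA: verify failure (rejected)"; fi
```

The point of the same-name case is that matching the CRL issuer name against the trusted bundle is not enough; only a signature check with the matched certificate's public key distinguishes the two CRLs, which is what "openssl crl -CAfile" does and what the fix now performs on the BIG-IP side. To check a real CRL, replace the constructed files with the CRL and the CA bundle configured on the profile.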


652151 : Azure VE: Initialization improvement

Vulnerability Solution Article: K61757346


651627 : IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter

Component: Application Visibility and Reporting

Symptoms:
Some IP addresses may appear as "Aggregated" in the "COMMON" section of the dashboard but not Aggregated when applying a module-specific filter.

This occurs because a shortage of memory causes information to be aggregated in the "COMMON" section before it is aggregated in the module-specific database.

Conditions:
A lot of diverse traffic (for some module) from many IP addresses (for example) on a system with a small amount of memory allocated for AVR.

Impact:
The user sees a certain number (x) of IP addresses, some of them "Aggregated", upon landing on the dashboard, but when a module-specific filter is selected, the statistics show a larger number (x+y) of IP addresses, that is, essentially not aggregated.

Workaround:
Provision more memory to AVR.

Fix:
With this fix, aggregation does not happen in COMMON before it happens in the specific module. This is correct behavior.


651476-1 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.


651106-1 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd cores may occur when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes are configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, the memory consumption of bigd on the non-primary blades or instances may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.


650450 : After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages

Component: Access Policy Manager

Symptoms:
BIG-IP APM v13.0.0 has modified javascript to better handle more flexible session timeout parameters. This necessitated a modification in the timeout code in APM.

Unfortunately, that means that after upgrade, your users may receive a script error: 'APMSessionTimeout is undefined' when using the F5 Edge Client, or when using a browser that has the old code cached.

Conditions:
Upgrade to BIG-IP APM v13.0.0 with a login page or other Policy Item that presents a GUI to end users connecting using the F5 Edge Client or a browser with the previous version's timeout javascript code cached.

Impact:
Users receive confusing script errors in Edge Client or their web browser.

Workaround:
Use one of the following workarounds. Note: If possible, use the first one. Only perform the manual workaround if the first one is not possible.

-- Check the Knowledgebase Article (https://support.f5.com/csp/article/K91200585) to determine available fix versions, and then contact F5 Networks Technical Support to obtain any available Engineering Hotfix or version Hotfix to address this issue.

-- Perform this manual workaround:

Locate the items such as Logon Page and add '?13' after the include for session_check.js, using the following steps:
1. Logon to the GUI as Admin.
2. Click Profiles/Policies :: Customization :: Advanced.
3. Navigate to your Access Policy.
4. Navigate to Access Policy, then to the page that has the issue, such as Logon Page.
Note: The page is "logon.inc" for a logon page.
5. Locate the following line:

<script language="JavaScript" src="/public/include/js/session_check.js" ></script>

6. Insert ?13 after session_check.js in the script language line, for example:

<script language="JavaScript" src="/public/include/js/session_check.js?13" ></script>

7. Click Save Draft.
8. Click Save.

Note: The specific text "13" in "?13" isn't critical; it just needs to be some text that changes the script URL so that the cached copy is bypassed.

Fix:
End users with Edge Client or other browser no longer receive javascript errors.


649933-2 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


649617-1 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via an SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in the qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", a user with bash shell access can check whether the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.


649571-2 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
The BIG-IP system acts as a TLS client, and the TLS server ignores the renegotiation request. Finite TLS session data or time limits are configured in the Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.


649369-1 : DES, 3DES and HIGH cipher string includes/excludes wrong ciphers

Component: Local Traffic Manager

Symptoms:
When the cipher string contains "DES", 3DES ciphers are also included. The keyword "3DES" does not affect the included/excluded ciphers. HIGH no longer includes 3DES ciphers.

Conditions:
Cipher string contains DES, 3DES and/or HIGH.

Impact:
Additional ciphers are offered to the client, or ciphers that should be excluded are not omitted.

Behavior Change:
3DES ciphers moved from "high" to "medium".


649048 : SSLI statistic and Traffic classification statistic lost after upgrade

Component: Application Visibility and Reporting

Symptoms:
If you upgrade from 13.0 to 13.1 (or above), SSLI and traffic classification statistics will be lost.

Conditions:
This occurs when upgrading SSLI from version 13.0.0.

Impact:
SSLI and traffic classification statistics will be lost.

Fix:
Fixed an issue with statistics being lost during upgrade.


648990-1 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Server-side SSL renegotiation does not occur, and the log message is displayed.


648867-1 : Kernel vulnerability: CVE-2017-6074

Vulnerability Solution Article: K82508682


648786-1 : TMM crashes when categorizing urls with more than 4096 characters

Component: Traffic Classification Engine

Symptoms:
TMM crashes when categorizing URLs with more than 4096 characters.

Conditions:
URL categorization of a URL containing more than 4096 characters.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM can now handle very long URLs during URL categorization.


648715-3 : BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they should not.

Conditions:
Provision any of the three protocols (LLDP, STP, or LACP); the PDUs sent by the BIG-IP system incorrectly carry a VLAN tag with a tag ID of 0.

Impact:
Some third-party devices may reject the packet. This adversely affects operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.


648056-3 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.


647962-1 : B2250: Interface is dropping traffic in passive mode

Component: Local Traffic Manager

Symptoms:
Passive mode is a new mode of operation introduced in BIG-IP version 13.0.0. In this mode of operation, the BIG-IP system processes data offline to detect DoS attacks and/or to collect HTTP analytics data.

The results reported by the BIG-IP system may not be accurate.

Conditions:
This problem is seen when the device is operating in passive mode.

Impact:
This affects the BIG-IP system's capability to operate in Passive mode.

Workaround:
Other platforms, such as the 5k/5k/10k, can be used.

Fix:
Upgrade to 13.0.0 HF1 or later versions.


647706-1 : iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource

Component: Access Policy Manager

Symptoms:
iOS RDP client fails to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.
When a user launches the Native RDP resource from the APM Webtop, the RDP client shows the following error messages:
-- Can't connect to the Remote Desktop Gateway. Contact your network administrator for assistance. (Error code: 0x03000008).
-- Disconnected from server vpn.example.com with error code 0x00000003.

Conditions:
Using iOS client to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.

Impact:
Connection from RD client to Terminal Server via BIG-IP APM fails.

Workaround:
None.

Fix:
The iOS RDP client can now connect to Windows Server 2012/2016 with the RD Connection Broker role installed via APM's Native RDP resource.


646511-2 : BD crashes repeatedly after interrupted roll-forward upgrade

Component: Application Security Manager

Symptoms:
If a roll-forward upgrade from version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.


645805-2 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address

Component: TMOS

Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP is configured on a trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP system were not transmitting, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable; it simply does nothing if the far end is configured for 'Passive'.

Fix:
Ensure that the correct source MAC address is inserted into the PDU.
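
The following is an added example, not F5 code, covering both 648715-3 (LACP, STP and LLDP PDUs carrying an 802.1Q tag with VID 0) and 645805-2 (LACP PDUs with an unusable Ethernet source MAC). It decodes the Ethernet header of a frame, peels one 802.1Q tag if present, identifies the protocol by EtherType (LACP via the 802.3 slow-protocols type 0x8809, LLDP via 0x88CC, STP via an 802.3 length field followed by LLC SAP 0x42) and reports the two conditions a switch would object to. The sample frames, the unicast MAC 00:1b:21:aa:bb:cc and the zeroed payloads are constructed; the same checks can be run over frames captured from the trunk interface.

```python
"""Flag control-plane PDUs that carry an 802.1Q tag or a bad source MAC.

Constructed example, not F5 code. Frames are built inline so it runs offline.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_SLOW_PROTOCOLS = 0x8809   # LACP rides on the IEEE 802.3 slow-protocols type
ETHERTYPE_LLDP = 0x88CC
MAX_8023_LENGTH = 0x05DC            # a value at or below 1500 is a length, not a type
LLC_SAP_STP = 0x42                  # BPDUs: 802.3 frame, LLC DSAP = SSAP = 0x42

LACP_DST = bytes.fromhex("0180c2000002")
LLDP_DST = bytes.fromhex("0180c200000e")
STP_DST = bytes.fromhex("0180c2000000")


def classify_pdu(frame: bytes) -> dict:
    """Decode the Ethernet header, peel one 802.1Q tag if present, name the protocol."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18       # low 12 bits of the TCI are the VLAN ID
    proto = "other"
    if ethertype == ETHERTYPE_SLOW_PROTOCOLS:
        proto = "LACP"
    elif ethertype == ETHERTYPE_LLDP:
        proto = "LLDP"
    elif ethertype <= MAX_8023_LENGTH and frame[offset:offset + 2] == bytes([LLC_SAP_STP, LLC_SAP_STP]):
        proto = "STP"
    return {"proto": proto, "vid": vid, "src": src, "dst": dst}


def pdu_problems(frame: bytes) -> list:
    """Human-readable findings for one frame; an empty list means it looks normal."""
    info = classify_pdu(frame)
    if info["proto"] == "other":
        return []
    problems = []
    if info["vid"] is not None:
        problems.append(f"{info['proto']} PDU carries an 802.1Q tag with VID {info['vid']}; "
                        "these PDUs are expected untagged")
    src = info["src"]
    if src == bytes(6):
        problems.append(f"{info['proto']} PDU source MAC is all zeros")
    elif src[0] & 0x01:
        problems.append(f"{info['proto']} PDU source MAC is a group address")
    return problems


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None) -> bytes:
    """Build a frame, inserting an 802.1Q tag with the given VID when vid is not None."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed sample frames (00:1b:21:aa:bb:cc is a made-up unicast address).
GOOD_SRC = bytes.fromhex("001b21aabbcc")
LACP_PAYLOAD = bytes([0x01, 0x01]) + bytes(108)     # subtype LACP, version 1, zeroed TLVs
STP_PAYLOAD = bytes([LLC_SAP_STP, LLC_SAP_STP, 0x03]) + bytes(35)

FRAME_LACP_OK = build_frame(LACP_DST, GOOD_SRC, ETHERTYPE_SLOW_PROTOCOLS, LACP_PAYLOAD)
FRAME_LACP_TAG0 = build_frame(LACP_DST, GOOD_SRC, ETHERTYPE_SLOW_PROTOCOLS, LACP_PAYLOAD, vid=0)
FRAME_LACP_ZERO_SRC = build_frame(LACP_DST, bytes(6), ETHERTYPE_SLOW_PROTOCOLS, LACP_PAYLOAD)
FRAME_STP_TAG0 = build_frame(STP_DST, GOOD_SRC, len(STP_PAYLOAD), STP_PAYLOAD, vid=0)

if __name__ == "__main__":
    for name, frame in [("lacp-ok", FRAME_LACP_OK), ("lacp-tag0", FRAME_LACP_TAG0),
                        ("lacp-zero-src", FRAME_LACP_ZERO_SRC), ("stp-tag0", FRAME_STP_TAG0)]:
        print(name, pdu_problems(frame) or "ok")
```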


645219 : Switching to native virtio driver

Component: TMOS

Symptoms:
UNIC is the default driver for virtio devices.

Conditions:
BIG-IP system with a virtio device.

Impact:
The native virtio driver is not used by default. Therefore, the benefits of the native virtio driver, such as lower CPU utilization and higher throughput, are not available.

Workaround:
Native virtio can be used as follows:
1. Create /config/tmm_init.tcl if the file does not exist.
2. Append the following line in the file:
device driver vendor_dev 1af4:1000 virtio
3. bigstart restart tmm
4. Check if the driver in use is "virtio" after running the following command:
tmctl -dblade -i tmm/device_probed

Fix:
A DB variable has been provided with this fix to conveniently switch to native virtio driver.

To switch to native virtio driver, run the following commands:
1. tmsh modify sys db tmm.drivers.net.virtio value native
2. bigstart restart tmm

Use of virtio is recommended for data plane interface when there is a separate management interface.

Note: Do not switch to native virtio driver when single nic configuration is provisioned (management is also used as dataplane).


645203-1 : Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group

Component: Access Policy Manager

Symptoms:
Configuration load fails after upgrading BIG-IP from a previous version. The system posts an error similar to the following:

01070734:3: Configuration error: Invalid Devicegroup Reference. The sso_config_saml (/Common/Auth/<object>) requires apm_log_config (/Common/sso-log-setting-Notice) to be syncd to the same devices
Unexpected Error: Loading configuration process failed.

Conditions:
A SAML SSO config object or a Form-Based SSO config object is configured in a folder, and that folder is in a Sync-Only device group. When upgrading with this configuration, the configuration load fails.

Impact:
The configuration does not load.

Workaround:
1. Disassociate the folder from Sync-Only device group using the following commands:
 
tmsh modify sys folder <folder name> device-group none
tmsh save sys config
 
2. Upgrade and verify config loads.
 
3. Create log-setting in each folder.
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# cd <folder name>/
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common/<folder name>)(tmos)# create apm log-setting sso-log-setting-Notice { access add { general-log { log-level { access-control notice } publisher sys-sso-access-publisher } } }

Repeat this step for each log level: Alert, Critical, Debug, Emergency, Error, Informational, Notice, Warning, and use the appropriate log level accordingly.

4. Modify SSO log-settings to use log-setting created under the folder (<folder name>), according to their previous log level before upgrading. For example,
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify apm sso saml <folder name>/<sso object name> apm-log-config <folder name>/sso-log-setting-Notice
 
5. Associate the Sync-Only device group (SO1 in this example) with the folder, as shown in the following example:
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify sys folder <folder name>/ device-group <DG name>
 
6. Verify config load.

Fix:
Configuration load now completes successfully after upgrade when a SAML SSO config object is put in a sync-only device group.


644870 : Improvements of protocol for sending data to AppIQ offbox via TCP

Component: Application Visibility and Reporting

Symptoms:
BIG-IP fails to handle these cases:
1. One AppIQ node is down, so a TCP connection needs to be established to another AppIQ node.
2. All nodes are down, and no TCP connection can be established. The number of retries in this case needs to be limited per snapshot, so that resources are not consumed on the BIG-IP side if the AppIQ system is down (the current logic retries opening a connection for every message; there should be only a few retries per snapshot).

Conditions:
BIG-IP is configured to send statistics off-box via TCP.

Impact:
1. Data is not sent when it could be sent (to another AppIQ node).
2. BIG-IP resources are consumed by a large number of retries.
3. When TCP connections cannot be established, the system does not free connection file descriptors, so at some point the avrd process runs out of file descriptors.

Fix:
1. Added the ability to configure multiple AppIQ IP addresses in the external text file /etc/avr/ecm_ip_list.cfg.
2. For every message type (tmstat, stst snapshots, etc.), BIG-IP makes only 2 attempts to reconnect to each IP address provided. If it cannot establish a connection, it does not try to send the messages of that type.
3. File descriptors are freed after every unsuccessful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.

Behavior Change:
1. Added the ability to configure multiple AppIQ IP addresses in the external text file /etc/avr/ecm_ip_list.cfg.
2. For every message type (tmstat, stst snapshots, etc.), BIG-IP makes only 2 attempts to reconnect to each IP address provided. If it cannot establish a connection, it does not try to send the messages of that type.
3. File descriptors are freed after every unsuccessful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.
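
The following is an added example, not the avrd implementation, that models the two sender behaviours described in this entry: the old logic, which reconnects for every message and never releases a socket whose connect failed, and a sender that tries each configured address at most twice per snapshot and closes every socket it opens. A FakeNetwork stands in for the socket layer so the example runs offline and the open-socket count can be checked; the list file format (one address per line, '#' comments) and the port number 9000 are assumptions, not taken from the release note.

```python
"""Bounded reconnects per snapshot with guaranteed socket cleanup.

Constructed example, not avrd code. FakeNetwork replaces real sockets so the
example runs offline; /etc/avr/ecm_ip_list.cfg is assumed to hold one address
per line, and APPIQ_PORT is an assumed placeholder.
"""
import socket

APPIQ_PORT = 9000           # assumed placeholder, not documented above
ATTEMPTS_PER_IP = 2


def load_ip_list(text: str) -> list:
    """One address per line; blank lines and '#' comments are ignored (assumed format)."""
    ips = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.append(line)
    return ips


class FakeNetwork:
    """Stand-in for the socket layer: counts open sockets and records deliveries."""

    def __init__(self, reachable):
        self.reachable = set(reachable)
        self.open_sockets = 0
        self.connect_attempts = 0
        self.delivered = []

    def make_socket(self):
        self.open_sockets += 1
        return _FakeSocket(self)


class _FakeSocket:
    def __init__(self, net):
        self.net, self.peer = net, None

    def connect(self, addr):
        self.net.connect_attempts += 1
        if addr[0] not in self.net.reachable:
            raise ConnectionRefusedError(f"{addr[0]}:{addr[1]} unreachable")
        self.peer = addr

    def sendall(self, data):
        self.net.delivered.append((self.peer[0], data))

    def close(self):
        self.net.open_sockets -= 1


def real_socket():
    """Default socket factory for real use; the tests inject FakeNetwork instead."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    return s


def leaky_send(messages, ips, make_socket=real_socket, port=APPIQ_PORT) -> int:
    """The failure mode above: reconnect for every message, never close failed sockets."""
    sent = 0
    for msg in messages:
        for ip in ips:
            sock = make_socket()
            try:
                sock.connect((ip, port))
                sock.sendall(msg)
                sock.close()
                sent += 1
                break
            except OSError:
                pass          # socket dropped without close(): its descriptor leaks
    return sent


def send_snapshot(messages, ips, make_socket=real_socket, port=APPIQ_PORT,
                  attempts_per_ip=ATTEMPTS_PER_IP):
    """Try each address at most attempts_per_ip times for the whole snapshot.

    Returns the address that accepted the snapshot, or None if it was dropped.
    """
    for ip in ips:
        for _ in range(attempts_per_ip):
            sock = make_socket()
            try:
                sock.connect((ip, port))
                for msg in messages:
                    sock.sendall(msg)
                return ip
            except OSError:
                continue
            finally:
                sock.close()   # runs on success and on every failed attempt
    return None               # all addresses down: drop this snapshot, do not spin
```

With one of two addresses down, send_snapshot makes three connect attempts in total and leaves no socket open; with both down it gives up after four attempts, while leaky_send leaves one unclosed socket per message per address.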


644855-1 : iRules with commands that may suspend processing cannot be used with proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule that suspends processing (for example, one that includes a command such as "after") is assigned to the virtual server.

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests that go through both proactive bot defense and the iRule are dropped.

Workaround:
N/A

Fix:
iRules that suspend execution no longer cause a request drop when proactive bot defense is assigned.


644817-1 : Unexpected behaviour during a DNS (GTM) server creation with a wrong option in the product field: nullGeneral database error

Component: Global Traffic Manager (DNS)

Symptoms:
On a GSLB Server create page, in the Product dropdown, you are able to select a separator option which causes an error when pressing the Finished button.

Conditions:
This occurs when you pick the separator option "-----------" in the product dropdown.

Impact:
Null General Database error is thrown.

Workaround:
Avoid picking the separator option as GSLB Server product type.

Fix:
The separator option is now non-selectable.


644805 : Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated cpu cores

Component: TMOS

Symptoms:
Due to the way modern Intel Haswell CPU BIOSes are typically configured, the BIOS presents an ACPI table that includes details for unpopulated CPU sockets and, on each socket, unpopulated CPU cores.

Note: This is not F5-platform-specific, as the same can be seen on many high-end servers.

For physical cpu socket#0 and socket#1, the actual number of CPUs is 24 per socket. The possible number of CPUs is 36 per socket. For unpopulated socket#2 and socket#3, the actual number of CPUs is 0. The symptom is dmesg output similar to the following:

[ 3.198255] ACPI: \_SB_.SCK0.CP18: failed to get CPU physical ID.
[ 3.198266] ACPI: \_SB_.SCK0.CP19: failed to get CPU physical ID.
[ 3.198276] ACPI: \_SB_.SCK0.CP1A: failed to get CPU physical ID.
[ 3.198286] ACPI: \_SB_.SCK0.CP1B: failed to get CPU physical ID.
[ 3.198296] ACPI: \_SB_.SCK0.CP1C: failed to get CPU physical ID.
[ 3.198306] ACPI: \_SB_.SCK0.CP1D: failed to get CPU physical ID.
[ 3.198316] ACPI: \_SB_.SCK0.CP1E: failed to get CPU physical ID.
[ 3.198326] ACPI: \_SB_.SCK0.CP1F: failed to get CPU physical ID.
[ 3.198336] ACPI: \_SB_.SCK0.CP20: failed to get CPU physical ID.
[ 3.198346] ACPI: \_SB_.SCK0.CP21: failed to get CPU physical ID.
[ 3.198356] ACPI: \_SB_.SCK0.CP22: failed to get CPU physical ID.
[ 3.198366] ACPI: \_SB_.SCK0.CP23: failed to get CPU physical ID.

...

The normal at-boot dmesg output shows 96 such lines, because the maximum possible population is 4 * 36 = 144 CPUs but only 48 CPUs are present.

Conditions:
Booting the BIG-IP 7.2 kernel on VIPRION B4450 blades shows this routinely at each boot.

Impact:
None. This is purely cosmetic output due to how the BIOS is configured.

There is nothing functionally wrong; the messages are simply diagnostic output that appears in dmesg output. The messages can be safely ignored.

Workaround:
None.

Fix:
The system now silences the cosmetic 'failed to get CPU physical ID' messages for the Intel Haswell BIOS.


644490-2 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).


644041 : HTTP response-headers-permitted profile option removes listed headers

Component: Local Traffic Manager

Symptoms:
The HTTP response-headers-permitted option should remove headers, but not the ones listed. However, it currently will also remove the listed headers by mistake. This makes this profile option remove all HTTP headers, except for a hard-coded whitelist of headers.

Conditions:
The HTTP response-headers-permitted profile option is used.

Impact:
Extra headers will be removed from HTTP responses.

Workaround:
None.

Fix:
The HTTP response-headers-permitted profile option now works as designed again.
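
The following is an added example, not the BIG-IP HTTP profile code, that places the broken behaviour described above beside the intended one: a filter that ignores the permitted list and keeps only a hard-coded set, and a filter that keeps that set plus every header named in the permitted list. ALWAYS_KEEP is an assumed stand-in for the hard-coded whitelist the text mentions (the real list is not given here), and the sample response headers are constructed; the two that disclose server software are the kind a permitted-headers list is typically used to strip.

```python
"""Response-header allow-listing: the broken behaviour beside the intended one.

Constructed example, not BIG-IP code. ALWAYS_KEEP is an assumed stand-in for
the hard-coded whitelist mentioned above; the real list is not given.
"""

# Assumed stand-in for the hard-coded whitelist; framing headers must survive.
ALWAYS_KEEP = {"content-length", "content-type", "transfer-encoding", "connection"}

# Constructed sample response headers, including two that reveal server details.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Length", "512"),
    ("Server", "Apache/2.4.10"),
    ("X-Powered-By", "PHP/5.6"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "session=abc; HttpOnly"),
]


def broken_filter(headers, permitted):
    """Bug: the permitted list is ignored, so only the hard-coded set survives."""
    return [(name, value) for name, value in headers if name.lower() in ALWAYS_KEEP]


def permitted_filter(headers, permitted):
    """Intended: keep the hard-coded set plus every header named in 'permitted'.

    Header names are case-insensitive (RFC 7230), so compare in lower case.
    """
    allowed = ALWAYS_KEEP | {name.lower() for name in permitted}
    return [(name, value) for name, value in headers if name.lower() in allowed]


def removed_by(filter_fn, headers, permitted):
    """Names a filter drops, in response order, for comparing the two behaviours."""
    kept = {name for name, _ in filter_fn(headers, permitted)}
    return [name for name, _ in headers if name not in kept]


if __name__ == "__main__":
    permitted = ["cache-control", "Set-Cookie"]
    print("broken removes:   ", removed_by(broken_filter, SAMPLE_HEADERS, permitted))
    print("permitted removes:", removed_by(permitted_filter, SAMPLE_HEADERS, permitted))
```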


643752-1 : Specific configuration change sequence crashes TMM

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while making a configuration change.

Conditions:
1. Insert the IP addresses "::" and "::/128" into the IP list in a DoS profile.
2. Remove them.
3. Insert them again.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed a crash caused by this configuration change sequence.


643554-2 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Vulnerability Solution Article: K37526132 K44512851 K43570545


643547-2 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

The log file '/var/log/apm' contains a large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
The BIG-IP system is used with APM provisioned, and there are a large number of access policy agents configured across all access policies.

The issue occurs only at APMD startup time, e.g., when the BIG-IP system is reloaded, a new image is installed, or the apmd service is manually restarted.

When the issue occurs, /var/log/apm contains a large number of similar error messages:

 err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL

Impact:
APMD is not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.


643404-1 : "tmsh system software status" does not display properly in a specific cc-mode situation

Component: TMOS

Symptoms:
In Common Criteria mode, the system must first verify a software archive against a cryptographic signature file before using it. If that file is not available, the software change (intentionally) does not proceed. It is also intended that "tmsh system software status" explains the condition, but instead it simply shows "failed (reason unknown)".

Conditions:
If the system is in Common Criteria mode, and you try to initiate a software change, but there is no signature file available that corresponds to the selected software archive.

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation log contains a more detailed explanation of the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The "tmsh system software status" now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso). Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.


643396-1 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.


643332 : DoS Health and Severity analysis charts

Component: Application Visibility and Reporting

Symptoms:
Severity of attacks and virtual server health over time is not available.

Conditions:
This occurs while looking at the DoS Analysis page.

Impact:
Unable to see certain key statistics.

Workaround:
N/A

Fix:
Both charts are now available on the DoS Analysis page.


643330 : DoS Virtual Servers table has no health column and shows health/severity as numeric value

Component: Application Visibility and Reporting

Symptoms:
Virtual servers table doesn't have a column for virtual server health.
In addition, the attacks table displays severity as a numeric value.

Conditions:
This can be seen when looking at the DoS Visibility page.

Impact:
Cannot determine virtual server health from the numerical values.

Workaround:
N/A

Fix:
Health is now displayed for virtual servers as a textual representation of the condition, and attacks' severity follows the same pattern.


643328 : Activity Type filter is applied even when ASM is not used

Component: Application Visibility and Reporting

Symptoms:
When opening DoS Visibility pages, Activity Type is automatically being applied to hide internal BIG-IP traffic. However, this classification exists only for Application Security, but not AFM.

Conditions:
ASM is not provisioned.

Impact:
Meaningless filtering is being done.

Workaround:
N/A

Fix:
When ASM is not provisioned, the irrelevant Activity Type filter is not applied.


643327 : DoS Visibility Attacks Graph tooltip does not provide sufficient information

Component: Application Visibility and Reporting

Symptoms:
Attacks Graph tooltip lacks relevant information.

Conditions:
This can be seen when looking at the Attacks Graph tooltip.

Impact:
Cannot determine the function of the DoS Visibility Attacks Graph.

Workaround:
N/A

Fix:
A detailed tooltip was added with details about the attack being pointed at.


643326 : Max Concurrent Server Connections will be hidden by default

Component: Application Visibility and Reporting

Symptoms:
All metrics are visible in the Virtual Servers table, although they take up space and are not all equally important.

Conditions:
This can be seen while looking at the DoS Visibility page.

Impact:
Cannot specify which data-table columns are visible by default and which are hidden.

Workaround:
N/A

Fix:
Max Concurrent Server Connections will be hidden by default.


643325 : Tooltips and help hints are inconsistent across the page

Component: Application Visibility and Reporting

Symptoms:
Help tooltips on the (i) icon are not consistent.

Conditions:
This can be seen when looking at the DoS Visibility page.

Impact:
Some widgets have the tooltip, others don't.

Workaround:
N/A

Fix:
More tooltips were added and text was revised.


643187-1 : BIND vulnerability CVE-2017-3135

Vulnerability Solution Article: K80533167


642983-2 : Update to max message size limit doesn't work sometimes

Component: Device Management

Symptoms:
There is a cap on all REST request/response message sizes. By default it is set to 32 MB, and you can raise the limit using the /mgmt/shared/server/messaging/settings/8100 REST endpoint. However, the REST framework may not apply this change.

When this occurs, you see a 501 Bad Gateway error from Apache and an error message like "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in the restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are now applied on requests/responses rather than on the RestServer, because forwarded outgoing requests/responses do not have a server instance attached to the request.


642926-1 : Increased MySQL Memory usage when APM is provisioned on lower-end systems.

Component: Access Policy Manager

Symptoms:
You may notice the mysql process continuously consuming a high amount of CPU and memory when APM is provisioned. This can be seen in the output of the 'top' command, where mysql is continuously listed. The issue applies to BIG-IP systems with 32 GB or less system memory.

Conditions:
When APM module is provisioned, if either of the following is true:
* logging configuration uses on-box publisher and log-level setting leads to high amount of logging data (e.g., DEBUG).
* LocalDB or OAuth Authorization server is configured with a DB instance and traffic is being processed.

Impact:
You may notice general performance issues on BIG-IP systems with system memory 32 GB or lower when MySQL usage is high.

Workaround:
1) Remove the following 2 lines from the file '/var/lib/mysql/cnf/apm.cnf':
     innodb_buffer_pool_size = 1G
     sort_buffer_size = 256M
   and save the file before exiting.
2) Restart the MySQL service using 'bigstart restart mysql'.

Fix:
MySQL configuration when APM is provisioned now works as expected on lower-memory BIG-IP systems.


642874-2 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.


642613 : Improve loading time when landing in dashboard page

Component: Application Visibility and Reporting

Symptoms:
When data contains a very large number of different IP addresses, it can result in a long loading time for the dashboard page.

Conditions:
When opening Dashboard/Analysis page when DB contains a lot of data.

Impact:
Slow loading of the page.

Workaround:
None.

Fix:
This release provides improved loading time when opening Dashboard/Analysis page with a very large number of different IP addresses.


642562 : TMM may crash with a very high number of concurrent TCP connections

Component: Advanced Firewall Manager

Symptoms:
TMM may crash with a very high number of concurrent connections.

Conditions:
This happens if the BIG-IP system has a lot of concurrent connections and encounters HSB ring drops. At that time, if ICMP monitors are configured, LTM QoS-promotes those ICMP monitor flows, and if they are for the same endpoints, this crash is possible.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The crash has been fixed by a code change.


642449 : Standard deviation for Request Duration is calculated incorrectly

Component: Application Visibility and Reporting

Symptoms:
In the HSL report, the Standard deviation for Request Duration is incorrect.

Conditions:
There are requests sent with delay reported in AVR reports.

Impact:
Wrong data in AVR reports. Standard deviation should be not 0 (zero), but it is reported as 0.

Workaround:
None.

Fix:
Fixed an issue with the standard deviation calculation.


642400-3 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS, or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.


642330 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.


642221-1 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.


642211-1 : Warning logged when GENERICMESSAGE::message drop iRule command used

Component: Service Provider

Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.

Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.

Impact:
A warning message is returned.

Workaround:
NA

Fix:
iRule validation was improved to allow GENERICMESSAGE::message drop commands.


642124 : mixed statistics between two intervals

Component: Application Visibility and Reporting

Symptoms:
AVR has two collection intervals: one every 10 seconds for real-time display and one every 5 minutes (or another configured interval) for general statistics.
The 5-minute statistics are accumulated from the thirty 10-second intervals.
Sometimes the last 10-second interval is missing from the 5-minute accumulation and is counted in the next 5-minute interval instead, resulting in an inaccurate 5-minute accumulation.

Conditions:
This happens when writing the 10-second interval takes too long.

Impact:
Inaccurate accumulation of the 5 min interval statistics.

Workaround:
No workaround; some statistics will leak into the next interval.

Fix:
The statistics for every 5-minute interval are now displayed correctly (no leak between adjacent intervals).


642119-1 : Websocket URLs can't be explicitly excluded per attack signature

Component: Application Security Manager

Symptoms:
A signature matches on a websocket URL even though it is defined as an excluded signature on that URL.

Conditions:
A websocket URL has a signature defined as excluded on this URL.

Impact:
A false positive signature match

Workaround:
Disable the signature at the policy level when applicable.

Fix:
Signatures can now be excluded on the websocket URLs.


642090 : ILXFlow.lbSelect does not work inside 'requestStart' or 'requestComplete' events

Component: Local Traffic Manager

Symptoms:
ILXFlow.lbSelect does not work inside 'requestStart' or 'requestComplete' events

Conditions:
Writing an ilx plugin that uses ILXFlow.lbSelect in the 'requestStart' or 'requestComplete' events.

Impact:
Load balancing selection fails, and the plugin script fails.

Fix:
This has been fixed in 13.0.0 HF1. ILXFlow.lbSelect can be called in the 'requestStart' and 'requestComplete' events.


642058 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name  Status  Bits In  Bits Out  Pkts In  Pkts Out  Drops  Errs  Media
------------------------------------------------------------------------
5.0   down    0        0         0        0         0      0     none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.


642015-4 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable".

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround, but the issue is only cosmetic and does not indicate a problem with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.


641963 : Average CPU usage is calculated differently in DOS Visibility page

Component: Application Visibility and Reporting

Symptoms:
On systems with HT Split CPU, the average CPU usage shown on the DOS Visibility page was calculated as the average of all available CPUs. On other screens, it is calculated as the average of the maximum of the data plane and control plane CPUs. This causes inconsistency in the displayed data.

Conditions:
HT Split is enabled on the system (tmsh list sys db scheduler.splitplanes.ltm results in "True")

Impact:
Inconsistency in CPU usage values displayed in DOS Visibility and other screens

Fix:
After the fix, on systems with HT Split, average CPU usage is calculated only for data plane CPUs. The GUI title is changed correspondingly.


641724 : BIG-IP VE support for GCE

Component: TMOS

Symptoms:
There is no support for Google Compute Engine (GCE) in BIG-IP Virtual Edition (VE).

Conditions:
Trying to use GCE with BIG-IP VE.

Impact:
No support for GCE.

Workaround:
None.

Fix:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported up to 5 Gbps. This release supports single NIC configurations only.

Behavior Change:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported.


641612-1 : APM crash

Vulnerability Solution Article: K87141725


641547-1 : Possible dead-lock on accept of multiple suggestions at once

Component: Application Security Manager

Symptoms:
When accepting multiple suggestions at once, it is possible that the action fails.

Conditions:
Accepting multiple suggestions for the same entities.

Impact:
The action fails.

Workaround:
Accepting the suggestions one by one always works.

Fix:
The multiple-accept mechanism was improved to prevent possible deadlocks.


641482-3 : Subscriber remains in delete pending state until a CCR-T ack with a SUCCESS result code is received

Component: Policy Enforcement Manager

Symptoms:
A BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for the CCR-T request carries a Result-Code marked as failure.

Conditions:
The stale session occurs during subscriber termination, when any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS Result-Code AVP.

Impact:
The subscriber session on the BIG-IP system stays in the delete pending (stale) state.

Workaround:
A tmm restart cleans up all the stale sessions.

Fix:
The fix cleans up the session when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.


641445-2 : iControl improvements

Component: Device Management

Symptoms:
iControl has been hardened to increase security.

Conditions:
iControl enabled and exposed to untrusted networks

Impact:
iControl does not comply with hardened design standards.

Fix:
In hardened versions of the BIG-IP, iControl security is improved.


641390-2 : Backslash removal in LTM monitors after upgrade

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
This can occur on upgrade, with specific backslash escaping in LTM monitors. It is specific to LTM monitors. Example:

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor will fail to load.

Workaround:
Manually correct the string to be the way it was before the upgrade; the configuration will then load.
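The two entries above (the GTM one with its "\"service_status\"..." strings, and this LTM one with its recv-disable and username values) describe the same shape of problem: a monitor string that contains a backslash-quote sequence, is not wrapped in enclosing double quotes, and contains none of the characters that keep tmsh from dropping those quotes. The following is an added example, not F5 code and not part of these release notes, that audits a bigip.conf / bigip_gtm.conf text for such values and produces the manually quoted form the workaround asks for. The sample config is constructed, the stanza and attribute parsing is a minimal assumption about the file layout (one attribute per indented line, stanza closed by a lone "}"), and the quote-forcing character set is taken directly from the GTM entry's Conditions.

```python
import re

# Monitor attributes the release notes name as affected.
AFFECTED_ATTRS = ("recv-disable", "recv", "send", "username")

# Characters whose presence made tmsh keep the enclosing quotes, per the release notes:
# single quote, pipe, braces, semicolon, hash, literal newline, literal space.
QUOTE_FORCING_CHARS = set("'|{};# \n")

MONITOR_RE = re.compile(r'^(ltm|gtm) monitor \S+ (\S+) \{$')
ATTR_RE = re.compile(r'^(\s+)(' + '|'.join(AFFECTED_ATTRS) + r') (.*)$')

# Constructed sample config (not from any real system); the backslash-quote values
# mirror the shapes shown in the two release-note entries.
SAMPLE_CONF = r'''ltm monitor https /Common/my_https {
    defaults-from /Common/https
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\"
    send Test
    username test\\\"me
}
gtm monitor https /Common/gtm_https {
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    send "GET / HTTP/1.1"
}
'''


def _is_flagged(value):
    """True when the value contains a backslash-quote sequence, is not wrapped in
    double quotes, and has none of the characters that would have kept the quotes."""
    enclosed = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    return '\\"' in value and not enclosed and not (QUOTE_FORCING_CHARS & set(value))


def _iter_affected_attrs(conf_text):
    """Yield (line_index, monitor_name, indent, attr, value) for every affected
    attribute found inside an ltm/gtm monitor stanza."""
    monitor = None
    for idx, line in enumerate(conf_text.splitlines()):
        m = MONITOR_RE.match(line)
        if m:
            monitor = f"{m.group(1)} monitor {m.group(2)}"
            continue
        if line.strip() == "}":
            monitor = None
            continue
        if monitor is None:
            continue
        a = ATTR_RE.match(line)
        if a:
            yield idx, monitor, a.group(1), a.group(2), a.group(3)


def find_unquoted_escaped_strings(conf_text):
    """Return [(monitor_name, attr, value)] for values that need enclosing quotes."""
    return [(mon, attr, val)
            for _, mon, _, attr, val in _iter_affected_attrs(conf_text)
            if _is_flagged(val)]


def add_enclosing_quotes(conf_text):
    """Return the config text with every flagged value wrapped in double quotes,
    which is the manual workaround the release notes describe."""
    lines = conf_text.splitlines()
    for idx, _, indent, attr, val in _iter_affected_attrs(conf_text):
        if _is_flagged(val):
            lines[idx] = f'{indent}{attr} "{val}"'
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for mon, attr, val in find_unquoted_escaped_strings(SAMPLE_CONF):
        print(f"{mon}: '{attr}' value {val} needs enclosing quotes")
    print(add_enclosing_quotes(SAMPLE_CONF))
```

Run it against a copy of the config file before booting into the new volume; it only reports values that match the release notes' conditions, so a value that already carries a space or a brace is left alone.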


641360-1 : SOCKS proxy protocol error

Component: Local Traffic Manager

Symptoms:
In some cases, the SOCKS proxy does not properly handle unexpected changes within a single connection.

Conditions:
Virtual server configured with SOCKS Proxy profile

Impact:
SOCKS proxy does not function as designed

Fix:
Improved event handling in the SOCKS proxy


641169 : Role permissions for actions on the iRules LX Workspace editor page

Component: Local Traffic Manager

Symptoms:
Mutable actions (delete, save, etc.) are available to roles with lower privilege than Manager.

Conditions:
Being logged in with a role with lower privileges than Manager allows access to mutable actions.

Impact:
The iRules LX filesystem can be modified by a non-privileged user.

Workaround:
None.

Fix:
The system now correctly enforces roles on the iRules LX Workspace editor page.

Behavior Change:
The system now enforces roles on the iRules LX Workspace editor page, so that users cannot add, delete, or save edits unless they have a role of Manager or higher.


641083-1 : Policy Builder Persistence is not saved while config events are received

Component: Application Security Manager

Symptoms:
Policy Builder Persistence is not saved while config events are received.

Conditions:
This occurs when there are many changes made to the policy.

Impact:
Statistics are lost after pabnagd restarts.

Workaround:
None.

Fix:
Persistence is now saved every 24 hours.


641013-6 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.


640854 : Inject CSS link Tag "Customize" checkbox also checks Inject CSS link Position

Component: Fraud Protection Services

Symptoms:
Checking or unchecking "Customize" for the "Tag" input field also checks or unchecks "Customize" for the "Position" option.

Conditions:
-- Provision and license FPS.
-- Add new profile.

Impact:
Inject CSS link Position may not inherit values from parent profile.

Workaround:
None.

Fix:
"Customize" for Inject CSS link Position is no longer checked automatically when "Customize" for Inject CSS link Tag is checked.


640829-1 : bd crash scenario

Component: Application Security Manager

Symptoms:
The bd daemon crashes, causing a switch-over and some traffic outage.

Conditions:
A specific cross domain configuration exists. Specific traffic scenario happens.

Impact:
The bd daemon crashes, causing a switch-over and some traffic outage.

Workaround:
None.

Fix:
Fixed a bd crash scenario.


640824-2 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

 crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by means of saving a UCS, performing a clean install, and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads fine.

There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.


640510-2 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies for a subscriber are modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.


640457-3 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.


640376-2 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely, as long as its role in the tree results in sending BPDU packets. Memory usage grows faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform, and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with the Linux top command.

For example: top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured so that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the affected platforms have their interfaces in blocking mode or, if possible, in passthrough mode.

Fix:
The BPDU process source code was fixed to release the memory allocated for each BPDU packet created and sent.
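The Conditions above say to watch the VIRT and RES columns of 'top -b -n 1 | grep stpd' for a slow climb. As an added example (not F5 code and not part of these release notes), the following parses successive samples of that output and flags a process whose resident set never shrinks and has grown by at least a configurable amount. The sample lines are constructed to show the pattern, the column positions follow the standard procps 'top' batch layout, and the 1 MiB growth threshold is an arbitrary assumption to tune per platform.

```python
# top -b output columns (procps): PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
VIRT_COL, RES_COL, CMD_COL = 4, 5, 11

# Constructed samples of what 'top -b -n 1 | grep stpd' might print on four successive
# runs; the numbers are made up to show a rising RES column (not real BIG-IP output).
LEAK_SAMPLES = [
    " 7630 root      20   0 100564  12340   2100 S  0.0  0.1   0:03.14 stpd",
    " 7630 root      20   0 102612  14388   2100 S  0.0  0.1   0:03.20 stpd",
    " 7630 root      20   0 104660  16436   2100 S  0.0  0.1   0:03.27 stpd",
    " 7630 root      20   0   104m  18484   2100 S  0.0  0.1   0:03.33 stpd",
]
# A healthy process for comparison: RES stays flat across samples (also constructed).
STEADY_SAMPLES = [
    " 7630 root      20   0 100564  12340   2100 S  0.0  0.1   0:03.14 stpd",
    " 7630 root      20   0 100564  12340   2100 S  0.0  0.1   0:03.20 stpd",
    " 7630 root      20   0 100564  12340   2100 S  0.0  0.1   0:03.27 stpd",
]

# top prints memory in KiB, switching to m/g/t suffixes for large values.
_SUFFIX_KIB = {"k": 1, "m": 1024, "g": 1024 ** 2, "t": 1024 ** 3}


def _to_kib(field):
    """Convert a top memory field (plain KiB or with k/m/g/t suffix) to KiB."""
    f = field.lower()
    if f[-1] in _SUFFIX_KIB:
        return float(f[:-1]) * _SUFFIX_KIB[f[-1]]
    return float(f)


def parse_top_line(line):
    """Split one 'top -b' process line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 12:
        raise ValueError(f"not a top process line: {line!r}")
    return {"pid": int(parts[0]), "virt_kib": _to_kib(parts[VIRT_COL]),
            "res_kib": _to_kib(parts[RES_COL]), "command": parts[CMD_COL]}


def detect_growth(samples, process="stpd", min_growth_kib=1024):
    """Given successive top outputs, return (growing, res_series_kib). 'growing' is
    True when RES never decreases across at least three samples and the overall
    increase is at least min_growth_kib, matching the steady climb described above."""
    series = []
    for output in samples:
        for line in output.splitlines():
            if not line.strip():
                continue
            rec = parse_top_line(line)
            if rec["command"] == process:
                series.append(rec["res_kib"])
    monotone = all(b >= a for a, b in zip(series, series[1:]))
    growing = len(series) >= 3 and monotone and series[-1] - series[0] >= min_growth_kib
    return growing, series


if __name__ == "__main__":
    growing, series = detect_growth(LEAK_SAMPLES)
    print("stpd RES (KiB):", series, "-> leak suspected" if growing else "-> steady")
```

In practice you would collect the samples a few minutes apart (for example from cron) and feed the saved lines to detect_growth; a single snapshot cannot distinguish the leak from a process that is simply large.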


640352-1 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Component: Local Traffic Manager

Symptoms:
Connflow entry memory is leaked when the BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, after the created connflows age out in a particular order.

Conditions:
1) The BIG-IP DHCP proxy is configured in forwarding mode.
2) A DHCP relay agent that sits between the DHCP client and the BIG-IP system sets the giaddr field in the DHCP renewal packet to itself (this has been observed on Cisco devices), so that DHCP servers send the DHCP renewal reply to the relay agent.
3) The connflow created to giaddr (the relay agent) ages out before the connflows created to the DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
The reference count for giaddr connflows is now decremented when the client-side connflow is removed, preventing the memory leak.


639774-1 : mysqld.err rollover log files are not collected by qkview

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview, without the truncation rules normally used for log files. Also, the rollover files mysqld.err.1, mysqld.err.2.gz, etc., are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see the other mysqld.err rollover files in the qkview, and since the single mysqld.err file might be huge (larger than 2 GB), the qkview output will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.

Fix:
With this fix, the file /usr/lib/mysql/mysqld.err and its associated rollover files (up through .7.gz) are collected by qkview. The truncation/transformation rules used for log files also apply (use -s <size> to modify the default behavior), meaning that files greater than 5 MB (by default) are truncated, and there is a maximum limit of 75 MB for any given log file (using -s0).


639767-1 : Policy with Session Awareness Statuses may fail to export

Component: Application Security Manager

Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.

Conditions:
There are many Session Awareness Statuses configured for the policy.

Impact:
ASM policy export will fail.

Workaround:
Remove all Session Awareness Statuses before export.

Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.


639764-1 : Crash when searching external data-groups with records that do not have values

Component: Local Traffic Manager

Symptoms:
The TMM may crash when searching through an external data-group that has at least one record with an empty value.

Conditions:
For example, this occurs if the data-group is defined as follows, where the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",

A search in the data-group above with the -value or -element option, where at least one of the result records has no value, will most likely result in a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure that every record in the external data-groups has a value.

Fix:
Searching values in an external data-group where the result contains at least one record with an empty value no longer results in a TMM crash. A -value search yields an empty string for records that do not have a value.
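The records above show the file format, and the fix defines the expected behaviour for a value-less record: a -value search returns an empty string rather than faulting. As an added example (not F5 code and not part of these release notes), here is a small parser for that address data-group format plus a longest-prefix lookup that treats a missing value exactly that way. The sample file is constructed; the 'host' record form, which the release note does not show, is an assumption about the format and is folded into the same lookup as a /32 network.

```python
import ipaddress
import re

# Constructed sample in the external address data-group file format shown in the
# release note; the second record deliberately has no value, and the last record
# (a host entry, assumed rather than taken from the note) carries an escaped quote.
SAMPLE_DATA_GROUP = r'''network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
host 192.0.2.10 := "say \"hi\"",
'''

# '<kind> <address>' optionally followed by ':= "<value>"' and a trailing comma.
RECORD_RE = re.compile(
    r'^\s*(network|host)\s+([^\s,]+)\s*(?::=\s*"((?:[^"\\]|\\.)*)")?\s*,?\s*$')


def parse_data_group(text):
    """Parse address records into [(ip_network, value)]. A record without a
    ':= "..."' part yields an empty string value instead of being dropped."""
    records = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: unrecognised record: {line!r}")
        _kind, addr, raw_value = m.groups()
        # host records become /32 (or /128) networks so one lookup path serves both.
        net = ipaddress.ip_network(addr, strict=False)
        # Undo backslash escapes inside the quoted value.
        value = "" if raw_value is None else re.sub(r'\\(.)', r'\1', raw_value)
        records.append((net, value))
    return records


def lookup(records, address):
    """Longest-prefix match of an address against the records, the way an address
    data-group search behaves. Returns (network_str, value) or None; the value is ''
    for a record that has no value, which is what the fix makes a -value search return."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, value in records:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    recs = parse_data_group(SAMPLE_DATA_GROUP)
    for probe in ("10.40.1.1", "10.10.5.5", "10.99.0.1", "192.0.2.10", "192.168.1.1"):
        print(probe, "->", lookup(recs, probe))
```

The point of the example is the value handling: a caller that assumes every hit carries a non-empty string (the condition that crashed TMM before the fix) gets '' here and must cope with it, which is the same contract the fixed -value search offers.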


639744-3 : Memory leak in STREAM::expression iRule

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.


639729-1 : Request validation failure in AFM UI Policy Editor

Component: Advanced Firewall Manager

Symptoms:
A user of the AFM UI Policy Editor utility may see spurious results relating to firewall objects in the Firewall tab of the UI.

Conditions:
An authenticated UI user must attempt to manually modify firewall objects using the AFM UI URI endpoints.

Impact:
This impacts users as they interact with the AFM UI.


639630-1 : Searching for signatures with overrides in the policy returns incorrect results

Component: Application Security Manager

Symptoms:
1) When searching for Policy Attack Signatures with Overrides "On URLs" or "On HTTP headers", all signatures are shown, regardless of whether they have overrides.
2) When searching for Policy Attack Signatures with Overrides "On XML profiles"/"On JSON profiles"/"On GWT profiles"/"On Plain Text profiles", no signatures are shown, regardless of whether they have overrides.

Conditions:
Signature specific overrides are applied on URLs, Headers, or Content Profiles.

Impact:
No easy way to search for which signatures have overrides defined.

Workaround:
None.

Fix:
Searching for signatures with overrides now works correctly.


639575-2 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar, and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.

Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system before running qkview or any other program that uses libtar.

Fix:
With the fix to the third-party libtar software, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.


639565 : Core when accessing MQTT::Type after drop

Component: Local Traffic Manager

Symptoms:
Core when accessing NULL MQTT::Type after drop.

Conditions:
iRule configured with NULL MQTT::Type and a MQTT::drop.

Impact:
tmm cores. Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
The system now logs a Tcl error when accessing a NULL MQTT::Type after drop, and performs the drop as expected.


639530 : Kernel.el7.2: xhci: off by one error in TRB DMA address boundary check

Component: TMOS

Symptoms:
Due to an off-by-one error in the xHCI driver, on BIG-IP platforms with xHCI controllers you may see the following dmesg output when booting an affected platform:

[ 164.552195] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
[ 164.552200] xhci_hcd 0000:00:14.0: Looking for event-dma 00000000fffe6000 trb-start 00000000fffe7fe0 trb-end 00000000fffe8000 seg-start 00000000fffe7000 seg-end 00000000fffe7ff0

Conditions:
Any of the following BIG-IP platforms that have xHCI controllers, booting normally:

- BIG-IP 5000/7000
- BIG-IP i2800/i4800
- HRC-i2800
- BIG-IP VIPRION 4450

Impact:
It is not clear what the impact is if nothing is connected to the USB 3.0 ports, which are not accessible except on BIG-IP VIPRION 4450.

Workaround:
None.

Fix:
Red Hat integrated the fix for the off-by-one error from upstream kernel.org as part of the RHEL7.3 GA release, which is included in the BIG-IP 7.2 kernels in this release.


639528 : Kernel.el7.2: Broadwell Home Agent devices have non-compliant BAR.

Component: TMOS

Symptoms:
Broadwell-EP CPUs have UNCORE devices known as the "Broadwell Home Agent" devices.

For both single-socket and dual-socket platforms, this is pci 0000:ff:12.*.

These devices have non-compliant BARs, and when systems with Broadwell-EP CPUs boot, the dmesg output includes, among the early kernel boot messages, lines similar to the following:

[ 2.345303] pci 0000:ff:12.0: BAR 2: failed to assign [mem size 0x00000040]
[ 2.345306] pci 0000:ff:12.0: BAR 4: failed to assign [mem size 0x00000040]
[ 2.345309] pci 0000:ff:12.0: BAR 1: failed to assign [mem size 0x00000010]
[ 2.345312] pci 0000:ff:12.0: BAR 3: failed to assign [mem size 0x00000010]
[ 2.345315] pci 0000:ff:12.0: BAR 5: failed to assign [mem size 0x00000010]

Not related, but also seen, is the following:

[ 20.123776] mei_me 0000:00:16.0: initialization failed.

This is due to the BIOS configuration not permitting access to the ME (Management Engine). As a result, the kernel module for the ME should not be loaded.

Conditions:
Affects the following platforms:

- BIG-IP i10600/i10800
- BIG-IP i7600/i7800
- BIG-IP i5600/i5800
- BIG-IP i4600/i4800
- BIG-IP i2600/i2800
- HRC-i2800
- HRC-i5800
- HRC-i10800

Impact:
None. This is cosmetic and should not be cause for alarm.
The Broadwell-EP Home Agent devices are not used by BIG-IP software, and appear only as part of the UNCORE devices associated with each physical socket.

Workaround:
None needed: this is cosmetic.

Fix:
This release includes RHEL7.3 kernels in the BIG-IP 7.2 kernels. The RHEL7.3 kernels add PCI handling for the Broadwell-EP Home Agent devices, which tells the kernel not to attempt to probe or configure the PCI BARs for such devices.

Also, this release disables loading the MEI driver, which prevents the mei_me message posting.


639526 : Configuring lots of Virtual IPs + stress traffic can cause avrd to crash

Component: Application Visibility and Reporting

Symptoms:
avrd crashes.

Conditions:
Many virtual IPs are configured and stress traffic is applied.

Impact:
avrd restarts.

Workaround:
No workaround.

Fix:
avrd no longer crashes under stress traffic with large numbers of virtual IPs.


639500-1 : BD crash fix

Component: Application Security Manager

Symptoms:
A crash of the bd daemon.

Conditions:
Specific configuration and traffic.

Impact:
Traffic resets and/or failover.

Workaround:
N/A

Fix:
BD crash scenario was fixed.


639486-1 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert, or removal occurs during or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, the system now handles the error condition gracefully.


639406 : On stress traffic wrong TPS reported to DOS

Component: Application Visibility and Reporting

Symptoms:
Stress traffic sent to AVR reports higher TPS than actual to ASM.

Conditions:
ASM is being used.

Impact:
ASM can wrongly declare an attack.

Fix:
The real TPS is now reported to ASM.


639383 : ILX HTTP headernames are not being properly treated as case insensitive

Component: Local Traffic Manager

Symptoms:
ILX HTTP header names are not being properly treated as case insensitive.

Conditions:
Using an ILX plugin with a virtual server that has an HTTP profile.

Impact:
An ILX plugin has to handle HTTP header names in a case-sensitive manner.

Fix:
This has been fixed in 13.0.0 HF1. Headers are handled as case insensitive.


639288-1 : OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.

Component: Access Policy Manager

Symptoms:
OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. The Access Profiles list shows duplicate OAuth profile names.

Conditions:
An OAuth profile is associated with multiple Access Profiles.

Impact:
Selecting an Access Profile (i.e., clicking its link) on the OAuth Profiles list does not show the expected Access Profile properties page.

Workaround:
Switch to Access profiles list page and select the profile directly.

Fix:
The OAuth Profiles list page now displays the Access Profiles associated with each OAuth profile.


639049-1 : Virtual Server creation ignores translate-address setting with wild card destination

Component: TMOS

Symptoms:
The translate-address attribute is ignored during virtual server creation when the destination is all zeroes and no netmask is specified.

Conditions:
Creating a virtual server with a wildcard destination, no netmask, and translate-address set to enabled.

Impact:
translate-address can only be set to disabled during creation.

Workaround:
Either set translate-address after creation, or specify a netmask during virtual server creation.

Fix:
The translate-address flag is now honored when set while creating a virtual server.


638967-2 : SSL Forward Proxy should not cache a forged certificate if soft_vfyresult indicates an 'untrusted CA' or 'expired cert'

Component: Local Traffic Manager

Symptoms:
The system caches a forged certificate when the Forward Proxy (FWDP) server-side soft_vfyresult shows an untrusted CA or an expired cert. There is no way to override that behavior.

Conditions:
Using FWDP.
Server-side soft_vfyresult shows an untrusted CA or an expired cert.

Impact:
No method to override the caching behavior.

Workaround:
None.

Fix:
In this release, you can configure SSL forward proxy not to cache the forged certificate on the client side if the server-side SSL enables the sys db variable tmm.ssl.servercert_softval and the backend server certificate soft verify_result shows an 'untrusted CA' or 'expired certificate'.

Behavior Change:
In this release, you can configure SSL forward proxy not to cache the forged certificate on the client side if the server-side SSL enables the sys db variable tmm.ssl.servercert_softval and the backend server certificate soft verify_result shows an 'untrusted CA' or 'expired certificate'.


638838 : Dynamic Signatures are not copied to peers in a device group

Component: Advanced Firewall Manager

Symptoms:
During a failover event, a newly active BIG-IP will generate its own Dynamic Signatures rather than use a copy of the previous Active unit's signatures.

Conditions:
HA configuration with Dynamic Signatures enabled.

Impact:
During failover events, there will be a lag of a few seconds while the Dynamic Signatures are generated and collated.

Workaround:
1. Use the following command to verify that the device-group is set to none:
 list sys folder dos-common

2. If it is, you can associate dos-common to device group dos-global-dg using the following command:
 tmsh modify sys folder dos-common/ device-group dos-global-dg

3. Save the config using the following command:
 tmsh save sys config

Fix:
The system now explicitly adds folder and device group association, so the issue no longer occurs.


638825-1 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
The value returned for the sysInterfaceMediaActiveSpeed OID is 80 for an interface of type 100000SR4-FD instead of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
The user sees the wrong value for this interface in an SNMP get. The value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.


638799-2 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.

The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then a request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now completes successfully for non-Access (non-APM) iRule events that are attached to the virtual server.


638780 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
The HTML5 client installed on the backend is version 4.4 or later.

Impact:
This fix allows VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    # Remember the VDI forwarder prefix (/f5vdifwd/vmview/<uuid>/) of the
    # request URI. The first variable receives the full match, including the
    # trailing slash; the submatch goes to "dummy" and is not used.
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            # Only rewrite redirects that point at the backend /portal/ path.
            if { $location_path starts_with "/portal/" } {
                # Drop the scheme and host so the redirect stays relative to APM,
                # then replace /portal/ with the forwarder prefix captured above.
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    # Remember the VDI forwarder prefix (/f5vdifwd/vmview/<uuid>, without the
    # trailing slash) of the request URI. The full match goes to "dummy" and
    # the parenthesised submatch to vmview_html5_prefix.
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            # Only rewrite redirects that point at the backend /portal/ path.
            if { $location_path starts_with "/portal/" } {
                # Drop the scheme and host and prepend the forwarder prefix,
                # keeping the /portal/... path as sent by the backend.
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
302 redirects for the VMware View HTML5 client are now handled properly.


638779 : Help file for MQTT profile is missing.

Component: Local Traffic Manager

Symptoms:
Help file for MQTT profile is missing.

Conditions:
MQTT profile man page.

Impact:
The MQTT profile man page contains no information.

Workaround:
None.

Fix:
There is now man-page help for the MQTT profile.


638629-1 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI check is attempted on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/A

Fix:
The CSHUI algorithm has been fixed to improve bot detection.


638576-1 : Modified ASM Cookie violation is ON by default

Component: Application Security Manager

Symptoms:
The Modified ASM Cookie violation is not active by default in a new policy.

Conditions:
This occurs when creating a new policy.

Impact:
The Modified ASM Cookie Violation isn't enabled.

Workaround:
Manually enable the Modified ASM Cookie Violation.

Fix:
The Modified ASM Cookie violation is now activated in new policies.


638556-1 : PHP Vulnerability: CVE-2016-10045

Vulnerability Solution Article: K73926196


638495-1 : Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile

Component: Advanced Firewall Manager

Symptoms:
Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile.

Conditions:
DNS and SIP DoS profiles have enabled all vectors that have auto-thresholds support.

Impact:
No auto-threshold detection for SIP OTHER DOS, SIP PRACK method DOS, DNS IXFR query DOS, DNS OTHER DOS.

Workaround:
None.

Fix:
Auto-thresholds now work for all expected vectors on per-VS DNS/SIP DoS profile.


638219 : L4 BDoS incorrectly learns traffic after learning period in learn-only mode

Component: Advanced Firewall Manager

Symptoms:
L4 BDoS incorrectly learns traffic after learning period in learn-only mode.

Conditions:
-- L4 BDoS.
-- Learn-only mode.
-- Expired learning period.

Impact:
Traffic that has already been learned is learned again.

Workaround:
None.

Fix:
The delayed threshold is now propagated (at least once) after the traffic stops, and the delayed threshold is then reset so that traffic is learned as expected.


638215 : iHealth auto-upload script may get stuck in unusual circumstances

Component: TMOS

Symptoms:
If iHealth auto-upload is correctly configured and an upload in progress is aborted due to power loss or a similar event, the saved state causes future invocations of the iHealth script to fail with the message "ihealth is already executing (2). Exiting."

Conditions:
Auto-upload to iHealth is correctly configured, and an upload in progress is aborted due to power loss. When the BIG-IP is restarted, iHealth is no longer reachable.

Impact:
The iHealth script is not usable, and the System-Support page cannot be used to create a qkview.

Workaround:
Execute the following command:

guishell -c "update diags_ihealth_request set ihealth_status=0"


638115-1 : DoS Visibility page on a system under stress can cause GUI timeouts and disconnections

Component: Application Visibility and Reporting

Symptoms:
On a system with a lot of AVR-related data for DoS attacks, it might take a while to load the data displayed on the DoS Visibility pages. The GUI queries the backend for all of the required data simultaneously, which can cause the web server to choke due to too many open connections and high CPU usage.

Conditions:
Large amounts of data for DoS attacks.

Impact:
Instability in GUI usage and a degraded user experience.

Workaround:
N/A

Fix:
Optimizations were made on both the backend/database side and in the GUI. The GUI now throttles its queries to the server.


637847 : Removed "(conn/s)" text from Average Concurrent Connections graph

Component: Application Visibility and Reporting

Symptoms:
The unit of connections/sec is incorrect for the Average Concurrent Connections graph.

Conditions:
This is seen when looking at the Average Concurrent Connections graph.

Impact:
Potentially confusing information. The value is actually a general number of concurrent connections.

Workaround:
None.

Fix:
Removed "(conn/s)" text from Average Concurrent Connections graph.


637666-1 : PHP Vulnerability: CVE-2016-10033

Vulnerability Solution Article: K74977440


637664-1 : Vector (multi-options) lists values are not inherited if parent profile is changed.

Component: Fraud Protection Services

Symptoms:
Vector (multi-option) list values (such as "Application CSS Locations" or "Allow URLs from these external domains") are not inherited if the parent profile is changed.

Conditions:
Provision and license FPS.
Create 2 or more Anti-Fraud profiles.

Impact:
Can cause a mismatched configuration.

Workaround:
Manually fill in the appropriate values, or use tmsh or the REST API to edit those values.

Fix:
Vectors now inherit values from the parent profile.


637561-2 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only

Impact:
Wildcard wideips do not answer wildcard requests correctly.

Workaround:
Reload the mcpd database using the following commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.


637308-1 : apmd may crash when HTTP Auth agent is used in an Access Policy

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur under heavy load, when the AAA HTTP server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
The apmd daemon crashes. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.


637181-1 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update, traffic for an existing connection to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


637141-1 : TMM core after deleting POLICY and executing command: show net ipsec ike-sa.

Component: TMOS

Symptoms:
TMM core after deleting POLICY and executing the following command: show net ipsec ike-sa.

Conditions:
-- IKEv1 configured and tunnel established.
-- Traffic is running.
-- IKEv1 peer reconfigured with proxy support as disabled.

Impact:
TMM cores after some hours, or immediately after running the command: show net ipsec ike-sa. Traffic is disrupted while tmm restarts.

Workaround:
Do not delete a policy while an IPsec connection is active.

Fix:
TMM no longer cores after deleting POLICY and executing the following command: show net ipsec ike-sa.


637094 : The iRules LX streaming external data-group API may incorrectly not find a match.

Component: Local Traffic Manager

Symptoms:
The iRules LX streaming data-group API for external data-groups may incorrectly not find a match when the following commands are used:
- searchStartsWith (case insensitive search only)
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).

The following commands are not affected:
- matchEquals/searchEquals.
- matchStartsWith.

Conditions:
There are no conditions for the failure. Using the specified commands will most likely fail. Note: If the data-group is relatively small in size (e.g., approximately 10 records), it is possible that the issue will not happen.

Impact:
The specified commands will incorrectly not find a match when there is one.

Workaround:
None.

Fix:
The iRules LX streaming external data-group API now correctly finds a match when the following commands are used:
- searchStartsWith (case insensitive search only).
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).


636853-4 : Under some conditions, a change in the order of GTM topology records does not take effect.

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.


636790-4 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in with the Manager role, if a user attempts to modify an object this role does not have access to, the GUI posts a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, or Delete actions are initiated by a user without the proper permissions. These actions are not allowed for the Manager role, but the GUI makes it appear as if they are.

Workaround:
None.

Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.


636702-4 : BIND vulnerability CVE-2016-9444

Vulnerability Solution Article: K40181790


636700-1 : BIND vulnerability CVE-2016-9147

Vulnerability Solution Article: K02138183


636699-6 : BIND vulnerability CVE-2016-9131

Vulnerability Solution Article: K86272821


636675 : It is impossible to open MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access.

Component: Access Policy Manager

Symptoms:
It is impossible to open an MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access: the browser shows an error message.

Conditions:
- MS SharePoint 2013 accessed via Portal Access session;
- Internet Explorer 11 or MS Edge;
- MS Word installed locally;
- MS Word document in SharePoint library.

Impact:
The user cannot edit/browse MS Word documents from a SharePoint library in the local MS Word application.

Workaround:
There is no workaround for this bug.

Fix:
MS Word documents in a SharePoint 2013 library can now be opened in the local MS Word application via Portal Access.


636663 : "monpd: - Running monpd bigstart script." displayed on console at startup

Component: TMOS

Symptoms:
The following message is seen on the console when starting BIG-IP: "monpd: - Running monpd bigstart script."

Conditions:
AVR, SWG, APM, AFM, PEM or ASM is provisioned.

Impact:
An unnecessary message is seen on the console; it can be safely ignored.

Fix:
Message removed.


636613 : GUI allows creating New client SSL profile in read-only partition

Component: Local Traffic Manager

Symptoms:
The Client SSL Profile Ciphers Group/String option is not grayed out in a partition where editing is not allowed. This enables the "Create New Cipher Group [+]" button, which leads to the create client SSL profile page.

Conditions:
The new client SSL profile creation page is displayed in a read-only partition when the New Cipher Group (+) button is clicked on any Client SSL profile properties page.

Impact:
The GUI shows edit/create options when the user is in read-only mode.

Workaround:
The GUI only displays the create client SSL profile page; saving will fail.

Fix:
The Ciphers Group/String option is now grayed out on the client SSL profile page. If Cipher Group is selected, the [+] button is grayed out.


636520-1 : Detail missing from power supply 'Bad' status log messages

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included to indicate which characteristic of the power supply's state results in the 'Bad' overall status.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
The cause of the 'Bad' power supply status cannot be diagnosed at the default logging level, so it is not possible to determine whether the probable cause is a power supply hardware fault or an external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.


636479 : Hyper-V VE image fails to boot, stuck on "monpd: - Running monpd bigstart script." displayed on console at startup

Component: TMOS

Symptoms:
The following message is seen on the console when starting BIG-IP: "monpd: - Running monpd bigstart script." When booting in Hyper-V, this causes the VE to fail to fully boot.

Conditions:
AVR, SWG, APM, AFM, PEM or ASM is provisioned.

Impact:
The BIG-IP VE fails to fully boot in Hyper-V.

Fix:
Message removed.


636289-1 : Fixed a memory issue while handling TCP::congestion iRule

Component: Local Traffic Manager

Symptoms:
Increased memory usage in tmm.

Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.

Impact:
The memory allocated for congestion control is not freed.

Workaround:
If you want to use highspeed congestion control under some conditions, you can start with highspeed by selecting it in the TCP profile and then switch to another congestion control algorithm when the condition no longer holds. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed.

Fix:
Improved memory utilization while using TCP::congestion iRule.


636155 : Countries table bottom rows are hidden

Component: Application Visibility and Reporting

Symptoms:
When "Ignored filters" message appears for the Countries widget on DoS Visibility screen, scrolling to the bottom of the list is impossible since the bottom-most rows are hidden.

Conditions:
This can be seen on the DoS Visibility screen when scrolling to the bottom of the list.

Impact:
The country at the end of the table is not visible.

Workaround:
Change the sort order from Descending to Ascending to view the list in reverse.

Fix:
All rows are displayed regardless of what else is on the page.


636044-2 : Large number of glob patterns affects custom category lookup performance

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is less important than the observed effect of slow response times; however, more than 1000 glob patterns is known to cause significant performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.


636016 : VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic

Component: TMOS

Symptoms:
After a bigstart restart, traffic no longer flows because interface ordering can change.

Conditions:
A Virtual Edition configuration with more than one XL710 SR-IOV interface.

Impact:
VLANs are assigned to the wrong interfaces, and network traffic is blocked.

Workaround:
If VLANs do not exist or the config is not saved before the bigstart restart, there is nothing to be done except assigning the right VLAN to the desired interface (1.X) after the restart. The MAC address of each interface can be used to identify the desired interface.

If a config with VLANs is saved before the bigstart restart, run the following commands:
-- bigstart stop (this brings the data plane ethX devices down)
-- f5-swap-eth -s (this reassigns the interfaces)
-- bigstart start (this restarts the system).

Or you can reboot the guest.


635933 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Vulnerability Solution Article: K23440942 K13361021


635754-2 : Wildcard URL pattern match works incorrectly in Traffic Learning

Component: Application Security Manager

Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" prevents you from adding other wildcard destinations using Policy Builder.

Conditions:
Policy Builder is enabled. Policy Builder creates the wildcard URLs "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard URL, such as "/polo/images/*", the pattern match is incorrect and you cannot accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
To get suggestions for the correct wildcard match, remove "png" from the URL list in the policy. To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning.


635688 : backend<->GUI rest requests optimizations

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP GUI times out, or you are logged out periodically.

Conditions:
This can occur during normal use of the AVR GUI and is due to communication issues between the GUI and the BIG-IP via the REST API.

Impact:
You see a time-out window and pages that are not fully displayed.

Fix:
Fixed some GUI timeout issues when fetching data from the BIG-IP.


635680-1 : Link to DoS Visibility from a signature page starts with incorrect time-range

Component: Application Visibility and Reporting

Symptoms:
The link to DoS Visibility from a signature page starts with an incorrect time range.

Conditions:
This can occur on the Security :: DoS Protection :: Behavioral Signatures page.

Impact:
Data is displayed for the Last Hour, even though the signature might be older.

Workaround:
Change the time range manually.

Fix:
The correct time range is now loaded.


635189-1 : The mitigation changed during the attack and the dimensions are different between COMMON table and HTTP table so it is "clubbed" to 1 or few rows

Component: Application Visibility and Reporting

Symptoms:
If the mitigation changes during a snapshot, the hits are still counted for the old mitigation if no protocol-specific filter is applied.

Conditions:
Attack mitigation has changed.

Impact:
You see hit counts for the wrong mitigation.

Fix:
Fixed an issue with attack mitigation statistics.


635126-2 : Allow substitute value on fields sent by AJAX

Component: Fraud Protection Services

Symptoms:
"Full ajax encryption" was incompatible with substitute value.

Conditions:
Requirement to enable substitute value on AJAX forms.

Impact:
Substitute value could not be enabled.

Workaround:
N/A

Fix:
Substitute value and AJAX encryption can now be activated together.


635116-3 : Memory leak when using replicated remote high-speed logging.

Component: TMOS

Symptoms:
As a result of a known issue, when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.


635111-1 : New Application Ready Templates Available

Component: Application Security Manager

Symptoms:
Application Ready Templates for Drupal, Joomla, and Wordpress were missing from the 13.0.0 release.

Conditions:
None.

Impact:
Predefined templates for Drupal, Joomla, and Wordpress were missing.

Workaround:
Templates could be downloaded from https://devcentral.f5.com/d/new-asm-templates.

Fix:
Application Ready Templates for Drupal, Joomla, and Wordpress are now available in policy creation.


634132 : VE: virtio high performance driver (Linux/KVM)

Component: TMOS

Symptoms:
By default, the UNIC driver is used for virtio devices on Linux/KVM hypervisors, and at higher network speeds the soft IRQ interrupt load competes with tmm. This can be observed under load with the Linux "top" command, which shows ksoftirqd soft IRQ load.

Conditions:
Version 13.0.0 default behavior on Linux/KVM hypervisor with virtio nic(s) presented to the guest.

Note: To determine which driver is in use for each NIC, use the following command: tmctl -d blade tmm/device_probed.

Impact:
Potential performance issues (CPU utilization, throughput, connections/second).

Workaround:
None.

Fix:
For higher performance with virtio nics (relevant on Linux/KVM hypervisors), a new sys db variable supports switching to a TMM native driver.


634085-1 : IPsec tmm assert "ike_ctx tag"

Component: TMOS

Symptoms:
The tmm asserts with the message "ike_ctx tag."

Conditions:
This appears to happen only on VE with IKEv2 and IPv4; the probable cause is timing-related corruption.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The "ike_ctx tag" assert was replaced with an OOPS and the system logs the error and continues.


633985-1 : CS challenged URL is rejected on complex CPM/irule configurations

Component: Application Security Manager

Symptoms:
A request is rejected.

Conditions:
A CS challenge is in progress.
There is a complex CPM configuration or an iRule.

Impact:
The request is rejected.

Workaround:
N/A

Fix:
The request is no longer rejected in complex CPM configurations.


633879-2 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, save, and then restart; this sets up the daemon from a config file instead of via incremental config parsing. So while it does not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.


633723-4 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a "request queue stuck" error.

Conditions:
A Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot.

That is, when a log message such as the following appears:
Feb 27 07:39:07 localhost crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck

Impact:
Under the above conditions, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system will immediately fail over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay is only on rebooting the system which has already gone to standby mode.


633564-1 : Route unavailable when static route depends on another static route

Component: Local Traffic Manager

Symptoms:
Static route on the BIG-IP becomes unavailable after TMM restart, even though it's configured, and shows up in "list net route".

Conditions:
This occurs after restart, when a static route exists that depends on another static route. For example, a gateway route depends on an interface route.

Impact:
The route is unavailable for use; traffic that depends on the route is dropped if there are no alternate routes.

Workaround:
Remove the broken static route and re-add it.

Fix:
Route inter-dependencies no longer cause static routes to be unavailable after restart.


633391-2 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6 and IPv4 addresses within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under the Address Records row, whether string or int, and click Update.

Impact:
There is an "Error parsing IP address" message at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6 and IPv4 values within an existing data group.

Behavior Change:
Users can now modify and update data groups.


633091 : AVR debug messages are printed to screen when saving/loading sys config

Component: TMOS

Symptoms:
AVR debug messages are printed to the screen.

Conditions:
When running:
tmsh save sys ucs someUcs
or
tmsh load sys ucs someUcs

Impact:
You see debug messages; these can be ignored.

Workaround:
None.

Fix:
Run tmsh save/load sys ucs someUcs and verify that AVR messages are not printed.
Example of a debug message:
11:24:42 Running cs_save_pre_script on Mon Dec 12 11:24:42 PST 2016


632668-6 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.


632504-2 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even when they are assigned via a normal resource assign agent, are listed under dynamic resources as opposed to static ones.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in the advanced settings is it confusing that a static resource is listed only in the dynamic resource list, with a prompt to include it as a dynamic resource. Doing so does not cause any harm, but it is unnecessary.

Workaround:
If a resource is static, do not select it as a dynamic resource.

Fix:
Static non-LSO resources such as webtop are now listed in the static resource list in the advanced settings dialog for policy sync.


632499-2 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Component: Access Policy Manager

Symptoms:
Resources put under the webtop section, such as webtop links and portal access, must be included as dynamic resources or else sync fails.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-created portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Include those resources as dynamic resources in the Policy Sync advanced settings.

Fix:
Users can now sync a profile with resources under the webtop section without manually including them as dynamic resources.


632069-2 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security


632060-2 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header

Component: iApp Technology

Symptoms:
When upgrading to the 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to the following:

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks

causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
If your device has an iApps LX application, that application will not synchronize to the standby device. If a failover occurs, the iApps LX application will appear to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or a 13.0.x hotfix.


631715-2 : ASM::disable does not disable client side challenges

Component: Application Security Manager

Symptoms:
ASM::disable command was run but a challenge was still sent.

Conditions:
An iRule that calls ASM::disable is attached, and a CS or DID challenge is configured.

Impact:
An unexpected JS challenge arrives

Workaround:
N/A

Fix:
Challenges are no longer sent once the ASM::disable command has run.


631688-8 : Multiple NTP vulnerabilities

Vulnerability Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302


631572 : Cryptic error relating to the liveinstall.movelicense DB variable

Component: TMOS

Symptoms:
Unable to install, with an error containing, "Could not access license source".

Conditions:
liveinstall.movelicense needs to be disabled (with the config saved).
lind may need to be restarted (or the system rebooted after the change).
A new slot (nonexistent volume) needs to be chosen for the new installation.

Impact:
Installation fails when this DB variable is set.

Workaround:
Enable liveinstall.movelicense (or reset-to-default).
Save the configuration.
bigstart restart lind.
Either the aborted installation will resume, or a new one will succeed.

Fix:
A more helpful message is now provided:

failed (--nomovelicense specified, but target volume (1) does not exist.)


630712 : After provisioning change, Dimension Widgets on DoS Visibility pages are incorrect

Component: Advanced Firewall Manager

Symptoms:
The Dimension Widgets list is defined upon first access to a DoS page during a browsing session. This means that if provisioning changes during that session, the widgets that are displayed may be incorrect.
When un-provisioning modules it is not a problem since every widget goes through a licensing/provisioning validation before being added to the page.
However, if adding a new module to provisioning, new widgets will not be added until the window/tab is closed and a new browsing session starts, or until "Reset Layout" is performed.

Conditions:
Change of provisioning modules during browsing session

Impact:
List of dimension widgets is not up to date with current provisioning

Workaround:
Workaround 1: closing and opening the window or tab.
Workaround 2: choosing "Reset Layout" option from the cog menu.

Fix:
List of widgets is now determined by what's actually provisioned.


630611-3 : PEM module crash when subscriber not found

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEGV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.


630610-1 : BFD session interface configuration may not be stored on unit state transition

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration is missing from the ZebOS running config, and no BFD sessions are established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.


630390-1 : Client Side challenges and device ID do not work on a virtual server that also has APM

Component: Application Security Manager

Symptoms:
Client side challenges do not work when APM is enabled in clientless mode.

Conditions:
APM is on the same virtual server as ASM.
APM is running in clientless mode.

Impact:
Device ID related features do not work correctly.

Workaround:
N/A

Fix:
Challenges are now sent when APM is in the chain.


629921-3 : [SWG] NTLM 407-based front end auth and passthrough 401-based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configured, while the client is performing NTLM auth for the backend, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, sinks the request and generates a 407 to the client to request proxy authentication.

Conditions:
Set up SWG for auth with NTLM credentials.
Access a proxied resource which also requires NTLM auth.

Impact:
Backend server access is restricted.

Workaround:
None


629752 : On DoS Visibility pages, metrics from unprovisioned modules are displayed in the widgets

Component: Advanced Firewall Manager

Symptoms:
When either ASM or AFM is not provisioned, Dimension Widgets still show metrics that belong to that module.

Conditions:
Have either ASM or AFM provisioned, but not both

Impact:
Metrics that are not applicable to the given system are shown.

Workaround:
N/A

Fix:
Only metrics belonging to provisioned modules will be presented to the user.


629491-1 : REST token storage improvement

Component: Device Management

Symptoms:
Under some conditions, it is possible to exceed the capacity of the REST token storage subsystem

Conditions:
REST interface in heavy use by authenticated users

Impact:
Unable to generate additional REST tokens

Fix:
Improve handling of REST tokens under high usage conditions


629085-2 : Any CSS content truncated at a quoted value leads to a segfault

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.
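The defect above is the general parser failure of scanning past the end of input while looking for a closing quote. The following Python tokenizer is an added example, not BIG-IP's rewrite code: it follows the CSS Syntax Module's rule that an unterminated string becomes a 'bad-string' token, and a simplified rewrite pass then copies bad strings through untouched, so truncated CSS such as .c1 {background-image: url('some round-trips instead of crashing the rewriter. The function names, the prefix-rewriting rule (a stand-in for URL rewriting) and the sample CSS are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Token:
    kind: str   # "string" (properly closed), "bad-string" (unterminated) or "other"
    text: str   # raw source text covered by the token, quotes included


def tokenize_css(css: str) -> List[Token]:
    """Split CSS into quoted-string tokens and everything else.

    If end-of-input (or a bare newline) is reached before the closing quote,
    the partial text is emitted as a 'bad-string' token. The scanner never
    reads past the end of the buffer, which is the failure the fix addresses.
    """
    tokens: List[Token] = []
    i, n = 0, len(css)
    other_start = 0
    while i < n:
        quote = css[i]
        if quote not in "\"'":
            i += 1
            continue
        if i > other_start:
            tokens.append(Token("other", css[other_start:i]))
        j = i + 1
        closed = False
        while j < n:
            c = css[j]
            if c == "\\":
                j += 2          # backslash escape: skip the escaped character
                continue
            if c == quote:
                closed = True
                break
            if c == "\n":
                break           # an unescaped newline also ends a bad string
            j += 1
        if closed:
            tokens.append(Token("string", css[i:j + 1]))
            i = j + 1
        else:
            end = min(j, n)     # j may overshoot by one after a trailing backslash
            tokens.append(Token("bad-string", css[i:end]))
            i = end
        other_start = i
    if other_start < n:
        tokens.append(Token("other", css[other_start:]))
    return tokens


def rewrite_css_strings(css: str, old_prefix: str, new_prefix: str) -> str:
    """Rewrite every complete quoted string that starts with old_prefix
    (assumed simplification of URL rewriting). Bad strings and all other
    text are copied verbatim, so truncated input is returned unchanged."""
    out = []
    for tok in tokenize_css(css):
        if tok.kind == "string":
            q = tok.text[0]
            inner = tok.text[1:-1]
            if inner.startswith(old_prefix):
                inner = new_prefix + inner[len(old_prefix):]
            out.append(q + inner + q)
        else:
            out.append(tok.text)
    return "".join(out)


# Constructed samples: the truncated CSS from the symptom description and a
# well-formed counterpart.
TRUNCATED_CSS = ".c1 {background-image: url('some"
COMPLETE_CSS = ".c1 {background-image: url('/img/bg.png')}"
```

Running tokenize_css(TRUNCATED_CSS) yields an "other" token for the prefix and a "bad-string" token for 'some; rewrite_css_strings returns the truncated input unchanged, while the complete sample has its URL prefix rewritten.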


629017 : Comparison Charts are alive only while staying on the page

Component: Advanced Firewall Manager

Symptoms:
Comparison Charts are not persisted and if the page is reloaded or navigated away from in any other way, the charts will be lost.

Conditions:
Refreshing the page while looking at comparison charts.

Impact:
Settings are not preserved; you must reconfigure them to see the comparison.

Workaround:
None.

Fix:
All chart configuration, including comparison charts, is now persisted for the navigation session (as long as the browser tab is open), even if the page is reloaded or navigated away from.


629013 : Right pane display does not respect the Pin Selected function when a filter has just been applied

Component: Advanced Firewall Manager

Symptoms:
Applying a filter while the Pin Selected function is enabled does not work. After disabling and re-enabling Pin Selected, everything works and the filtered entities are pinned.

Conditions:
N/A

Impact:
N/A

Workaround:
Disable and re-enable Pin Selected option

Fix:
When changing filters from outside of the widget, the widget will update the position of its selected entities.


628337-2 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way that can be applied to all URLs protected in a profile. If that is not possible because of the HTML structure of some URL, the HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.


628164-4 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute a different route type, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.


627747 : Improve cURL Usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage


627695-1 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational

Component: Local Traffic Manager

Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.

Conditions:
Issue happens when running safenet-sync.sh -u.

Impact:
No impact.

Workaround:
None.

Fix:
In this release, there is no Yes or No option for the SafeNet uninstall command 'safenet-sync.sh -u'.


627554-1 : Partition of LTM policies is displayed in breadcrumb rather than properties table row

Component: TMOS

Symptoms:
There is no 'Partition/Path' row on LTM policies properties page. Instead the partition is displayed in the breadcrumb at the top of the page.

Conditions:
This is encountered when selecting an LTM policy.

Impact:
Partition/Path not displayed.

Workaround:
None.

Fix:
The partition was removed from the properties page breadcrumb and added as a 'Partition/Path' row to match the behavior of other LTM properties pages.


626861-1 : Ensure unique IKEv2 sequence numbers

Component: TMOS

Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.

Conditions:
When a sufficiently large number of tunnels is in use (e.g., numbering in the thousands), the odds of generating a duplicate sequence number are relatively high, given the number of random bits used to generate the number. More tunnels make a collision more likely.

Impact:
On a sequence number collision, the new negotiation might confuse an old SA and probably never complete negotiation of the new SA. In addition, the system might crash if the old SA is updated in a state where an update is not expected.

Workaround:
None.

Fix:
BIG-IP now uses more random bits in generated sequence numbers, and always checks whether a new sequence number is currently in use anywhere else before proceeding. Collisions therefore cannot be generated in sequence number allocation, and new numbers are guaranteed unique.
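To make the two parts of the fix concrete, the following Python example is added here and is not F5's implementation: it draws the identifier (the page calls it a sequence number) from a wider random space and rejects any candidate already held by a live SA, and it computes the birthday-bound probability that a batch of n tunnels produces a duplicate, which shows why thousands of SAs make collisions likely when the identifier has few bits. The class and function names, the bit widths and the tunnel counts are assumptions for the illustration.

```python
import math
import secrets


class SequenceNumberAllocator:
    """Allocates identifiers as the fix describes: a random draw from a
    `bits`-wide space followed by rejection of any value already in use
    (assumed design for illustration, not BIG-IP's code)."""

    def __init__(self, bits: int, in_use=()):
        self.bits = bits
        self.space = 1 << bits
        self.in_use = set(in_use)     # numbers held by live IKE SAs and child SAs

    def allocate(self) -> int:
        if len(self.in_use) >= self.space:
            # Otherwise the rejection loop below would never terminate.
            raise RuntimeError("identifier space exhausted")
        while True:
            candidate = secrets.randbits(self.bits)
            if candidate not in self.in_use:   # the uniqueness check the fix adds
                self.in_use.add(candidate)
                return candidate

    def release(self, number: int) -> None:
        """Called when an SA is deleted so its number can be reused."""
        self.in_use.discard(number)


def single_draw_collision_probability(bits: int, live: int) -> float:
    """Chance that one fresh random draw, without the in-use check, lands on
    one of `live` numbers already allocated."""
    return live / float(1 << bits)


def batch_collision_probability(bits: int, n: int) -> float:
    """Birthday-bound approximation: probability that among n independent
    draws from a 2**bits space at least two are equal,
    1 - exp(-n(n-1) / (2 * 2**bits)). expm1 keeps precision when the
    exponent is tiny (wide identifiers)."""
    return -math.expm1(-n * (n - 1) / (2.0 * (1 << bits)))


def allocate_batch(bits: int, n: int) -> list:
    """Allocate n identifiers from a fresh allocator; all are distinct by
    construction because of the in-use check."""
    alloc = SequenceNumberAllocator(bits)
    return [alloc.allocate() for _ in range(n)]
```

With a 16-bit identifier and 4000 tunnels the batch collision probability is essentially 1, while a 64-bit identifier makes it negligible; the in-use check guarantees uniqueness regardless of width, at the cost of more retries as the space fills.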


626594-3 : No way to perform a soft server certificate verification

Component: Local Traffic Manager

Symptoms:
There is no way to perform a soft server certificate verification.

Conditions:
Server-side SSL forward proxy when 'server certificate' is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore'.

Impact:
No way to perform a soft server certificate verification and continue the handshake as though the verification is OK, even if it is not OK.

Workaround:
None.

Fix:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.

When this sys db variable is 'enabled', calling SSL::verify_result will return a soft verify_result value.

Typical use case:
This is used in the server-side SSL forward proxy when 'server certificate' is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore', but a soft server certificate verification is still wanted.

Behavior Change:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.

When this sys db variable is 'enabled', calling SSL::verify_result will return a soft verify_result value.

Typical use case:
This is used in the server-side SSL forward proxy when 'server certificate' is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore', but a soft server certificate verification is still wanted.


626386-2 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.
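The symptom above is a classic handshake-reassembly mistake: treating the first bytes of every TLS record as a fresh handshake header, when a handshake message may span several records. The following Python example is added here and is not BIG-IP's parser; it builds a constructed client flight (an oversized Certificate, a ClientKeyExchange and a CertificateVerify), fragments it into handshake records, and shows a reassembler that buffers across record boundaries beside the defective per-record reading, which on the second record produces a nonsensical length and would wait forever for bytes that never come. The record size, message sizes and helper names are assumptions.

```python
import struct
from typing import List, Tuple

CONTENT_HANDSHAKE = 22          # TLS record ContentType for handshake
TLS12 = 0x0303
HT_CERTIFICATE = 11             # HandshakeType values from RFC 5246
HT_CERTIFICATE_VERIFY = 15
HT_CLIENT_KEY_EXCHANGE = 16
DEMO_FRAGMENT = 2048            # assumed record size for the demo (the real limit is 2**14)


def handshake_message(msg_type: int, body: bytes) -> bytes:
    """Handshake framing: 1-byte type, 3-byte body length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def fragment_into_records(stream: bytes, max_fragment: int) -> List[bytes]:
    """Wrap a handshake byte stream in TLS records of at most max_fragment
    bytes. Record boundaries fall wherever the size limit puts them, so a
    large message is split and a later record begins mid-message."""
    records = []
    for off in range(0, len(stream), max_fragment):
        chunk = stream[off:off + max_fragment]
        records.append(struct.pack("!BHH", CONTENT_HANDSHAKE, TLS12, len(chunk)) + chunk)
    return records


def naive_header_of_record(record: bytes) -> Tuple[int, int]:
    """The defective reading described in the symptoms: assume every record
    starts a new handshake message and parse a header from its first bytes.
    For a record that begins mid-message this yields a bogus type and length."""
    payload = record[5:]
    return payload[0], int.from_bytes(payload[1:4], "big")


class HandshakeReassembler:
    """Buffers handshake record payloads and emits only complete messages."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, record: bytes) -> List[Tuple[int, bytes]]:
        ctype, _version, length = struct.unpack("!BHH", record[:5])
        payload = record[5:]
        if ctype != CONTENT_HANDSHAKE or len(payload) != length:
            raise ValueError("not a complete handshake record")
        self._buf += payload
        complete = []
        while len(self._buf) >= 4:
            msg_type = self._buf[0]
            msg_len = int.from_bytes(self._buf[1:4], "big")
            if len(self._buf) < 4 + msg_len:
                break       # message continues in a later record: wait, do not reparse
            complete.append((msg_type, bytes(self._buf[4:4 + msg_len])))
            del self._buf[:4 + msg_len]
        return complete

    def pending(self) -> int:
        """Bytes of a not-yet-complete message still buffered."""
        return len(self._buf)


def reassemble(records: List[bytes]) -> Tuple[List[Tuple[int, bytes]], int]:
    """Feed all records through one reassembler; return messages and leftover bytes."""
    r = HandshakeReassembler()
    messages: List[Tuple[int, bytes]] = []
    for rec in records:
        messages.extend(r.feed(rec))
    return messages, r.pending()


def sample_client_flight() -> List[bytes]:
    """Constructed client flight: a 5000-byte Certificate (large client cert),
    a ClientKeyExchange and a CertificateVerify, fragmented into records."""
    stream = (handshake_message(HT_CERTIFICATE, b"\xaa" * 5000)
              + handshake_message(HT_CLIENT_KEY_EXCHANGE, b"\xbb" * 256)
              + handshake_message(HT_CERTIFICATE_VERIFY, b"\xcc" * 258))
    return fragment_into_records(stream, DEMO_FRAGMENT)
```

The reassembler recovers the three messages with their full lengths and leaves nothing pending, whereas the naive reading of the second record (which starts inside the certificate body) reports a message of more than eleven megabytes, far larger than the whole flight.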


625892-1 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Deliver integer multiples of the MSS to the TSO hardware when Nagle's algorithm applies.


624896-1 : GUI LTM Virtual Server Connection Limit and Connection Rate Limit

Component: TMOS

Symptoms:
Depending on the Virtual Server Type selection the Connection Limit and Connection Rate Limit may or may not be supported.

When changing the Virtual Server Type the GUI sometimes displays or hides the Connection Limit and/or Connection Rate Limit inconsistently.

Conditions:
When switching between Types, the Connection Limit and Connection Rate Limit may or may not be displayed or hidden correctly for the selected type.

Impact:
When updating the Virtual Server, if a value is persisted when it is not supported, the user will get an error. Or if a value is supported, but not visible, you cannot set the value through the GUI.

Workaround:
For values that are saved when they are not supported and the user gets an error, the user can set the value to 0. If the Connection Limit or Connection Rate Limit is not displayed in the GUI, the user can use tmsh to set the value.

Fix:
Ensure GUI is displaying and hiding Connection Limit and Connection Rate Limit correctly for each Virtual Server Type.


624722 : Linux kernel vulnerability CVE-2016-7117

Vulnerability Solution Article: K51201255


623362-1 : Oversized pool member input

Component: TMOS

Symptoms:
In the System :: High Availability : Fail-safe : Gateway property page in the GUI, you are allowed to enter a pool member count higher than the maximum of 65535.

Conditions:
This occurs when entering a minimum pool member count. The limit is 0-65535 but the GUI allows you to enter a higher number.

Impact:
If you enter a higher number, a validation error will occur: "Value out of range. Correct Range: 0 - 65535"

Fix:
The pool member input field is now limited to 5 characters.


622160 : ICMPv6 packets can have the wrong source IP if an IPv6 VIP has IPv4 pool members

Component: Local Traffic Manager

Symptoms:
The ICMPv6 packet has the source IP of the IPv4-mapped IPv6 self IP address instead of the IPv6 self IP address configured on the unit.

Conditions:
An IPv6 forwarding VIP with no translation references IPv4 pool members, and the PMTU to the next hop is less than the packet size sent by the server.

Impact:
ICMPv6 packets with wrong source IP addresses


621976-5 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working OneDrive for Business app.

Workaround:
Click through the javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621974-5 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working Skype For Business app.

Workaround:
Click through the javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621379-1 : TCP Lossfilter not enforced after iRule changes TCP settings

Component: Local Traffic Manager

Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.

Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.

An iRule changes any of the above settings except loss-filter.

Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.

Workaround:
Change any of the conditions above.

Fix:
Properly handle loss-filter state when switching TCP stacks.


620759-3 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.

Conditions:
If the persist timeout value is higher than 65535, the value gets truncated.

Impact:
An incorrect persist timeout, different from the value set in the config, takes effect for the call.

Workaround:
None.

Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.


620659-4 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


620625-3 : Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail

Component: Local Traffic Manager

Symptoms:
When Connection.VlanKeyed is modified, asymmetric/npath connections may fail.

Conditions:
Connection.VlanKeyed bigd key is modified.

Impact:
Asymmetric/npath routed connections may fail.

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Changing Connection.VlanKeyed no longer causes asymmetric/npath connections to fail.


619593-1 : Provisioning page table cells overlap

Component: TMOS

Symptoms:
Cells in the provisioning page table overlap when they contain long strings.

Conditions:
Cells in the provisioning page table contain long strings.

Impact:
The cells will overlap.

Workaround:
None.

Fix:
Cells in the provisioning page table no longer overlap when they contain long strings.


618430-1 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs


618332-3 : No event triggered when the system receives a certificate message from the server.

Component: Local Traffic Manager

Symptoms:
There is no event triggered when the system receives a certificate message from the server.

Conditions:
System receives a certificate message from the server.

Impact:
No event triggered.

Workaround:
None.

Fix:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified on the server side.

Behavior Change:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified.


617901-9 : GUI to handle file path manipulation to prevent GUI instability.

Component: TMOS

Symptoms:
Request file path may be incorrectly processed

Conditions:
Authenticated administrative user makes a GUI request

Impact:
The GUI becomes unstable because it cannot process the request.

Fix:
Redirect the user to a No Access page.


615372 : Occasional TCP resets during connection initiation (RST cause is "No local listener")

Component: TMOS

Symptoms:
Occasionally, the BIG-IP will send a TCP RST in response to an initial SYN with the reset cause "No local listener". This does not affect subsequent connections from the client, so they are likely to succeed.

The reset cause for a packet can be logged by setting the DB variable TM.rstcause.log to enable. The reset cause can be sent in the RST packet by setting the DB variable TM.rstcause.pkt to enable.

Conditions:
A virtual server is configured to use TCP and a client initiates a connection.

Impact:
The attempted connection is reset. Subsequent attempts are likely to succeed.

Workaround:
None.

Fix:
The icr_eventd daemon was updated to use TCP connections more efficiently.


615267 : OpenSSL vulnerability CVE-2016-2183

Vulnerability Solution Article: K13167034


615226 : Libarchive vulnerabilities: CVE-2016-8687 and others

Vulnerability Solution Article: K13074505


614804-1 : libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141

Component: TMOS

Symptoms:
Under certain conditions, processes using libcurl may reuse existing TCP connections that should be isolated.

Conditions:
Custom programs installed on BIG-IP and using libcurl may be affected.

Impact:
Libcurl is present on BIG-IP systems but is not used in a vulnerable way by any standard processes.

Fix:
Update libcurl to non-vulnerable version


611691-6 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.

Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.


611161-4 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs and the generated ARP requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers when it should not have.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.


610485-1 : Attacks chart has no time axis

Component: Application Visibility and Reporting

Symptoms:
Attacks chart has no time axis

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Standard AVR Chart time axis has been added


610307-4 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.


610201-1 : Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event

Component: Local Traffic Manager

Symptoms:
The invocation of HTTP::payload iRule API within the HTTP_REQUEST_SEND iRule event may lead to undefined behavior, such as retrieval of invalid HTTP data, or system crash.

Conditions:
The problem manifests itself exclusively with iRules attached to HTTP virtual servers, where the iRules are using the HTTP::payload API invocation within the HTTP_REQUEST_SEND server-side event.

Impact:
Corrupted HTTP data or system crash may result from the invocation of the HTTP::payload API within the HTTP_REQUEST_SEND iRule event.

Workaround:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.

Fix:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.


610122 : Hotfix installation fails: can't create /service/snmpd/run

Component: TMOS

Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.

Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.

Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.

Workaround:
- Install the hotfix directly to a new slot which has not been booted into before using a command similar to the following:
     tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4


609995-1 : Device Connectivity tabs not properly highlighted

Component: TMOS

Symptoms:
The Failover Network and Mirroring tabs in Device Connectivity aren't properly highlighted.

Conditions:
Clicking on "System :: High Availability :: Device Connectivity :: Failover Network" menu option and the "System :: High Availability :: Device Connectivity :: Mirroring" menu option.

Impact:
Displays the "Device Management :: Devices :: [device name]" page but doesn't highlight the tab. Highlighting works for ConfigSync tab only. "Failover Network and Mirroring" should be highlighted as well.

Workaround:
None.

Fix:
The Failover Network and Mirroring tabs in Device Connectivity are now highlighted as expected.


609200-1 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.


608304-2 : TMM crash on memory corruption

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.


608245-1 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A


607246-8 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile.

Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a reasonably short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred, which allows persistence on either an encrypted or a decrypted cookie.


606710-11 : Mozilla NSS vulnerability CVE-2016-2834

Vulnerability Solution Article: K15479471


605792 : Installing a new version changes the ownership of administrative users' files

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed:

chown 0 /home/theuser/.ssh/authorized_keys

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer prevented from using stored public keys in authorized_keys.
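The ownership rule described above is the one sshd enforces with StrictModes (the default): an authorized_keys file is honored only if it is owned by the authenticating user or by root and is not writable by group or others. For a BIG-IP administrative account, whose UID the page states is 0, "the user" and "root" coincide, so a file reassigned to a nonzero UID is silently ignored. The following check is an added example, not BIG-IP or OpenSSH code; it reports each violation it finds, and the `self_check` helper builds a constructed temporary file so the function can be exercised without touching a real home directory.

```python
"""Verify that an authorized_keys file satisfies sshd's ownership and
permission rules (StrictModes). Added example, not BIG-IP code.
"""
import os
import stat
import tempfile
from typing import List, Optional

# UID of the process running this example; used by self_check only.
CURRENT_UID = os.getuid()


def check_authorized_keys(path: str, expected_uid: int) -> List[str]:
    """Return a list of problems; an empty list means sshd would accept
    the file as far as ownership and mode are concerned."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    # sshd accepts the file if it is owned by the user or by root (uid 0).
    if st.st_uid not in (expected_uid, 0):
        problems.append(
            f"{path}: owned by uid {st.st_uid}, expected {expected_uid} or 0 "
            f"(fix: chown {expected_uid} {path})"
        )
    # Group- or world-writable files are rejected regardless of owner.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group/others (fix: chmod go-w {path})")
    return problems


def self_check(mode: int = 0o600, expected_uid: Optional[int] = None) -> List[str]:
    """Create a constructed temporary authorized_keys file with the given
    mode, run the check against it, and clean up. expected_uid defaults
    to the current user so the ownership rule is satisfied."""
    if expected_uid is None:
        expected_uid = CURRENT_UID
    fd, path = tempfile.mkstemp(prefix="authorized_keys_example_")
    try:
        os.write(fd, b"ssh-ed25519 AAAA...constructed-placeholder-key... example\n")
        os.close(fd)
        os.chmod(path, mode)
        return check_authorized_keys(path, expected_uid)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o600, 0o664):
        print(oct(mode), self_check(mode) or "ok")
```

A full replica of sshd's check would also walk the parent directories (the home directory and `~/.ssh`) with the same rules; this example stops at the file itself, which is the part the page's workaround addresses.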


603746 : DCDB security hardening

Component: WebAccelerator

Symptoms:
The DCDB utility, as used in AAM processing, does not use current secure coding practices.

Conditions:
AAM active

Impact:
DCDB usage does not follow current secure coding practices.

Fix:
Update DCDB use to meet current secure coding standards.


603658 : AAM security hardening

Component: WebAccelerator

Symptoms:
The wamd process, as used in AAM processing of images and PDFs, does not use current secure coding practices.

Conditions:
AAM active
Image and/or PDF optimization enabled by policy

Impact:
wamd does not follow current secure coding practices.

Fix:
Update wamd to meet current secure coding standards.


603609-1 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
The policy is unable to catch the request when the HTTP URI path is configured to match a value anywhere in the path, or in the initial path segment, and the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential matches with absolute URIs or in the query string.


600205-1 : OpenSSL Vulnerability: CVE-2016-2178

Vulnerability Solution Article: K53084033


598289 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In TMSH, when trying to add a pool member whose name is in the format <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.

Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members whose names are in the format <ipv4>:<number>:<service port>.

Impact:
TMSH fails to load the system configuration file.

Workaround:
None.

Fix:
TMSH now allows pool members to have names in the format <ipv4>:<number>:<service port>, so valid pool members pass TMSH checks without error.


598024-1 : FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows

Component: TMOS

Symptoms:
On ePVA platforms, if a FastL4 profile is configured with an immediate idle timeout and the flow was offloaded while embryonic, the server still acts as if the flow has not timed out, and continues to send packets to the client.

Conditions:
Flows that pass through a virtual IP with an "idle-timeout immediate" setting may not behave as expected.

Impact:
Some flows that should have timed out and should no longer exist are still alive.

Workaround:
Set "pva-acceleration" to "none" for the FastL4 profile.

Fix:
All flows that go through a virtual IP configured with a FastL4 profile whose idle-timeout is set to immediate now time out immediately, as expected.


598002-9 : OpenSSL vulnerability CVE-2016-2178

Vulnerability Solution Article: K53084033


596924-1 : Bot signatures are not reported in the PBD log when the PBD is turned off

Component: Advanced Firewall Manager

Symptoms:
Bot signatures are matched but not reported.

Conditions:
Proactive bot defense (PBD) is turned off. Bot signatures are turned on.

Impact:
Missing logs on bot signatures.

Workaround:
N/A

Fix:
Matched bot signatures are now reported.


594228-1 : Resetting mgmt interface statistics doesn't work on VE or VCMP

Component: TMOS

Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.

Conditions:
Only on VE or VCMP

Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.

Fix:
This command
$ tmsh reset-stats net interface mgmt
resets mgmt interface statistics properly.


590091-4 : Single-line Via headers separated by a single comma result in the first character of the second header being stripped.

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
The leading character of the second Via header is stripped, e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.

Fix:
Removing the first Via header no longer strips the leading character from the second Via when headers are separated by a comma (',').
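The defect above is an off-by-one when consuming the comma that separates folded Via values. The following is an added example (not BIG-IP code) of a header-list splitter that removes the topmost Via element without touching the next one, and that also leaves commas inside double-quoted parameter values alone, which a naive `split(',')` would not. The sample header values are constructed.

```python
"""Remove the first element of a comma-folded Via header value.
Added example, not BIG-IP code.
"""
from typing import List


def split_header_list(line: str) -> List[str]:
    """Split a comma-separated header value into its elements.

    Commas inside double-quoted strings are not separators, and a
    backslash inside quotes escapes the next character. Surrounding
    whitespace is trimmed from each element and empty elements dropped.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\" and i + 1 < len(line):
            # Escaped character inside a quoted string: keep both bytes.
            buf.append(c)
            buf.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def remove_first_via(line: str) -> str:
    """Drop the topmost Via element and re-join the remainder.

    Because the separator is consumed by the splitter rather than by
    indexing past it, the first character of the next element survives.
    """
    return ", ".join(split_header_list(line)[1:])


if __name__ == "__main__":
    # Constructed sample: two Via values folded onto one line.
    sample = ("SIP/2.0/UDP proxy.example.net;branch=z9hG4bKa1,"
              "SIP/2.0/TCP 192.0.2.7;branch=z9hG4bKb2")
    print(remove_first_via(sample))
```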


588414-1 : Displaying application components reports an error

Component: TMOS

Symptoms:
Displaying an iApp which contains an iRule from an iLX workspace reports an error.

Conditions:
Displaying an iApp which contains an iRule from an iLX workspace.

Impact:
The components page reports an error.

Workaround:
Use tmsh.

Fix:
Displaying application components no longer reports an error.


582773 : DNS server for child zone can continue to resolve domain names after revoked from parent

Component: Global Traffic Manager (DNS)

Symptoms:
See CVE-2012-1192. A domain name in a child server may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.

Conditions:
A steady series of DNS queries for a domain name in the child. The TTL for the domain name A record is shorter than the TTL for the NS record for the child name server. The NS record is removed from the parent server.

Impact:
A client will still use the child server after it has been revoked.

Workaround:
Restart the TMM to clear out the cache.

Fix:
Do not update the NS record TTL to the value returned from the child server.
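The fix above addresses the "ghost domain" pattern referenced by CVE-2012-1192: a child server keeps answering with its own NS record carrying a long TTL, and a cache that refreshes the delegation's TTL from those answers never lets the delegation expire, even after the parent has removed it. The simulation below is an added example, not BIG-IP code; it models a minimal resolver cache with and without the fix and shows which one still resolves the child long after the parent's NS TTL has elapsed. Zone names, TTLs and times are constructed.

```python
"""Minimal resolver-cache model for NS TTL refresh from a child server.
Added example, not BIG-IP code.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Delegation:
    server: str
    expires_at: int  # absolute time in seconds


class ResolverCache:
    def __init__(self, accept_child_ns_ttl: bool) -> None:
        # True models the pre-fix behaviour (refresh NS TTL from the child);
        # False models the fix (keep the TTL learned from the parent).
        self.accept_child_ns_ttl = accept_child_ns_ttl
        self.delegations: Dict[str, Delegation] = {}

    def learn_from_parent(self, zone: str, server: str, ttl: int, now: int) -> None:
        """NS record learned from the parent, which is authoritative for it."""
        self.delegations[zone] = Delegation(server, now + ttl)

    def answer_from_child(self, zone: str, ns_ttl: int, now: int) -> None:
        """The child's answer also carries its own NS record with ns_ttl."""
        d = self.delegations.get(zone)
        if d is None:
            return
        if self.accept_child_ns_ttl:
            d.expires_at = max(d.expires_at, now + ns_ttl)

    def usable(self, zone: str, now: int) -> bool:
        d = self.delegations.get(zone)
        return d is not None and now < d.expires_at


def child_still_resolves(accept_child_ns_ttl: bool,
                         parent_ns_ttl: int = 3600,
                         a_ttl: int = 60,
                         child_ns_ttl: int = 3600,
                         check_at: int = 7200) -> bool:
    """Steady queries every a_ttl seconds (the A record keeps expiring),
    each answered by the child with an NS record of child_ns_ttl. The
    parent revokes the delegation right after it is cached, so the cache
    never re-learns it; only the cached entry can keep it alive. Returns
    whether the child is still used at check_at."""
    cache = ResolverCache(accept_child_ns_ttl)
    cache.learn_from_parent("child.example.", "ns.child.example.", parent_ns_ttl, 0)
    for now in range(0, check_at + 1, a_ttl):
        if cache.usable("child.example.", now):
            cache.answer_from_child("child.example.", child_ns_ttl, now)
    return cache.usable("child.example.", check_at)


if __name__ == "__main__":
    print("refresh from child :", child_still_resolves(True))   # ghost domain
    print("keep parent TTL    :", child_still_resolves(False))  # expires
```

With `check_at` well past the parent's 3600 s TTL, only the cache that refreshes from the child keeps resolving; the fixed cache stops at the parent's expiry, which is the behaviour the fix text describes.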


581746-6 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a Virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a Virtual Server.

Impact:
A System outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile.

Fix:
An issue with handling of MPTCP traffic has been corrected.


578076 : OpenSSL vulnerability CVE-2016-0800

Vulnerability Solution Article: K23196136


578017 : CVE-2016-0800 : SSLV2 "DROWN" Vulnerability

Vulnerability Solution Article: K23196136


575642 : rst_cause of "Internal error"

Component: Local Traffic Manager

Symptoms:
The rst_cause may be logged as "Internal Error". An rst_cause of "Internal error" does not give a narrow reason for the reset. It means that none of the other reset causes was matched, and the exact issue cannot be determined from this generic error.

Conditions:
Heavy/normal production network usage.

Impact:
System problem diagnosis is more difficult.

Workaround:
N/A


572272 : BIG-IP - Anonymous Certificate ID Enumeration

Component: TMOS

Symptoms:
Requests to the BIGIP mgmt API verify parameters separately and can return responses that indicate which parameter was invalid.

Conditions:
--

Impact:
Possible disclosure of the em_server_ip field of valid client certificates. This does not reveal the certificate needed for authentication.

Workaround:
--

Fix:
When these parameters are invalid the external response no longer indicates the specific reason. The reason is still logged in the apache logs for administrator review.

Behavior Change:
Whenever a communication starts between BIG-IQ and BIG-IP, two certificates are exchanged to avoid using the credentials on every request. Once they are shared, BIG-IQ stops using BASIC authorization and switches to an authorization relying on two parameters that are sent in the URL: em_server_ip and em_server_auth_token.

When these parameters are invalid for some reason, the 401 response no longer indicates the reason. The reason is still logged in the apache logs.
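The fix is a standard pattern: validate every parameter, but give the caller one indistinguishable failure response and keep the distinguishing reason in a server-side log. The following is an added example, not BIG-IP or BIG-IQ code; it places the pre-fix shape (each check reports its own reason) beside the fixed shape so the difference is visible in the return values. The parameter names em_server_ip and em_server_auth_token come from the page; the registered-server table, token values and log format are constructed.

```python
"""Uniform 401 responses with detailed server-side logging.
Added example, not BIG-IP code.
"""
import hmac
import logging
from typing import Dict, Tuple

logger = logging.getLogger("authz-example")

# Constructed sample state: registered BIG-IQ address -> issued token.
REGISTERED_SERVERS: Dict[str, str] = {
    "192.0.2.10": "tok-constructed-1",
}

GENERIC_401: Tuple[int, str] = (401, "Unauthorized")


def _validate(params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). The reason is meant for the log only."""
    ip = params.get("em_server_ip")
    token = params.get("em_server_auth_token")
    if not ip or not token:
        return False, "missing em_server_ip or em_server_auth_token"
    expected = REGISTERED_SERVERS.get(ip)
    if expected is None:
        return False, f"unknown em_server_ip {ip}"
    # Constant-time comparison so timing does not reveal how close the
    # presented token is to the expected one.
    if not hmac.compare_digest(expected, token):
        return False, f"bad em_server_auth_token for {ip}"
    return True, "ok"


def leaky_authorize(params: Dict[str, str]) -> Tuple[int, str]:
    """Pre-fix shape: the response body differs per failing check, so an
    unauthenticated caller can tell 'unknown address' from 'known
    address, wrong token'. Shown for contrast only."""
    ok, reason = _validate(params)
    if ok:
        return (200, "OK")
    return (401, reason)


def uniform_authorize(params: Dict[str, str]) -> Tuple[int, str]:
    """Fixed shape: every failure yields the same external response; the
    specific reason goes to the server log for administrator review."""
    ok, reason = _validate(params)
    if ok:
        return (200, "OK")
    logger.warning("authorization failed: %s", reason)
    return GENERIC_401


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good = {"em_server_ip": "192.0.2.10", "em_server_auth_token": "tok-constructed-1"}
    bad_ip = {"em_server_ip": "198.51.100.5", "em_server_auth_token": "tok-constructed-1"}
    bad_tok = {"em_server_ip": "192.0.2.10", "em_server_auth_token": "wrong"}
    for p in (good, bad_ip, bad_tok):
        print(leaky_authorize(p), uniform_authorize(p))
```

The `logger.warning` call stands in for the apache log the fix text mentions; what matters is that the reason string never reaches the 401 body.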


572234-1 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp

Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.


570926 : Provide a way to configure where in payload the CSPM JS is injected.

Component: Application Visibility and Reporting

Symptoms:
This is an enhancement that allows you to choose where in the document the CSPM script will be injected.

Conditions:
You are using some application that can't read the document if something appears after closing the html tag.

Impact:
Today we append the CSPM payload (for client latency measurements) at the end of the HTML document (after the html tag).
This works in browsers, but it is not compliant with the HTML standard and may break some applications (not browsers) that rely on the standard.

Workaround:
Un-checking "Page Load Time" in analytics profile.

Fix:
Verify that script was injected to the chosen location in the returned document.


570855-1 : DB variable log.csyncd.level cannot be set to certain values

Component: Local Traffic Manager

Symptoms:
The DB variable log.csyncd.level lists some values for tab completion, but validation prevents you from setting them. The error message looks like this:

01070911:3: The requested enumerated (alert) is invalid (critical, error, warning, notice, informational, debug) for loglevel in daemon_csyncd (/Common/daemon_csyncd)

Conditions:
You are trying to use the DB variable log.csyncd.level to increase the amount of information logged by csyncd. csyncd is a system service that on chassis mirrors certain portions of the filesystem between blades, and on all BIG-IP devices runs certain commands after detecting filesystem changes.

Impact:
You cannot set the log level to certain values.

Workaround:
If you want more debugging information, set the log level to 'debug', which is still accepted.

Fix:
The DB variable log.csyncd.level lists some values for tab completion, but validation formerly prevented you from setting them. This has now been resolved; all advertised values will now be accepted.


569814 : iRule "nexthop IP_ADDR" rejected by validator

Component: Local Traffic Manager

Symptoms:
The nexthop command allows an administrator to specify a forwarding address in an iRule. The form which takes an IP address may be rejected by the validator with an error message of the form:

01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]

Conditions:
This occurs when the nexthop command contains only the IP address, for example:

when HTTP_REQUEST {
  nexthop 10.0.0.1
}

Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.

Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:

when HTTP_REQUEST {
  nexthop internal 10.0.0.1
}

Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.


569100 : Virtual server using NTLM profile results in benign Tcl error

Component: TMOS

Symptoms:
Tcl error in /var/log/ltm.

Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP

Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.

Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.

Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.

Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.


563165 : New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM.

Component: Policy Enforcement Manager

Symptoms:
PCRF may receive old event triggers it is not interested in.

Conditions:
PEM with a valid Gx interface receives more than one set of event triggers that the PCRF needs to register for.

Impact:
Increase in Diameter traffic.

Fix:
Discard previously registered event triggers while registering a new set.


561596 : Hotfixes can optionally update FPS engine file

Component: TMOS

Symptoms:
Previously, to receive a full solution that required changes on the FPS BIG-IP side and FPS client-side, both a hotfix and a live update were required.

Conditions:
FPS hotfix

Impact:
No ability to opt in/out of engine and signature changes from the hotfix.

Workaround:
N/A

Fix:
Two new DB variables enable/disable taking updates from the hotfix:

datasync.update_engine_from_factory
datasync.update_signatures_from_factory


561592 : Hotfixes can update FPS engine file

Component: TMOS

Symptoms:
Previously, to receive a full solution that required changes on the FPS BIG-IP side and FPS client-side, both a hotfix and a live update were required.

Conditions:
FPS hotfix

Impact:
You have to install both the hotfix and the engine update.

Workaround:
Install the live update separately.

Fix:
The hotfix can now update the FPS JavaScript engine.


559080 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows set the idle time to zero, but do not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.

Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.


552988-1 : Cannot enable MPTCP on some profiles in GUI.

Component: Local Traffic Manager

Symptoms:
In version 12.1, you cannot enable MPTCP on some profiles in the GUI. The GUI displays the error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.

Conditions:
In version 12.1, enabling MPTCP on some profiles in the GUI.

Impact:
In version 12.1, you cannot enable MPTCP.

Workaround:
Use tmsh to enable MPTCP on some profiles.

Fix:
Eliminated the validation: it is reasonable to have MPTCP function until entering SYN cookie mode.


550547-1 : URL including a "token" query parameter fails and results in a connection reset

Component: Access Policy Manager

Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:

"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup].
It does not matter whether NTLM or basic auth is used.
This is triggered on sites that have "token" in the query parameters.

Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Workaround:
Workaround iRule:

when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
      set fix 1
      HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
      clientside {
        HTTP::query [string map "aabbcc token" [HTTP::query]]
        unset fix
      }
    }
}

Fix:
A customization namespace for the subsession state prefix, with the default value "000fffff" and controlled via the DB variable "tmm.access.subsessionstateprefix", has been added before the state/token query parameter. Validation now checks for the prefix value before triggering the serialize/deserialize code, which avoids the RST.

If a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in the /config/Bigdb.dat file. The following information needs to be added to the /config/Bigdb.dat file, followed by a "bigstart restart", to ensure proper operation.

#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32


541550-2 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.


541320-8 : Sync of tunnels might cause restore of deleted tunnels.

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.


517756-5 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly; this only affects existing connections.

Workaround:
None.

Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.


508113-2 : tmsh load sys config base merge file <filename> fails

Component: TMOS

Symptoms:
Save sys config file.

(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
  /var/local/scf/demo.scf
  /var/local/scf/demo.scf.tar

Try to load the base configuration within this file.

(tmos)# load sys config base merge file demo.scf
Loading configuration...
  /var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument

The error is from system-generated configuration, not user-created configuration.

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}

The configuration fails to load components belonging to unprovisioned modules and features.

Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.

Impact:
tmsh load sys config base merge file <filename> fails.

Workaround:
None.

Fix:
The provisioning checks were modified to let this command succeed.


489499-2 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not be seen or reported by chmand. A message containing the phrase "failed to register for LOP at <address>" is seen in /var/log/ltm.

Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Re-start lopd:
# bigstart restart lopd

Fix:
Modified chmand to recognize the case where unsolicited alert registration with lopd has already occurred so that it no longer treats it as an error.


429213 : Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down.

Component: Local Traffic Manager

Symptoms:
A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check health of the same node IP:port in a different route domain. The killed monitor will then contribute to a monitoring timeout and potentially mark the node as down.

This issue occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, SIP monitor named "sip_london" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file:

/var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid

Conditions:
For health monitor types which execute outside of the bigd process (see list below), a health monitor profile is assigned to monitor 2 different nodes which have the same IP:port in different route domains.

The affected monitor types include:

Diameter
IMAP
LDAP
NNTP
POP3
Radius
Radius Accounting
RPC
Scripted
SIP
SMB
SMTP
WAP

Impact:
Pool members may flap down/up.

Workaround:
To work around this, perform the following steps:

1. Create a duplicate copy of the monitor profile, and add the route domain to the name of the monitor profile. For example:

ltm monitor radius /Common/radius_seattle_rd43 {
    default-from /Common/radius_seattle
}

2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile.
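The root cause above is an instance key (the PID file name) that omits the route domain, so two legitimately distinct monitor instances look like duplicates. The following is an added example, not bigd code; it parses a node address with an optional %rd suffix, builds the key both ways, and uses a small registry to show that the legacy key rejects the second instance while a key that includes the route domain admits both. Monitor and node names are constructed; the legacy file-name layout is modelled on the path shown in the Symptoms.

```python
"""Per-instance keys for external health monitors across route domains.
Added example, not bigd code.
"""
import re
from dataclasses import dataclass
from typing import Callable, Set

# <address>[%<route-domain>]; the address part may be IPv4 or IPv6.
NODE_RE = re.compile(r"^(?P<addr>[^%]+?)(?:%(?P<rd>\d+))?$")


@dataclass(frozen=True)
class MonitorInstance:
    monitor: str   # monitor profile name, e.g. /Common/sip_london
    address: str   # node address without the route-domain suffix
    rd: int        # route domain id, 0 when none was given
    port: int


def parse_node(spec: str, port: int, monitor: str) -> MonitorInstance:
    """Parse '1.2.3.4%100' style node specs into a MonitorInstance."""
    m = NODE_RE.match(spec)
    if not m:
        raise ValueError(f"bad node spec: {spec!r}")
    rd = int(m.group("rd")) if m.group("rd") else 0
    return MonitorInstance(monitor, m.group("addr"), rd, port)


def legacy_key(inst: MonitorInstance) -> str:
    """Pre-fix shape: monitor, address and port only; route domain lost,
    so 1.2.3.4%100 and 1.2.3.4%200 produce the same name."""
    return f"{inst.monitor.replace('/', '_')}.{inst.address}..{inst.port}.pid"


def instance_key(inst: MonitorInstance) -> str:
    """Key that includes the route domain, making instances distinct."""
    return f"{inst.monitor.replace('/', '_')}.{inst.address}%{inst.rd}..{inst.port}.pid"


class MonitorRegistry:
    """Tracks running monitor instances by key. A second start() with a
    key already present is the collision the page describes: with the
    legacy key the existing instance would be treated as a duplicate."""

    def __init__(self, keyfn: Callable[[MonitorInstance], str]) -> None:
        self.keyfn = keyfn
        self.running: Set[str] = set()

    def start(self, inst: MonitorInstance) -> bool:
        key = self.keyfn(inst)
        if key in self.running:
            return False
        self.running.add(key)
        return True


if __name__ == "__main__":
    a = parse_node("1.2.3.4%100", 5060, "/Common/sip_london")
    b = parse_node("1.2.3.4%200", 5060, "/Common/sip_london")
    for name, keyfn in (("legacy", legacy_key), ("with rd", instance_key)):
        reg = MonitorRegistry(keyfn)
        print(name, reg.start(a), reg.start(b))
```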


419741-4 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.

Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.

Impact:
In rare situations, the TMM crashes.

Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.


417720 : BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures

Component: TMOS

Symptoms:
If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log will erroneously indicate that the power supply has been turned off. For example:

localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad

localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad

localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off.

Conditions:
Any kind of power supply fan failure that prevents the unit from achieving the minimum spec. for RPMs.

Impact:
Misleading log message.

Workaround:
None.


367226-3 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Fix:
TMM no longer modifies the source port of RIP traffic.


366695-9 : Remove the Manager role's create/modify/delete ability from TMSH for GTM datacenters, links, servers, prober-pools, and topology objects; these operations error incorrectly and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but does not have this permission in the database, so the operation fails with an error.

Conditions:
A user with the "Manager" role attempts to create/modify/delete a GTM datacenter, link, server, prober-pool, or topology object.

Impact:
An error message is thrown.

Workaround:
The error thrown is correct, but users shouldn't be able to get this far in tmsh.

Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.


352957-2 : Route lookup after change in route table on established flow ignores pool members

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.

Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.


247527-1 : Mgmt interface cannot be disabled via tmsh

Component: TMOS

Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.

Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.

This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.

Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.

Workaround:
There are three possible ways to work around this issue:

1) Unplug the management interface if it is not intended to be used.

2) Bring down the switch interface to which the management port connects.

3) Disable the management interface using the information below.

Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.

For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command: ifconfig mgmt up.

For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring the 'eth0' interface back up, run the command: ifconfig eth0 up.



Known Issues in BIG-IP v13.0.x


TMOS Issues

ID Number Severity Description
655500-2 1-Blocking Rekey SSH sessions after one hour
658636-3 2-Critical When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
655357-3 2-Critical Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653453-2 2-Critical ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
653376-1 2-Critical bgpd may crash on receiving a BGP update with >= 32 extended communities
624635-1 2-Critical BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012
583306 2-Critical Using management port as config sync address might allow its deletion.
580697-1 2-Critical VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.
419345-1 2-Critical Changing Master Key on the standby might cause secondaries to restart processes
663521-3 3-Major Intermittent dropping of multicast packets on certain BIG-IP platforms
663063-1 3-Major Disabling pool member used in busy HSL TCP destination can result in service disruption.
661764-1 3-Major It is possible to configure a number of CPUs that exceeds the licensed throughput
660833-1 3-Major merged repeatedly cores due to unused istats-trigger object
660532-1 3-Major Cannot specify the event parameter for redirects on the policy rule screen.
657834-1 3-Major Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
657727-1 3-Major Running tcpdump from TMSH cannot capture the local "tmm" interface
657708-1 3-Major Packet Tester is still available in the GUI when AFM is not provisioned
655649-1 3-Major BGP last update timer incorrectly resets to 0
655506 3-Major Guest configurations with mergeable buffers disabled are not supported.
655005-2 3-Major "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
654011-1 3-Major Pool member's health monitors set to Member Specific does not display the active monitors
653888-1 3-Major BGP advertisement-interval attribute ignored in peer group configuration
653772-3 3-Major fastL4 fails to evict flows from the ePVA
652671-5 3-Major Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
652484-3 3-Major tmsh show net f5optics shows information for only 1 chassis slot in a cluster
651253 3-Major tmipsecd down after provisioning modules
651155-2 3-Major HSB continually logs 'loopback ring 0 tx not active'
651136-1 3-Major ReqLog profile on FTP virtual server with default profile can result in service disruption.
650002-2 3-Major tzdata bug fix and enhancement update
648873-4 3-Major Traffic-group failover-objects cannot be retrieved via iControl REST
648544-6 3-Major HSB transmitter failure may occur when global COS queues enabled
648317-1 3-Major Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting
647988-2 3-Major HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-1 3-Major MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
647834-5 3-Major Failover DB variables do not correctly implement 'reset-to-default'
646890-2 3-Major IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
646804-1 3-Major call to tmctl in diskmonitor for the tmstat vmcp_stat table results in error: tmctl: vcmp_stat: No such table.
645206-2 3-Major Missing cipher suites in outgoing LDAP TLS ClientHello
645179-1 3-Major Traffic group becomes active on more than one BIG-IP after a long uptime
644979-1 3-Major Errors not logged from hourly 1k key generation cron job
644184-3 3-Major ZebOS daemons hang while AgentX SNMP daemon is waiting.
643799-4 3-Major Deleting a partition may cause a sync validation error
643459-4 3-Major Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
642982-1 3-Major tmrouted may continually restart after upgrade, adding or renaming an interface
642923-1 3-Major MCP misses its heartbeat (and is killed by sod) if there are a large amount of file objects on the system
642422-1 3-Major BFD may not remove dependent static routes when peer sends BFD Admin-Down
642314-1 3-Major CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x
641450-4 3-Major A transaction that deletes and recreates a virtual may result in an invalid configuration
639619-1 3-Major UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).
639505-2 3-Major BGP may not send all configured aggregate routes
638091 3-Major Config sync after changing named pool members can cause mcpd on secondary blades to restart
637979-2 3-Major IPsec over isession not working
637827 3-Major VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
636031-1 3-Major GUI LTM Monitor Configuration String adding CR for type Oracle
635703-2 3-Major Interface description may cause some interface level commands to be removed
633824-1 3-Major Cannot add pool members containing a colon in the node name
633413-2 3-Major IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
633110-3 3-Major Literal tab character in monitor send/receive string causes config load failure, unknown property
631172-1 3-Major GUI user logged off when idle for 30 minutes, even when longer timeout is set
629915 3-Major Cannot login with Firefox and IE after toggling between wireless and wired networks.
627760-4 3-Major gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626589-5 3-Major iControl-SOAP prints beyond log buffer
624692-4 3-Major Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
624626-4 3-Major Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
622619-6 3-Major BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
616021-6 3-Major Name Validation missing for some GTM objects
612086 3-Major Virtual server CPU stats can be above 100%
609967-1 3-Major qkview missing some HugePage memory data
605840-6 3-Major HSB receive failure lockup due to unreceived loopback packets
604547-4 3-Major Unix daemon configuration may be lost or not be updated upon reboot
598650-5 3-Major apache-ssl-cert objects do not support certificate bundles
592870-4 3-Major Fast successive MTU changes to IPsec tunnel interface crashes TMM
587821 3-Major vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
585043-1 3-Major Question mark prevents TMSH from loading configuration file
581851 3-Major mcpd, interleaving of messages / folder contexts from primary to secondary blade
579760 3-Major HSL::send may fail to resume after log server pool member goes down/up
571333-7 3-Major fastL4 tcp handshake timeout not honored for offloaded flows
567490-1 3-Major db.proxy.__iter__ value is overwritten if it's manually set
550739-3 3-Major TMSH mv virtual command will cause iRules on the virtual to be dis-associated
544906-4 3-Major Issues when using remote authentication when users have different partition access on different devices
543208-2 3-Major Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.
535717 3-Major Password history is not enforced when root, Administrator, or User Manager changes another user's password
528314 3-Major Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
528295-11 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
523985-1 3-Major Certificate bundle summary information does not propagate to device group peers
523797-1 3-Major Upgrade: file path failure for process name attribute in snmp.
517829 3-Major BIG-IP system resets client without sending error report when certificate is revoked
516167-1 3-Major TMSH listing with wildcards prevents the child object from being displayed
499348-6 3-Major System statistics may fail to update, or report negative deltas due to delayed stats merging
469366-4 3-Major ConfigSync might fail with modified system-supplied profiles
469035-1 3-Major A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault
468505-1 3-Major TMSH crypto commands do not work with the TMSH batch mode
455066-3 3-Major Read-only account can save system config
378967-12 3-Major Users are not synchronized if created in a partition
375434 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
663580-2 4-Minor logrotate does not automatically run when /var/log reaches 90% usage
662372-2 4-Minor Uploading a new device certificate file via the GUI might not update the device certificate
660239-1 4-Minor When accessing the dashboard, invalid HTTP headers may be present
658298-2 4-Minor SMB monitor marks node down when file not specified
657459 4-Minor Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.
650019-1 4-Minor The commented-out sample functions in audit_forwarder.tcl are incorrect
647812-4 4-Minor /tmp/wccp.log file grows unbounded
644975-2 4-Minor /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644723-2 4-Minor cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
643768-1 4-Minor Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.
640863-1 4-Minor Disabling partition selector in DNS Resolver's Forward Zones
636823-4 4-Minor Node name and node address
633181-2 4-Minor A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
625428-2 4-Minor SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909-1 4-Minor Static route create validation is less stringent than static route delete validation
623536-7 4-Minor SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
606799-5 4-Minor GUI total number of records not correctly initialized with search string on several pages.
598437-2 4-Minor SNMP process monitoring is incorrect for tmm and bigd
591732-1 4-Minor Local password policy not enforced when auth source is set to a remote type.
583930-1 4-Minor Virtual Edition supports only 2 numa domains
583084-4 4-Minor iControl produces 404 error while creating records successfully
582595-4 4-Minor default-node-monitor is reset to none for HA configuration.
565603 4-Minor Large number of stat arp entries on a BIG-IP system
530927-7 4-Minor Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-5 4-Minor [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected
520877-2 4-Minor Alerts sent by the lcdwarn utility are not shown in tmsh
617578 5-Cosmetic Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
542347-3 5-Cosmetic Denied message in audit log on first time boot
396273-1 5-Cosmetic Error message in dmesg and kern.log: vpd r/w failed


Local Traffic Manager Issues

ID Number Severity Description
661716 2-Critical TMM core when session ticket and OCSP Stapling is enabled on the clientSSL profile
659899-3 2-Critical tmm cores on all blades when device is forced offline under certain conditions.
657713-1 2-Critical TMM cored with SIGPFE panic string "Valid node"
653495-1 2-Critical Incorrect SNI hostname attached to serverside connections
650317-2 2-Critical The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-3 2-Critical tmm core in iRule with unreachable remote address
648320-2 2-Critical Downloading via APM tunnels could experience performance downgrade.
648245-1 2-Critical When using a route TMM may use a smaller MTU
648037-1 2-Critical LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-1 2-Critical HA Standby Virtual Server with a lasthop pool may crash.
646604-1 2-Critical Client connection may hang when NTLM and OneConnect profiles used together
643210-3 2-Critical Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
639039-5 2-Critical Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
634369-1 2-Critical Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
629178-2 2-Critical Incorrect initial size of connection flow-control window
621870-1 2-Critical Outage may occur with VIP-VIP configurations
618463-4 2-Critical artificial low route mtu can cause SIGSEV core from monitor traffic
513310-2 2-Critical TMM might core when a profile is changed.
662881-1 3-Major L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-2 3-Major iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
661881-1 3-Major Memory and performance issues when using certain ASN.1 decoding formats in iRules
659919-1 3-Major Verified Accept prevents persist cookie from being inserted into responses
659519-2 3-Major Non-default header-table-size setting on HTTP2 profiles may cause issues
658214-1 3-Major TCP connection fail intermittently for mirrored fastl4 virtual server
657883-1 3-Major tmm cache resolver should not cache response with TTL=0
657858-3 3-Major TMM can restart when VLAN keyed connections are disabled.
657626-1 3-Major User with role 'Manager' cannot delete/publish LTM policy.
655793-2 3-Major SSL persistence parsing issues due to SSL / TCP boundary mismatch
655767-4 3-Major MCPD does not prevent deleting an iRule that contains in-use procedures
655724-4 3-Major MSRDP persistence does not work across route domains.
655432-6 3-Major SSL renegotiation failed intermittently with AES-GCM cipher
654981-1 3-Major Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
653511-3 3-Major Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
653228-3 3-Major SNAT does not work properly on FTP VIP2VIP
653137-3 3-Major Virtual flaps when FQDN node and pool configured with autopopulate
652535-2 3-Major HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652370 3-Major The persist cookie insert iRule command may leak memory
651772-4 3-Major IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
651713 3-Major passive mode and un-tagged frames
651681-3 3-Major Orphaned bigd instances may exist (within multi-process bigd)
651651-1 3-Major bigd can crash when a DNS response does not match the expected value
651541-1 3-Major Changes to the HTTP profile do not trigger validation for virtual servers using that profile
651135-2 3-Major LTM Policy error when rule names contain slash (/) character
650292-1 3-Major DNS transparent cache can return non-recursive results for recursive queries
648954-1 3-Major Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647071-1 3-Major Stats for SNATs do not work when configured in a non-zero route domain
645635-1 3-Major Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
645058-4 3-Major Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036 3-Major Removing pool from virtual server does not update its status
644873-3 3-Major ssldump can fail to decrypt captures with certain TCP segmenting
643860-5 3-Major Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
643777-1 3-Major LTM policies with more than one IP address in TCP address match may fail
643041-1 3-Major Less than optimal interaction between OneConnect and proxy MSS
641512-5 3-Major DNSSEC key generations fail with lots of invalid SSL traffic
641491-1 3-Major TMM core while running iRule LB::status pool poolname member ip port
640565-2 3-Major Incorrect packet size sent to clone pool member
640395-2 3-Major When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
640369-1 3-Major TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
638715-1 3-Major Multiple Diameter monitors to same server ip/port may race on PID file
637613-4 3-Major Cluster blade being disabled immediately returns to enabled/green
631862-5 3-Major Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
623084-5 3-Major mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp
620556-2 3-Major Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
619844-3 3-Major Packet leak if reject command is used in FLOW_INIT rule
603681 3-Major Updating pool members using iControl REST "PUT" resets monitors
602708-3 3-Major Traffic may not passthrough CoS by default
601727 3-Major Some FQDN nodes are not correctly created
586621 3-Major SQL monitors 'count' config value does not work as expected.
582331 3-Major Maximum connections is not accurate when TMM load is uneven
579252 3-Major Traffic can be directed to a less specific virtual during virtual modification
570281 3-Major Cannot modify 'ip-address' attribute of static ARP / NDP entries
563689-1 3-Major ZebOS configuration cannot be loaded via imish when service password-encryption is set
562267 3-Major FQDN nodes do not support monitor alias destinations.
549927-1 3-Major iRule validation does not check RULE_INIT/virtual are disallowed in proc calling
516280-3 3-Major bigd process uses a large percentage of CPU
505037 3-Major Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
486735 3-Major Maximum connections is not accurate when TMM load is uneven
454640-1 3-Major mcpd instances on secondary blades might restart on boot
449158 3-Major Using an iRule nexthop to "vlan:mac address" does not forward the packet
248914-3 3-Major ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
225492-2 3-Major Ramcache might disallow valid cache configurations that are very near the limit.
222690-1 3-Major The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.
653746-1 4-Minor Unable to display detailed CPU graphs if the number of CPU is too large
652577-1 4-Minor Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
651005-4 4-Minor FTP data connection may use incorrect auto-lasthop settings.
646495-1 4-Minor BIG-IP may send oversized TCP segments on traffic it originates
641273 4-Minor port-fwd-mode mode configuration object value
636348-2 4-Minor BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
618595 4-Minor Duplicate SQL monitors updating pool member status incorrectly
603380-7 4-Minor Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
599048-5 4-Minor BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
558893-4 4-Minor TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
539026-4 4-Minor Stats refinements for reporting Unhandled Query Actions :: Drops
477992-4 4-Minor Instance-specific monitor logging fails for pool members created in iApps
477786 4-Minor Inconsistent behavior sending RST on self IP with Port Lockdown None
462043-3 4-Minor DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
222409-7 4-Minor The HTTP::path iRule command may return more information than expected


Performance Issues

ID Number Severity Description
588752-1 1-Blocking APM Login Performance may be degraded
634022-1 3-Major Active Directory authentication with Step-Up-Auth has degraded performance.
600458-1 3-Major TCP resets occurring under high load


Global Traffic Manager Issues

ID Number Severity Description
663310-2 3-Major named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files
643813-1 3-Major ZoneRunner does not properly process $ORIGIN directives
629530-6 3-Major Under certain conditions, monitors do not time out.


Application Security Manager Issues

ID Number Severity Description
654873-1 2-Critical ASM Auto-Sync Device Group
653292-1 2-Critical MySQL does not initialize correctly on first system start
653014-2 2-Critical Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name
652200-2 2-Critical Failure to update ASM enforcer about account change.
660327-1 3-Major Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
660326-1 3-Major Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.
657531-1 3-Major High memory usage when using the ICAP server
654996-2 3-Major Closed connections remain in memory
652781 3-Major Learn from responses checkbox can appear checked and disabled in manual mode
649513-1 3-Major IP Intelligence: Policy diff doesn't work for categories
648639-2 3-Major TS cookie name contains NULL or other raw byte
646800-1 3-Major A part of the request is not sent to ICAP server in a specific case
644725-2 3-Major Configuration changes while removing ASM from the virtual server may cause graceful ASM restart


Application Visibility and Reporting Issues

ID Number Severity Description
659527-1 3-Major Custom Predefined Reports are not displayed in ASM Analytics Schedules
658343-3 3-Major AVR tcp-analytics: per-host RTT average may show incorrect values
649177-1 3-Major Testing for connection to SMTP Server always returns "OK"
639395-3 3-Major AVR does not display 'Max read latency' units.
636104 3-Major If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
629573 3-Major No drill-down filter for virtual-servers is mentioned on exported reports when using partition
574160-7 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
633217 4-Minor Countries in new DoS visibility tables will appear "N/A" after upgrade


Access Policy Manager Issues

ID Number Severity Description
658462-1 2-Critical Portal Access: tmm may crash if web application uses long cookie names and/or values
652004-1 2-Critical Show /apm access-info all-properties causes memory leaks in tmm
651229-1 2-Critical tmm may restart when SAML SLO is initiated by SP using redirect binding
660654 3-Major 'epsec refresh' works incorrectly if install package is deleted
658852-6 3-Major Empty User-Agent in iSessions requests from APM client on Windows
656784 3-Major Windows 10 Creators Update breaks RDG functionality in BIG-IP APM
654513-1 3-Major APM daemon crashes when the LDAP query agent returns empty in its search results.
654485-1 3-Major Portal Access: Same-origin AJAX request may fail if response contains non-wildcard Access-Control-Allow-Origin header
653771-1 3-Major tmm crash after per-request policy error
653324-2 3-Major On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
652910-1 3-Major Native RDP published on webtop does not connect if allowed vlans specified explicitly
652146-1 3-Major Email agent does not send email if the remote server does not provide a 200 OK response to VRFY request.
651947-1 3-Major Token validate response session variables created with no prefix might collide with other session variables.
651910-1 3-Major After upgrading from 12.* to 13.0+, you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI
649613-2 3-Major Multiple UDP/TCP packets packed into one DTLS Record
648060-1 3-Major EdgeClient locked mode exclusion list admin UI doesn't allow underscore character
645684-3 3-Major Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
640924-2 3-Major On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
639283-1 3-Major Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
634576-2 3-Major TMM core in per-request policy
583272-3 3-Major "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
582606 3-Major IPv6 downloads stall when NA IPv4&IPv6 is used.
552444-3 3-Major Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
547692-4 3-Major Firewall-blocked KPASSWD service does not cause domain join operation to fail
527119-5 3-Major Iframe document body could be null after iframe creation in rewritten document.
435419-2 3-Major Install of partial epsec file causes mcpd to crash, followed by multiple cores.
381258-7 3-Major 'with' statement in web applications works wrong in some cases
307037-2 3-Major Dynamic Resources Are Assigned But Not Accessible
640521-2 4-Minor EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636866-2 4-Minor OAuth Client/RS secret issue with export/import


WebAccelerator Issues

ID Number Severity Description
440572-1 4-Minor Empty X-WA-Surrogate header in WAM symmetric deployment


Service Provider Issues

ID Number Severity Description
640407-2 2-Critical Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
639236-4 2-Critical Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
569316-4 2-Critical Core occurs on standby in MRF when routing to a route using a transport config
656811-7 3-Major Memory usage with MBLB SIP ingress buffer on standby
647158-4 3-Major Internal virtual server inherits CMP hash mode from parent virtual server
625098-7 3-Major SCTP::local_port iRule not supported in MRF events
618222-1 3-Major Loop detection implementation logic violates branch parameter compliance with RFC3261
651640-2 4-Minor queue full dropped messages incorrectly counted as responses


Advanced Firewall Manager Issues

ID Number Severity Description
652278-1 2-Critical dwbld memory leak when AFM/ASM is provisioned
651001-2 2-Critical massive prints in tmm log: "could not find conf for profile crc"
651961-1 3-Major AVR is not called for DNS packets when AFM is not provisioned.
639859 3-Major The CPU utilization of MCP can be high on standby box with autodos enabled
600836 3-Major Manager role functions differently in GUI and CLI.
519612-2 3-Major JavaScript challenge fails when coming within iframe with different domain than main page


Policy Enforcement Manager Issues

ID Number Severity Description
659567-2 3-Major iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-2 3-Major PEM:sessions iRule made the order of parameters strict
635257-3 3-Major Inconsistencies in Gx usage record creation.
624231-3 3-Major No flow control when using content-insertion with compression


Fraud Protection Services Issues

ID Number Severity Description
648650 2-Critical Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.
658315-1 3-Major WebSafe Login Validation may break response


Global Traffic Manager (DNS) Issues

ID Number Severity Description
642039-1 2-Critical TMM core when persist is enabled for wideip with certain iRule commands triggered.
659912-2 3-Major GSLB Pool Member Manage page display issues and error message
656807-1 3-Major iRule DNS::ttl does not allow 0 (zero)
655807-1 3-Major With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
654599-4 3-Major The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
653775-4 3-Major Ampersand (&) in GTM synchronization group name causes synchronization failure.
651875-1 3-Major GSLB Server properties page should show the iQuery section when type is BIG-IP System
645615-1 3-Major zxfrd may fail and restart after multiple failovers between blades in a chassis.
644447-1 3-Major sync_zones script increasingly consumes memory when there is network connectivity failure
640903-2 3-Major Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
636149-1 3-Major Multiple monitor response codes to single monitor probe failure
615222-2 3-Major GTM configuration fails to load when it has gslb pool with members containing more than one ":"
517609-4 3-Major GTM Monitor Needs Special Escape Character Treatment
659969-4 4-Minor tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
648806-2 4-Minor Invalid "with the first highest ratio counter" logging for pool member ratio load balance
644220-4 4-Minor Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page


Anomaly Detection Services Issues

ID Number Severity Description
617324-1 3-Major Service health calculation creates unjustified CPU utilization
653573-1 4-Minor ADMd not cleaning up child rsync processes


Known Issue details for BIG-IP v13.0.x

663580-2 : logrotate does not automatically run when /var/log reaches 90% usage

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a description of the expected behavior.
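A quick way to test for the condition described above, as an added example that is not part of this release note: the function parses one POSIX 'df -P' line and reports whether /var/log is below the 10% free-space threshold at which diskmonitor is expected to act (per K8865). The df lines embedded here are constructed sample data, not output captured from a real BIG-IP system.

```shell
#!/bin/sh
# Added example (not from the F5 release note): detect the "/var/log has less
# than 10% free space" condition of ID 663580-2 so an operator can run
# logrotate by hand when alertd does not.

# varlog_free_percent <df_line>
# Takes one POSIX `df -P` data line (fields: Filesystem, 1024-blocks, Used,
# Available, Capacity, Mounted on) and prints the free space as an integer
# percentage of the filesystem size. Available/total is used instead of the
# Capacity column so reserved blocks do not skew the number.
varlog_free_percent() {
    echo "$1" | awk '{ total = $2; avail = $4;
                       if (total > 0) print int(avail * 100 / total); else print 0 }'
}

# varlog_below_threshold <df_line>
# Succeeds (exit 0) when free space is below 10%, which is the condition in
# this known issue.
varlog_below_threshold() {
    pct=$(varlog_free_percent "$1")
    [ "$pct" -lt 10 ]
}

# Constructed sample df lines (not real output from any system). The first one
# is in the failure condition, the second is healthy.
SAMPLE_FULL="/dev/mapper/vg--db--vda-set.1._var.log  3030800  2850000  180800  95% /var/log"
SAMPLE_OK="/dev/mapper/vg--db--vda-set.1._var.log  3030800  1200000  1830800  40% /var/log"

# check_varlog
# Runs the check against the live system; returns 1 when /var/log is below the
# threshold so it can be wired into a cron job or a monitoring script.
check_varlog() {
    line=$(df -P /var/log | awk 'NR == 2')
    if varlog_below_threshold "$line"; then
        echo "WARNING: /var/log has less than 10% free; alertd may not have run logrotate (ID 663580-2)"
        return 1
    fi
    echo "OK: /var/log has at least 10% free"
    return 0
}
```

Call check_varlog from a shell on the BIG-IP host to evaluate the real /var/log; the two SAMPLE_ variables only exist so the parsing can be exercised offline.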


663521-3 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.


663310-2 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files

Component: Global Traffic Manager

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and the zone cannot be loaded.

Conditions:
-- Upgrading from a BIG-IP version whose BIND is earlier than 9.9.x to a BIG-IP version whose BIND is later than 9.9.x.
-- Slave zone files are in text format.
-- The masterfile-format text option is not set in named.conf.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;


663063-1 : Disabling a pool member used in a busy HSL TCP destination can result in service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as an HSL TCP destination can result in a tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with the TCP protocol, balanced distribution, and a pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.


662881-1 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


662372-2 : Uploading a new device certificate file via the GUI might not update the device certificate

Component: TMOS

Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.

Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.

Impact:
The device certificate is not updated and no error is shown.

Workaround:
Use the 'Paste Text' option to import the certificate.


662085-2 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.


661881-1 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.


661764-1 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.


661716 : TMM core when session ticket and OCSP Stapling are enabled on the clientSSL profile

Component: Local Traffic Manager

Symptoms:
TMM core when session ticket and OCSP Stapling are enabled on the clientSSL profile.

Conditions:
-- ocsp-stapling enabled
-- session-ticket enabled

The client sends a valid session ticket along with status_request extension.

Impact:
tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable session tickets for the clientssl profile.


660833-1 : merged repeatedly cores due to unused istats-trigger object

Component: TMOS

Symptoms:
The merged process continuously cores.

Conditions:
This issue occurs if any of the elements of the istats-trigger configuration are not defined. For example, all the elements used in the key of the istats-trigger definition must be defined before the trigger is created.

Impact:
merged restarts.

Workaround:
None.


660654 : 'epsec refresh' works incorrectly if install package is deleted

Component: Access Policy Manager

Symptoms:
If the EPSEC install package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.

Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.

Impact:
The system package is installed (essentially, a rollback to the previous version).

Workaround:
Leave the install package on the system until after you run the epsec refresh command.


660532-1 : Cannot specify the event parameter for redirects on the policy rule screen.

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.


660327-1 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

Component: Application Security Manager

Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.

In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.

Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.

And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).

Impact:
Config load fails. Upgrade fails.

Workaround:
Use one of the following workarounds:

1. Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all

(Note: Saving the UCS also saves the configuration.)

2. Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'


660326-1 : Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.

Component: Application Security Manager

Symptoms:
Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.

Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.

Impact:
Upgrade fails.

Note: Although this is an invalid configuration, upgrade should not fail.

Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers.

Note: The first workaround must be done before the upgrade. The second can be done before the upgrade, or by editing the config files and re-loading the config (first base, then all) using the following command:

tmsh -c 'load sys config partitions all base; load sys config partitions all'


660239-1 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

Workaround:
None.


659969-4 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.


659919-1 : Verified Accept prevents persist cookie from being inserted into responses

Component: Local Traffic Manager

Symptoms:
A virtual server that has the 'Verified Accept' TCP option enabled will fail to include persistence cookies in the first response on an HTTP connection.

Conditions:
Using cookie persistence when 'Verified Accept' is enabled in the TCP profile.

Impact:
BIG-IP behavior is inconsistent in its use of persistence cookies, and it may incorrectly load-balance subsequent requests from a client when the expectation is that those requests carry a persist cookie (but the BIG-IP never sent one).

Workaround:
Apply an iRule such as this to a virtual server with Verified Accept configured:
    when HTTP_REQUEST {
        # Bypass verified-accept handling on first request and force a LB decision / persist lookup
        if { [HTTP::request_num] == 1 } { LB::detach }
    }


659912-2 : GSLB Pool Member Manage page display issues and error message

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.


659899-3 : tmm cores on all blades when device is forced offline under certain conditions.

Component: Local Traffic Manager

Symptoms:
tmm cores on all blades when device is forced offline under certain conditions.

Conditions:
-- Virtual server with iRule containing DOSL7 commands.
-- TCP profile with AVR, ASM, and AFM provisioned on VIPRION platform.
-- On Device Management :: Devices, force offline the device (or in tmsh, run /sys failover offline).

Impact:
tmm core on all blades. Traffic disrupted while tmm restarts.

Workaround:
None.


659567-2 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.


659527-1 : Custom Predefined Reports are not displayed in ASM Analytics Schedules

Component: Application Visibility and Reporting

Symptoms:
When creating custom predefined filters, either via the Requests page or via ASM Statistics, these custom reports are not displayed as part of the predefined reports list when creating/modifying an ASM Schedule.

Conditions:
Creating custom predefined filters, either via the Requests page or via ASM Statistics.

Impact:
Reports created by the user cannot easily be used in the GUI to create a scheduled report.

Workaround:
N/A


659519-2 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Component: Local Traffic Manager

Symptoms:
The HTTP2 connection sends RST_STREAM with a protocol error in response to a HEADERS frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failures to the virtual server.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.


658852-6 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.


658636-3 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct.

Conditions:
Creating LTM or DNS monitors through batch/transaction mode when the strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.
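To audit an existing configuration for monitors affected by this issue, the following added example (not F5 code) parses 'list' style monitor output and flags send strings that carry the double-escaped \\r\\n form; the listing it scans is constructed sample input, and the decoding of tmsh escapes in wire_bytes is an assumption.

```python
"""Audit monitor 'send' strings for double-escaped newlines (ID 658636-3).

Constructed example, not F5 code. Monitors created through tmsh
batch/transaction mode can end up with \\r\\n (a literal backslash followed
by r or n) instead of \r\n in the send string, so the health check sends a
malformed request line.
"""
import re
from typing import Dict, List

# Header of one monitor block in 'tmsh list gtm|ltm monitor <type> <name>' output.
MONITOR_RE = re.compile(r"^(?:gtm|ltm) monitor \S+ (\S+) \{", re.MULTILINE)
# The quoted send value, allowing backslash escapes inside the quotes.
SEND_RE = re.compile(r'^\s*send "((?:[^"\\]|\\.)*)"', re.MULTILINE)


def parse_monitors(listing: str) -> Dict[str, str]:
    """Return {monitor_name: raw send string exactly as printed in the listing}."""
    monitors: Dict[str, str] = {}
    heads = list(MONITOR_RE.finditer(listing))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(listing)
        block = listing[head.end():end]
        m = SEND_RE.search(block)
        monitors[head.group(1)] = m.group(1) if m else ""
    return monitors


def is_double_escaped(send: str) -> bool:
    """True when the raw send string contains backslash-backslash-r or -n."""
    return re.search(r"\\\\[rn]", send) is not None


def wire_bytes(send: str) -> bytes:
    """Bytes the monitor would transmit for a raw send string.

    Assumption: tmsh interprets the C-style escapes shown in the listing
    (\\r, \\n, \\\\), so a double-escaped sequence becomes a literal backslash.
    """
    return send.encode("ascii").decode("unicode_escape").encode("latin-1")


def audit(listing: str) -> List[str]:
    """Names of monitors whose send string is double-escaped."""
    return sorted(
        name for name, send in parse_monitors(listing).items() if is_double_escaped(send)
    )


# Constructed sample listing: one correct monitor and one created via a transaction.
SAMPLE_LISTING = r'''gtm monitor http good_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\r\nHost: abc.example.com\r\n\r\n"
}
gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\n\\r\\n"
}
'''

if __name__ == "__main__":
    for name in audit(SAMPLE_LISTING):
        print(f"{name}: double-escaped send string, wire bytes would be "
              f"{wire_bytes(parse_monitors(SAMPLE_LISTING)[name])!r}")
```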


658462-1 : Portal Access: tmm may crash if web application uses long cookie names and/or values

Component: Access Policy Manager

Symptoms:
If JavaScript code sets a very long cookie value or uses a very long cookie name (longer than 450 bytes), tmm may crash while processing this cookie change.

Conditions:
-- JavaScript code sets/changes a long cookie value or uses a long cookie name.
-- Chrome or MS Edge browser is used.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use an iRule to remove 'Origin' header from any request to '/private/fm/volatile.html'.

Note: This iRule has to enable events for internal requests using 'ACCESS::restrict_irule_events enable' command.


658343-3 : AVR tcp-analytics: per-host RTT average may show incorrect values

Component: Application Visibility and Reporting

Symptoms:
When viewing Statistics :: Analytics :: TCP :: RTT and then selecting View By: "Remote Host IP Address" in the table below the graph, the values presented in the RTT Avg (ms) column may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.


658315-1 : WebSafe Login Validation may break response

Component: Fraud Protection Services

Symptoms:
The response is dropped, and the client gets an Err_Connection_Closed error.

Conditions:
1. WebSafe and APM are both provisioned and enabled.
2. A request for a WebSafe protected URL results in successful Login Validation.

Impact:
The response is dropped and the application breaks.

Workaround:
Do not use WebSafe Login Validation when a "connection terminating" filter (such as APM) is enabled.


658298-2 : SMB monitor marks node down when file not specified

Component: TMOS

Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.

Conditions:
Pool member monitored with smb monitor.

Impact:
Service impact due to node being marked down.

Workaround:
Configure monitor to fetch file (authenticated).


658214-1 : TCP connection fail intermittently for mirrored fastl4 virtual server

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.


657883-1 : tmm cache resolver should not cache response with TTL=0

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.


657858-3 : TMM can restart when VLAN keyed connections are disabled.

Component: Local Traffic Manager

Symptoms:
TMM may restart intermittently when VLAN-keyed connections are disabled.

Conditions:
VLAN-keyed connections are disabled. Several types of traffic can cause this, including FTP traffic and multicast traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.


657834-1 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation, a race condition can cause additional OSPF retransmissions to be sent out. This also causes SNMP traps to be sent if they are configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
-- The larger the number of routes flapping, the more likely the condition is to occur.

Impact:
There is no impact on the OSPF processing itself. The additional traffic will not cause failing adjacencies or loss of routing information.
However, this may cause many additional OSPF-related traps to be sent, which may cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


657727-1 : Running tcpdump from TMSH cannot capture the local "tmm" interface

Component: TMOS

Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device

This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.

Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.

Impact:
Cannot run tcpdump on the 'tmm' internal interface.

Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.


657713-1 : TMM cored with SIGPFE panic string "Valid node"

Component: Local Traffic Manager

Symptoms:
In a gateway pool where the action is set to reject or drop when the service is down, the sweeper expires and closes all connflows. When the ub proxy's own timer then triggers a close, tmm cores.

Conditions:
In a gateway pool, when action is set to reject or drop when service is down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set service-down-action to none or reselect.


657708-1 : Packet Tester is still available in the GUI when AFM is not provisioned

Component: TMOS

Symptoms:
The Packet Tester is an AFM-only tool, but is available in the GUI when AFM is not provisioned.

Conditions:
BIG-IP system with AFM not licensed.

Impact:
The packet tester is available to use when it should not be.

Workaround:
None.


657626-1 : User with role 'Manager' cannot delete/publish LTM policy.

Component: Local Traffic Manager

Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.

audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.

Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.

Impact:
Operation does not complete, and system posts error.

Workaround:
None.


657531-1 : High memory usage when using the ICAP server

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that are sent to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).


657459 : Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.

Component: TMOS

Symptoms:
Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.

Conditions:
Setting MGMT GUI Port to 443 on Single Nic.

Impact:
The 443 value is not saved after reboot.

Workaround:
Reconfigure port after each reboot using the following command: modify sys httpd ssl-port 443.


656811-7 : Memory usage with MBLB SIP ingress buffer on standby

Component: Service Provider

Symptoms:
Memory usage increases to high levels when the ingress-max profile setting is set to a large value.

Conditions:
Incoming SIP messages are mirrored to standby, then the flow is aborted on active.

Impact:
Degraded performance. With the built-in MBLB profile, allocations go up to 50 and stay there until the 'while' loop is killed on the client and the flow is allowed to expire. With a non-default MBLB profile, allocations go as high as the ingress-max setting.

Workaround:
- Make sure there is at least one available pool member.
- Use default MBLB profile, or at least ingress-max set close to the default (50).


656807-1 : iRule DNS::ttl does not allow 0 (zero)

Component: Global Traffic Manager (DNS)

Symptoms:
DNS::rr cannot set ttl to 0. The system returns the following message: error: [internal error "unexpected return code"][DNS::ttl $rr 0].

Conditions:
-- Using iRule DNS::ttl.
-- Trying to set ttl to 0.

Impact:
DNS::rr cannot set ttl to 0, the resolver cache can't be disabled, and the system returns an error: error: [internal error "unexpected return code"][DNS::ttl $rr 0]

Workaround:
None.


656784 : Windows 10 Creators Update breaks RDG functionality in BIG-IP APM

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update, when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using the Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Instead of direct access to remote desktops using the APM RDG feature, configure the desktops as remote desktop items on APM Webtop.

With BIG-IP release 13.0.0:
Publish the remote desktop resource items on the APM Webtop with client type as "Native".

With older BIG-IP releases:
Publish the remote desktop resource items on the APM Webtop with client type "Java" or "ActiveX".


655807-1 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.


655793-2 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Component: Local Traffic Manager

Symptoms:
When the SSL client machine is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Conditions:
[1] SSL persistence is enabled.
[2] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.

Impact:
When the parsing fails, the SSL client hangs and times out. In other words, SSL traffic is affected.

Workaround:
Disable SSL persistence.


655767-4 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
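Because MCPD does not catch this cross-reference, the following added example (not F5 code) scans iRule bodies for 'call rule::proc' statements and reports which rules would be orphaned by a planned deletion; the iRule names and bodies it checks are constructed sample data, and the '/Common/' default partition is an assumption.

```python
"""Find iRule procedure cross-references before deleting an iRule (ID 655767-4).

Constructed example, not F5 code. MCPD does not block deleting an iRule whose
procedures are still called from another iRule, so this pre-check builds the
dependency graph from the 'call' command and refuses deletions that would
leave dangling procedure references.
"""
import re
from typing import Dict, List, Set

# Matches the iRules 'call' command with a rule qualifier:
#   call [/partition/]rule_name::proc_name ...
# A bare 'call proc_name' (no '::') targets a proc in the same iRule and
# creates no cross-rule dependency, so it is deliberately not matched.
CALL_RE = re.compile(r"\bcall\s+((?:/[\w.-]+/)?[\w.-]+)::([\w.-]+)")

# Assumption: unqualified rule names resolve to the Common partition.
DEFAULT_PARTITION = "/Common/"


def normalize(name: str) -> str:
    """Return a fully qualified rule name such as /Common/rule_name."""
    return name if name.startswith("/") else DEFAULT_PARTITION + name


def find_dependencies(irules: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each iRule to the set of other iRules whose procs it calls."""
    deps: Dict[str, Set[str]] = {}
    for rule, body in irules.items():
        targets = {normalize(m.group(1)) for m in CALL_RE.finditer(body)}
        targets.discard(normalize(rule))  # self-calls are not cross-rule references
        deps[normalize(rule)] = targets
    return deps


def unsafe_to_delete(irules: Dict[str, str], to_delete: List[str]) -> Dict[str, List[str]]:
    """Return {rule_to_delete: [surviving callers that still reference its procs]}.

    An empty result means the deletion leaves no dangling procedure call.
    """
    deps = find_dependencies(irules)
    doomed = {normalize(r) for r in to_delete}
    blocked: Dict[str, List[str]] = {}
    for caller, targets in deps.items():
        if caller in doomed:
            continue  # a caller being deleted in the same batch keeps nothing alive
        for target in targets & doomed:
            blocked.setdefault(target, []).append(caller)
    return {target: sorted(callers) for target, callers in blocked.items()}


# Constructed sample iRules. rule_uses_procs is attached to a virtual server
# and calls into proc_library; deleting proc_library alone would produce a
# configuration that fails to load.
SAMPLE_IRULES = {
    "/Common/proc_library": """
        proc log_client { ip } { log local0. "client $ip" }
    """,
    "/Common/rule_uses_procs": """
        when CLIENT_ACCEPTED {
            call proc_library::log_client [IP::client_addr]
        }
    """,
    "/Common/standalone": """
        proc helper {} { return 1 }
        when HTTP_REQUEST { call helper }
    """,
}

if __name__ == "__main__":
    for victim, callers in unsafe_to_delete(SAMPLE_IRULES, ["proc_library"]).items():
        print(f"do not delete {victim}: procs still called by {', '.join(callers)}")
```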


655724-4 : MSRDP persistence does not work across route domains.

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.


655649-1 : BGP last update timer incorrectly resets to 0

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
                    [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
                    [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
                    [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
None. This is cosmetic.

Workaround:
None.


655506 : Guest configurations with mergeable buffers disabled are not supported.

Component: TMOS

Symptoms:
Guest configurations with mergeable buffers disabled are not supported.

Conditions:
Guest configuration explicitly disables mergeable buffers:
<host mrg_rxbuf='off'/>

Impact:
tmm core. Traffic disrupted while tmm restarts. When mergeable buffers are disabled, the 13.0.0 virtio driver crashes and the 13.1.0 driver stops processing, i.e., it does not attach to the device.

Workaround:
Do not disable mergeable buffers.


655500-2 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH sessions be rekeyed at least every hour.

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.


655432-6 : SSL renegotiation failed intermittently with AES-GCM cipher

Component: Local Traffic Manager

Symptoms:
SSL renegotiation fails intermittently with an AES-GCM cipher because the IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate the client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.


655357-3 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.


655005-2 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync

Component: TMOS

Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.

Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.

Impact:
Peers in a Device Group will get out of sync.

Workaround:
Use a full sync instead.


654996-2 : Closed connections remain in memory

Component: Application Security Manager

Symptoms:
Connections remain open after the client has closed them, which leaks tmm memory for each such connection.
The following command shows connections for traffic that was already closed: tmsh show sys conn.

Conditions:
An iRule with an ASM_RESPONSE_VIOLATION event on the ASM-enabled virtual server.
A request with the Connection: close header.

Impact:
Memory increase due to connections left open.

Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".

Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.


654981-1 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.

Conditions:
This happens when the first matched rule has no action (that is, it is set to ignore).

Impact:
This may cause Local Traffic Policies to execute an unintended action.

Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.


654873-1 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following operations in the GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.


654599-4 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, so the action does not complete.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.


654513-1 : APM daemon crashes when the LDAP query agent returns empty search results.

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
APM provisioned with AD authentication setup.

Impact:
The APM daemon crashes, and RBA and WebSSO must be restarted. This is a very rarely encountered issue.

Workaround:
Add an LDAP Auth agent before the LDAP Query agent in the existing policy.

Note: Adding the extra LDAP Auth agent preserves the policy's functionality and features; the policy fails in the LDAP Auth agent instead of crashing in the LDAP Query agent.


654485-1 : Portal Access: Same-origin AJAX request may fail if response contains non-wildcard Access-Control-Allow-Origin header

Component: Access Policy Manager

Symptoms:
A same-origin AJAX request fails via Portal Access if the back-end response includes an Access-Control-Allow-Origin header whose value is neither '*' nor the request origin.

Conditions:
- Same-origin AJAX request, for example:
  GET /some/file.ext HTTP/1.1
  Host: example.com
  Origin: http://example.com

- Back-end response with Access-Control-Allow-Origin header:
  HTTP/1.1 200 OK
  Access-Control-Allow-Origin: http://another.com

Without Portal Access, such a response is valid and accessible to the client web application (provided there were no redirects), because browsers do not apply the CORS check to same-origin requests. Via Portal Access, however, the response is rejected.

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to remove the special query parameter 'F5_origin' from same-origin AJAX requests passing through Portal Access; this disables the CORS check emulation for those requests.


654011-1 : Pool member's health monitors set to Member Specific do not display the active monitors

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.


653888-1 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
The advertisement-interval attribute configured on a BGP peer-group may be ignored when the individual peers belonging to the peer-group are left at the default setting.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.


653775-4 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups do not synchronize.

Workaround:
Remove ampersand from sync group name.


653772-3 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
The ePVA can send a packet continuously. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.


653771-1 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
A TMM core is seen when a Reject ending in a per-request policy encounters an error.

Conditions:
The conditions that trigger this are unknown at this time; it was seen once, on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.


653746-1 : Unable to display detailed CPU graphs if the number of CPU is too large

Component: Local Traffic Manager

Symptoms:
The detailed CPU graph cannot be displayed. Navigate to Statistics :: Performance and click 'View Detail Graph' under System CPU usage. The graph does not display, and the system posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.


653573-1 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
The admd daemon spawns rsync processes and does not reap them properly, leaving many zombie processes.

Conditions:
An rsync process ends via exit (for example, after encountering a problem).

Impact:
No technical impact, but there are many zombie processes.

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.


653511-3 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.


653495-1 : Incorrect SNI hostname attached to serverside connections

Component: Local Traffic Manager

Symptoms:
SNI hostname submitted to a virtual server on the client side is sent to server side, even if there is a different hostname specified in the server SSL profile.

Conditions:
-- Client side ClientHello contains SNI.

Impact:
The client's SNI is forwarded to the server unchanged, rather than being stripped or rewritten to the hostname configured in the server SSL profile.

Workaround:
None.


653453-2 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by an L2 defect in the Broadcom Trident2+ switch that the B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.


653376-1 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including an attribute containing 32 or more extended communities.

Impact:
bgpd may crash, causing the BGP peering to reset.

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.
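The following Python, added here as an example and not taken from the BIG-IP or its routing daemon, parses a BGP UPDATE message and counts the extended communities it carries (path attribute type 16, eight octets per community, RFC 4360), so traffic captured from a peer can be checked against the 32-community threshold above before it reaches an unpatched bgpd. The sample UPDATE messages are constructed inline. One encoding detail worth knowing when reading captures: 32 eight-octet communities is exactly where the attribute value reaches 256 octets and the sender must switch to the two-octet Extended Length form; the release note does not say whether that is related to the crash.

```python
"""Count extended communities in a BGP UPDATE message.

Added example for these release notes; not BIG-IP or bgpd code. Walks the
path attributes of an UPDATE (RFC 4271 section 4.3) and sums the
EXTENDED_COMMUNITIES attribute (type 16, 8 octets per community, RFC 4360)
so a capture can be checked against the 32-community threshold above."""
import struct

BGP_HEADER_LEN = 19
BGP_UPDATE = 2
ATTR_EXTENDED_COMMUNITIES = 16
FLAG_EXTENDED_LENGTH = 0x10


def iter_path_attributes(attrs):
    """Yield (flags, type_code, value) for each path attribute in `attrs`."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        flags, type_code = attrs[pos], attrs[pos + 1]
        pos += 2
        if flags & FLAG_EXTENDED_LENGTH:          # two-octet length field
            if pos + 2 > len(attrs):
                raise ValueError("truncated extended length")
            length = struct.unpack_from("!H", attrs, pos)[0]
            pos += 2
        else:                                     # one-octet length field
            if pos + 1 > len(attrs):
                raise ValueError("truncated length")
            length = attrs[pos]
            pos += 1
        if pos + length > len(attrs):
            raise ValueError("attribute value runs past end of attributes")
        yield flags, type_code, attrs[pos:pos + length]
        pos += length


def count_extended_communities(message):
    """Return the number of extended communities in a BGP UPDATE message.

    Returns 0 for other message types; raises ValueError on malformed input."""
    if len(message) < BGP_HEADER_LEN:
        raise ValueError("short BGP header")
    length, msg_type = struct.unpack_from("!HB", message, 16)
    if length != len(message):
        raise ValueError("BGP length field does not match message size")
    if msg_type != BGP_UPDATE:
        return 0
    body = message[BGP_HEADER_LEN:]
    if len(body) < 4:
        raise ValueError("UPDATE body too short")
    withdrawn_len = struct.unpack_from("!H", body, 0)[0]
    attr_start = 2 + withdrawn_len
    if attr_start + 2 > len(body):
        raise ValueError("withdrawn routes run past end of message")
    attrs_len = struct.unpack_from("!H", body, attr_start)[0]
    attrs = body[attr_start + 2:attr_start + 2 + attrs_len]
    if len(attrs) != attrs_len:
        raise ValueError("path attributes truncated")
    total = 0
    for _flags, type_code, value in iter_path_attributes(attrs):
        if type_code == ATTR_EXTENDED_COMMUNITIES:
            if len(value) % 8:
                raise ValueError("extended communities length not a multiple of 8")
            total += len(value) // 8
    return total


def exceeds_threshold(message, threshold=32):
    """True when the UPDATE carries at least `threshold` extended communities."""
    return count_extended_communities(message) >= threshold


def build_update(n_communities):
    """Construct a minimal UPDATE carrying n two-octet-AS Route Target
    communities (constructed test input; AS 65000, assigned numbers 0..n-1)."""
    ext = b"".join(struct.pack("!BBHI", 0x00, 0x02, 65000, i) for i in range(n_communities))
    attrs = b""
    if ext:
        # Optional, transitive; the Extended Length flag is required whenever
        # the value does not fit in one octet (true from 32 communities upward).
        flags = 0xC0 | (FLAG_EXTENDED_LENGTH if len(ext) > 255 else 0)
        if flags & FLAG_EXTENDED_LENGTH:
            attrs = struct.pack("!BBH", flags, ATTR_EXTENDED_COMMUNITIES, len(ext)) + ext
        else:
            attrs = struct.pack("!BBB", flags, ATTR_EXTENDED_COMMUNITIES, len(ext)) + ext
    body = struct.pack("!HH", 0, len(attrs)) + attrs   # no withdrawn routes, no NLRI
    return b"\xff" * 16 + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_UPDATE) + body


if __name__ == "__main__":
    for n in (1, 31, 32):
        print(n, "communities -> at threshold:", exceeds_threshold(build_update(n)))
```

In practice you would feed `count_extended_communities` the TCP payload of each BGP message from a capture of the peering session (port 179) and alert on any UPDATE that reaches the threshold, since a misbehaving or hostile peer can reset the session at will until the fix is applied.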


653324-2 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
N/A


653292-1 : MySQL does not initialize correctly on first system start

Component: Application Security Manager

Symptoms:
MySQL is not yet setup, failed to initialize.
Shutting down MySQL...... SUCCESS!

Conditions:
AVR or ASM is provisioned.

Impact:
AVR, loadmanager, and other services that depend on MySQL are down.

Workaround:
Running 'bigstart restart mysql' should resolve the issue.


653228-3 : SNAT does not work properly on FTP VIP2VIP

Component: Local Traffic Manager

Symptoms:
SNAT does not work properly on FTP VIP2VIP.

Conditions:
-- An FTP virtual server forwards traffic VIP2VIP to a second virtual server.
-- SNAT is configured on second virtual server.

Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.

Workaround:
Do not configure SNAT on second virtual server.


653137-3 : Virtual flaps when FQDN node and pool configured with autopopulate

Component: Local Traffic Manager

Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.

Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.

Impact:
The virtual server becomes unavailable, and later switches to unchecked.

Workaround:
None.


653014-2 : Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
Applying a security policy fails when a custom Blocking page contains an HTTP header with an underscore in its name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active (Apply Policy) fails.

Workaround:
Use hyphens instead of underscores in the header name.


652910-1 : Native RDP published on webtop does not connect if allowed vlans specified explicitly

Component: Access Policy Manager

Symptoms:
Native RDP hosts published on a webtop do not connect if allowed VLANs are specified explicitly on the virtual server. The .rdp file downloads, but opening it produces an error from the RDP client such as "Your computer can't connect to the remote computer".

Conditions:
- Native RDP host type published in webtop mode.
- RDP Virtual server specified the allowed vlans explicitly.
- MSRDP NTLM configuration is not specified in vdi profile.

Impact:
Cannot connect to a Native RDP host published on a webtop.

Workaround:
Use either of the following workarounds:

- Configure the virtual server to listen on "All VLANs and Tunnels".

- Configure MSRDP NTLM authentication in the VDI profile attached to the virtual server.


652781 : Learn from responses checkbox can appear checked and disabled in manual mode

Component: Application Security Manager

Symptoms:
A security policy can get the 'Learn from responses' checkbox turned on in automatic mode. After moving to manual mode, the checkbox remains checked and it is not possible to uncheck it in manual mode.

Conditions:
This occurs when the following actions are performed, in this order:
1. Have a policy in automatic mode
2. Check the learn from responses.
3. Move the policy to manual

Impact:
Cannot uncheck the 'Learn from responses' checkbox in manual mode.

Workaround:
Move to automatic, uncheck the checkbox, and move back to manual.


652671-5 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.


652577-1 : Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair
 - Traffic-group with a MAC set in the MAC Masquerading setting.
 - Floating Self-IP using the above traffic-group
 - Make a change to the MAC Masquerading MAC address on the Active unit.
 - Run a config-sync from Active to Standby

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.


652535-2 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.
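As an added example (not code from the BIG-IP), the Python below is a stream-oriented HTTP/2 frame reader that keeps unconsumed bytes across TCP segments, so a 9-octet frame header split by TCP segmentation is reassembled rather than misparsed. It is exercised by cutting a constructed two-frame stream at every possible byte offset and checking that the same frames come out; a parser that assumed each segment began with a complete header would misread such input, which is the class of failure the symptom above describes.

```python
"""Reassemble HTTP/2 frames from a TCP byte stream.

Added example for these release notes; not BIG-IP code. Frame headers are
9 octets (RFC 7540 section 4.1) and TCP segmentation may split them, so the
reader keeps unconsumed bytes between segments instead of assuming each
segment starts with a complete header. Sample frames are constructed."""
import struct

FRAME_HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 16384        # SETTINGS_MAX_FRAME_SIZE initial value
DATA, HEADERS = 0x0, 0x1
END_STREAM, END_HEADERS = 0x1, 0x4


class Http2FrameReader:
    """Emit complete (type, flags, stream_id, payload) tuples from segments."""

    def __init__(self, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
        self.buf = bytearray()            # bytes not yet consumed by a frame
        self.max_frame_size = max_frame_size

    def feed(self, segment):
        """Append one TCP segment and return the frames completed by it.

        Anything shorter than a full header, or a header whose payload has
        not fully arrived, stays buffered for the next call."""
        self.buf += segment
        frames = []
        while len(self.buf) >= FRAME_HEADER_LEN:
            length = int.from_bytes(self.buf[0:3], "big")
            ftype, flags = self.buf[3], self.buf[4]
            stream_id = struct.unpack_from("!I", self.buf, 5)[0] & 0x7FFFFFFF
            if length > self.max_frame_size:
                raise ValueError("FRAME_SIZE_ERROR: %d-octet payload" % length)
            if len(self.buf) < FRAME_HEADER_LEN + length:
                break                          # payload incomplete; wait for more
            payload = bytes(self.buf[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length])
            del self.buf[:FRAME_HEADER_LEN + length]
            frames.append((ftype, flags, stream_id, payload))
        return frames


def build_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame (used to construct the sample stream)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def sample_stream():
    """Constructed: HEADERS (HPACK static indexes for :method GET, :path /)
    followed by DATA, both on stream 1."""
    return (build_frame(HEADERS, END_HEADERS, 1, b"\x82\x84")
            + build_frame(DATA, END_STREAM, 1, b"hello"))


def reassemble(segments):
    """Run every segment through one reader and collect the frames."""
    reader = Http2FrameReader()
    frames = []
    for seg in segments:
        frames.extend(reader.feed(seg))
    return frames


def fragment_at(data, cut):
    """Split a byte string into two TCP segments at offset `cut`."""
    return [data[:cut], data[cut:]]


def reassembles_at_every_cut(data):
    """True when cutting the stream at any offset yields the same frames as
    delivering it whole, i.e. split headers and payloads are handled."""
    whole = reassemble([data])
    return all(reassemble(fragment_at(data, cut)) == whole
               for cut in range(1, len(data)))


if __name__ == "__main__":
    stream = sample_stream()
    print(reassemble(fragment_at(stream, 4)))   # first header split after 4 octets
    print("all cuts OK:", reassembles_at_every_cut(stream))
```

The exhaustive-cut check is the useful part for testing any HTTP/2 implementation: TCP gives no alignment guarantees, so every offset, including those inside the 9-octet header, is a legitimate segment boundary that must decode identically.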


652484-3 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.


652370 : The persist cookie insert iRule command may leak memory

Component: Local Traffic Manager

Symptoms:
In some situations, the persist cookie insert iRule command may leak memory.

Conditions:
The persist cookie insert iRule command is used.

Impact:
Eventually, the TMM will run out of memory due to the leak.


652278-1 : dwbld memory leak when AFM/ASM is provisioned

Component: Advanced Firewall Manager

Symptoms:
After many hours of system uptime, the dwbld process is consuming more memory than expected. dwbld is one of the service daemons started when AFM or ASM is provisioned.

Conditions:
AFM or ASM provisioning.

Impact:
Memory leak affects overall system performance.

dwbld gradually leaks memory even when idle. This causes the system to run low on resident memory and degrades the performance of the rest of the system.

Workaround:
None.


652200-2 : Failure to update ASM enforcer about account change.

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following workarounds:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.


652146-1 : Email agent does not send email if the remote server does not respond 250 OK to the VRFY command.

Component: Access Policy Manager

Symptoms:
The Access Policy Email Agent does not send email if the remote server does not respond 250 OK to the VRFY command.

Conditions:
The version of cURL included in 13.0.0 issues a VRFY command to confirm that recipients are valid before sending mail. Many servers consider VRFY a potential information leak and respond with a 252 reply (address not verified), in which case the BIG-IP system does not send the message.

Impact:
The Access Policy Email Agent does not send mail messages or log an error about mail not being sent.

Workaround:
None.


652052-2 : PEM::session iRule command made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In versions before 12.0, the order of parameters for the PEM::session iRule command was flexible. The new validation infrastructure in 12.0 made the order strict, which breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters (for example, subscriber-id) are placed before the user-name parameter.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.


652004-1 : Show /apm access-info all-properties causes memory leaks in tmm

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
Using 'show /apm access-info all-properties'.

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
Avoid running this command, or restart the tmm processes periodically after it has been run multiple times.


651961-1 : AVR is not called for DNS packets when AFM is not provisioned.

Component: Advanced Firewall Manager

Symptoms:
AVR DNS analytics are not available when AFM is not provisioned, even with avr-dnsstat-sample-rate set to a non-zero value on the DNS profile.

Statistics :: Analytics :: DNS returns a message similar to the following: There is no data to display either due to the lack of relevant traffic, or due to the settings of the filter.

Conditions:
-- AFM is not provisioned.
-- DNS traffic.

Impact:
No DNS analytics data available. Cannot see AVR data for DNS resolutions.

Workaround:
None.


651947-1 : Token validate response session variables created with no prefix might collide with other session variables.

Component: Access Policy Manager

Symptoms:
Token validate responses create session variables without any sub-prefix, which may result in collisions with other session variables.

Conditions:
Executing policy containing 'introspect' session variables such as 'authresult' and 'errMsg'.

Impact:
May collide with other session variables. If they collide with token introspect responses, one or the other will be overwritten, depending on the order in which the variables are executed.

Workaround:
None.


651910-1 : After upgrading from 12.x to 13.0 or later, you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI

Component: Access Policy Manager

Symptoms:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Conditions:
After upgrading from 12.x to 13.0 or later.

Impact:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Workaround:
Manually add the properties via tmsh:
(assuming affected log setting is abc)

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}


651875-1 : GSLB Server properties page should show the iQuery section when type is BIG-IP System

Component: Global Traffic Manager (DNS)

Symptoms:
The iQuery section does not display on the GSLB Server properties page in the Web GUI.

Conditions:
There must be a GSLB Server created and configured to be of type BIG-IP System.

Impact:
The iQuery section does not display when it should on the properties page in the Web GUI.

Workaround:
The iQuery settings can be changed via TMSH.


651772-4 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC and IPv6 source address belonging to a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.


651713 : Passive mode and untagged frames

Component: Local Traffic Manager

Symptoms:
When a port is configured in passive mode, the system requires a VLAN to be configured in order to handle untagged frames.

Conditions:
When port is operating in passive mode.

Impact:
System performance is affected.

Workaround:
Create a VLAN. Assign passive mode port as an untagged member of VLAN.


651681-3 : Orphaned bigd instances may exist (within multi-process bigd)

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may exist, such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- The db variable Bigd.NumProcs is set to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.


651651-1 : bigd can crash when a DNS response does not match the expected value

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s). FQDN not in use.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.


651640-2 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
A negative number of active response messages is reported in the sipsession profile statistics.

Conditions:
When a request message is dropped because the SIP filter's ingress message queue is full, the wrong statistic is incremented.

Impact:
Counting the dropped request messages as response messages causes the number of accepted response messages to be calculated incorrectly, producing a negative value.


651541-1 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.


651253 : tmipsecd down after provisioning modules

Component: TMOS

Symptoms:
After provisioning a set of modules, tmipsecd may not be running.

Conditions:
After provisioning a set of modules.

Impact:
IPsec would not be operational.

Workaround:
Restart tmipsecd by running the following command: bigstart start tmipsecd.


651229-1 : tmm may restart when SAML SLO is initiated by SP using redirect binding

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML SP, there are two bindings supported for SLO profile: HTTP-Redirect and HTTP-POST (default option). If the BIG-IP system is configured to initiate SAML SP SLO profile with redirect binding - tmm may restart.

Conditions:
-- Configure the BIG-IP system as SAML SP.
-- Configure HTTP-Redirect binding for SLO profile.
-- Initiate SLO on SAML SP.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reconfigure the BIG-IP system to use HTTP-POST binding for SLO profile. Configuration should be changed on IDP connector objects.


651155-2 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
Unknown.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.


651136-1 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.


651135-2 : LTM Policy error when rule names contain slash (/) character

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:
   
    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }
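Rather than editing rule names by hand, the following Python (an added example, not an F5 tool) rewrites slash-containing rule names inside the ltm policy blocks of bigip.conf-style text and reports what it changed. It refuses to proceed when a rewritten name would collide with another rule in the same policy, since two distinct rules must not silently merge. It relies on the saved bigip.conf layout, in which braces balance line by line except for block openers and closers; the sample configuration is constructed from the release note's example.

```python
"""Rewrite LTM Policy rule names that contain a slash.

Added example for these release notes; not an F5 tool. Scans the 'ltm policy'
blocks of bigip.conf-style text, replaces '/' in rule names with '_' (as in
the release note's example) and reports the renames. Relies on the saved
bigip.conf layout, in which braces balance line by line except for block
openers and closers (an assumption of this example)."""
import re

POLICY_RE = re.compile(r"^ltm policy \S+ \{$")
BLOCK_OPEN_RE = re.compile(r"^(\s*)(\S+)\s*\{$")


def rename_slash_rules(conf_text, replacement="_"):
    """Return (rewritten_text, [(old_name, new_name), ...]).

    Raises ValueError if a rewritten name would collide with another rule in
    the same policy, since silently merging two rules would change behaviour."""
    out, renames = [], []
    depth = 0
    policy_depth = rules_depth = None
    seen = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if policy_depth is None and POLICY_RE.match(stripped):
            policy_depth = depth + 1              # policy body lives one level down
        elif (policy_depth is not None and rules_depth is None
              and depth == policy_depth and stripped == "rules {"):
            rules_depth = depth + 1               # rule names live one level down
            seen = set()
        elif rules_depth is not None and depth == rules_depth:
            m = BLOCK_OPEN_RE.match(line)
            if m:
                indent, name = m.group(1), m.group(2)
                new_name = name.replace("/", replacement)
                if new_name in seen:
                    raise ValueError("rule name collision: %r -> %r" % (name, new_name))
                seen.add(new_name)
                if new_name != name:
                    renames.append((name, new_name))
                    line = "%s%s {" % (indent, new_name)
        out.append(line)
        depth += line.count("{") - line.count("}")
        if rules_depth is not None and depth < rules_depth:
            rules_depth = None
        if policy_depth is not None and depth < policy_depth:
            policy_depth = None
    trailing = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailing, renames


def would_collide(conf_text, replacement="_"):
    """True when rename_slash_rules refuses the text because of a collision."""
    try:
        rename_slash_rules(conf_text, replacement)
    except ValueError:
        return True
    return False


# Constructed sample modelled on the release note: one rule name containing
# slashes, one legal rule, and a path value deeper in the block that must
# not be touched.
SAMPLE_CONF = """\
ltm policy /Common/mypolicy {
    controls { forwarding }
    requires { http }
    rules {
        /testperson/a {
            actions {
                0 {
                    forward
                    select
                    pool /Common/pool_a
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    values { /testperson }
                }
            }
            ordinal 1
        }
        plain_rule {
            actions {
                0 {
                    forward
                    reset
                }
            }
            ordinal 2
        }
    }
    strategy /Common/first-match
}
"""

if __name__ == "__main__":
    text, changes = rename_slash_rules(SAMPLE_CONF)
    print(changes)
    print(text)
```

Run it over a copy of bigip.conf, review the reported renames, and load the result with 'tmsh load sys config verify' before committing the change; any rule referenced by name elsewhere (for example in an iRule calling POLICY commands) must be updated to match.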


651005-4 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server, and may instead use the value configured at the VLAN level.

Conditions:
With either of the configurations below, the FTP data connection fails to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With either of the configurations below, the FTP data connection improperly uses auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.


651001-2 : massive prints in tmm log: "could not find conf for profile crc"

Component: Advanced Firewall Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. A DoS profile is attached to the virtual server, and the DoS profile does not have application DoS protection enabled.
2. An ASM policy is attached to the virtual server with Web Scraping, Session Hijacking, Session Awareness with device ID (DID) collection, or Brute Force with device ID (DID) collection enabled.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Enable application DoS protection in the DoS profile (even with no settings active).


650317-2 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.


650292-1 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries receive the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non-recursive responses are returned for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.


650019-1 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.


650002-2 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.


649613-2 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the packets provided by the server into PPP buffers, and these PPP packets are packed into DTLS records. Currently the limit on a DTLS record is about 14 KB, so the system can pack multiple PPP packets into one DTLS record.

However, creating a larger DTLS record can cause IP fragmentation on the server side. In a lossy environment, losing a single IP fragment causes the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.


649513-1 : IP Intelligence: Policy diff doesn't work for categories

Component: Application Security Manager

Symptoms:
There is no validation that fields exist in a nested struct.

Conditions:
Create two policies.
Create a difference in their nested structs.

Impact:
Comparing policies with nested structs does not work as expected.


649177-1 : Testing for connection to SMTP Server always returns "OK"

Component: Application Visibility and Reporting

Symptoms:
When you click the "Test Connection" button in the SMTP GUI configuration, it always returns a green "OK" response, even if there is no network connectivity or the DNS response is NXDOMAIN.

Conditions:
This is encountered when testing the SMTP connection using the GUI.

Impact:
Validation of SMTP server availability is incorrect.

Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):

# echo "ssmtp test mail" | mail -vs "Test email" user@example.com


649171-3 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
Calling TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with an unreachable remote_addr causes tmm to core.

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Create a faux route for the destination address.


648954-1 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, potentially as a result of a ConfigSync or of modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

The error references an iRule that previously existed but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


648873-4 : Traffic-group failover-objects cannot be retrieved via iControl REST

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST to retrieve the failover-objects associated with floating traffic-groups.

Impact:
The list of failover-objects associated with a specific floating traffic-group cannot be accessed via the iControl REST interface.

Workaround:
Use a different user interface (tmsh or GUI).


648806-2 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance

Component: Global Traffic Manager (DNS)

Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.

Conditions:
Logging is enabled for wideip load balancing decisions.

Impact:
Invalid value is logged for "with the first highest ratio counter".


648650 : Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.

Component: Fraud Protection Services

Symptoms:
Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.

The system posts the following messages in /var/log/ltm:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed.
-- 010719b4:3: URL can have only a single parameter identified as username in the Anti-Fraud profile '/Common/antifraud'. Unexpected Error: Loading configuration process failed.

Conditions:
Adding two parameters with 'identify-as-username enabled' using GUI.

Impact:
Upgrade fails. Configuration fails to load.

Workaround:
Before upgrade, check that every ANTIFRAUD URL has no more than one parameter with "identify as username" enabled.

To do so, delete a parameter or disable "identify as username".


648639-2 : TS cookie name contains NULL or other raw byte

Component: Application Security Manager

Symptoms:
The TS cookie name may intermittently contain NULL.

Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).

Impact:
False positives triggered on modified domain cookies.

Workaround:
To resolve this, change the security policy name.


648544-6 : HSB transmitter failure may occur when global COS queues enabled

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.


648320-2 : Downloading via APM tunnels could experience performance downgrade.

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet size is too large, fragmentation can occur at the IP layer. This causes a high number of packet drops and therefore degraded performance.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.


648317-1 : Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting

Component: TMOS

Symptoms:
vCMP guests fail to start on B2100 and B2150 blades when the user had enabled the input/output memory management unit (IOMMU) before upgrading.

Conditions:
* Run a pre-13.0.0 version of the software.
* Run on a VIPRION B2100/B2150 blade.
* Enable IOMMU before upgrading, using the following command: sys db kernel.iommu.
* Upgrade to 13.0.0.
* vCMP is provisioned.

Impact:
Cannot deploy vCMP guests.

Workaround:
Use the grub_open and grub_close commands to manually add "intel_iommu=on" to the kernel command line, as follows:

~$ grub_open
/var/run/grub.conf.mdfy.24145
~$ <edit the file above>
~$ grub_close


648245-1 : When using a route TMM may use a smaller MTU

Component: Local Traffic Manager

Symptoms:
TMM uses a smaller MTU when connecting to a device via a configured route.

Conditions:
- An MTU larger than 1500 bytes is configured on the VLAN.
- A static or dynamically learned route to the destination exists with no specific MTU defined.

Impact:
The effective MTU when using the route is limited to 1500 bytes. This includes the derived MSS of TCP connections.

Workaround:
Specify the required MTU on routes.


648060-1 : EdgeClient locked mode exclusion list admin UI doesn't allow underscore character

Component: Access Policy Manager

Symptoms:
EdgeClient locked mode exclusion list admin UI doesn't allow underscore character

Conditions:
An administrator is trying to configure EdgeClient locked mode exclusion list with hostname containing underscore character ('_').

Impact:
Hostnames containing an underscore are not allowed in the list, so you cannot whitelist them.

Workaround:
The exclusion list for locked mode is also configurable through the local registry on the client machine, and the registry configuration allows underscore characters.

For example, to add my_domain.com to the exclusion list, create a registry key (a key, not a value) under the key
HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions, i.e. HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions\my_domain.com\


648037-1 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with an HTTP profile and an iRule that uses LB::reselect. If LB::reselect fails to connect to the server and there is no monitor on the pool, tmm crashes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.


647988-2 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- A two-member pool is configured as the remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced".
- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.


647944-1 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.


647834-5 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.


647812-4 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP writes diagnostic information to /tmp/wccp.log, independent of the log level or DB key. This file can grow unbounded if no WCCP packets are ever sent. If packets are sent, the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.


647158-4 : Internal virtual server inherits CMP hash mode from parent virtual server

Component: Service Provider

Symptoms:
An internal virtual server might behave in unexpected ways, such as aborting a client connection before connecting to the server.

Conditions:
- A virtual server with a request-adapt or response-adapt profile and a VLAN whose 'cmp-hash' mode is 'src-ip'.
- An internal virtual server without a VLAN or 'cmp-hash' setting.

Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.

Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.


647071-1 : Stats for SNATs do not work when configured in a non-zero route domain

Component: Local Traffic Manager

Symptoms:
When a SNAT is created in a route domain other than 0, the command 'tmsh show ltm snat' does not report any statistics.

Conditions:
This occurs on all SNATs in a route domain other than 0.

Impact:
No statistics are reported for the SNATs.

Workaround:
None.


646890-2 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Component: TMOS

Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take effect without a racoon restart.

Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.


646804-1 : call to tmctl in diskmonitor for the tmstat vcmp_stat table results in error: tmctl: vcmp_stat: No such table.

Component: TMOS

Symptoms:
diskmonitor added monitoring functionality for VM disks. As a result, diskmonitor makes a call to tmctl for the tmstat vcmp_stat table.

However, this call is also done on non-vCMP systems, which results in an error: tmctl: vcmp_stat: No such table.

Conditions:
Run diskmonitor on a non-vCMP system.

Impact:
The system posts the following error: tmctl: vcmp_stat: No such table. There is no functional issue when receiving this message on non-vCMP systems, so you can disregard the message.

Workaround:
None.


646800-1 : A part of the request is not sent to ICAP server in a specific case

Component: Application Security Manager

Symptoms:
The portion of the request that is not sent to the ICAP server is not checked for viruses.

Conditions:
ICAP is configured.

Impact:
There might be a false negative in the anti-virus check.

Workaround:
N/A


646643-1 : HA Standby Virtual Server with a lasthop pool may crash.

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with a lasthop pool may crash.

Conditions:
HA Standby Virtual Server is configured with a lasthop pool.
It receives more than 2 billion (maximum value of 32 bit integer) connections.

Impact:
tmm on the next-active device crashes. The Active device isn't affected.

Workaround:
None.


646604-1 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.


646495-1 : BIG-IP may send oversized TCP segments on traffic it originates

Component: Local Traffic Manager

Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.

Conditions:
- The received TCP MSS (plus protocol overhead) is smaller than the configured MTU of the interface.
- The Linux host sends large TCP segments, such as SNMP getbulk replies.

Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.

Workaround:
Disable segmentation offload for the nvic.


645684-3 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into an incorrect ApplicationDomain, and in some rare cases this may cause errors in the application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None


645635-1 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, configured units with sflow may incorrectly use 0.0.0.0 as Agent Address.

Conditions:
- A vCMP guest is deployed on a chassis with only the cluster IP set and no individual blade IP addresses configured.
- sflow is configured.

Impact:
sflow may incorrectly use 0.0.0.0 as Agent Address.

Workaround:
Possible workarounds (either):
 - Use larger guests (more than 2 cores).
 - Configure cluster blade IP addresses.


645615-1 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.


645206-2 : Missing cipher suites in outgoing LDAP TLS ClientHello

Component: TMOS

Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.

Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.

Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.

Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.


645179-1 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30s after an uptime of 331.40 days.

The amount of time that is required to trigger this issue is dependent on the number of traffic groups. The more traffic groups, the shorter amount of uptime required to encounter this issue.

For example:

For 7 traffic groups it would take ~710 days.
For 15 traffic groups it would take ~331 days.

Conditions:
Two or more BIG-IPs are defined in a device group for sync/failover.
Multiple traffic groups are configured.
The BIG-IPs have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

You would have to reboot all the BIG-IPs in the device group periodically; the required interval depends on the number of traffic groups.


645058-4 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.


645036 : Removing pool from virtual server does not update its status

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.


644979-1 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the hourly 1024-bit (1k) ephemeral key generation cron job do not get logged as intended.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.


644975-2 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows that MAILTO=root still appears in some files, also modify those files so that MAILTO=root becomes MAILTO="".


644873-3 : ssldump can fail to decrypt captures with certain TCP segmenting

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.


644725-2 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart

Component: Application Security Manager

Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.

Conditions:
A reconfiguration (for example a headers configuration change) happens while ASM is being removed from a VIP. This is especially likely in scripts that create or remove a configuration.

Impact:
ASM restarts. The system goes offline. A failover may happen.

Workaround:
Ensure that some time elapses between applying a configuration change and removing ASM from the VIP.


644723-2 : bcm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
The log message says the interface is DOWN; it should say DISABLED.


644447-1 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage increases exponentially during a network disruption.

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.


644220-4 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configurations of Self IPs, GTM Servers, GTM Links, and LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.


644184-3 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is waiting for return from external script.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP calls an external script that takes several moments to return.

Impact:
Dynamic routing may be halted for as long as the AgentX daemon is waiting for the external script to return.

Workaround:
Do not configure AgentX to call external scripts that take several moments to return.


643860-5 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

In /var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.


643813-1 : ZoneRunner does not properly process $ORIGIN directives

Component: Global Traffic Manager

Symptoms:
During a zone import operation, ZoneRunner incorrectly associates the "@" directive with the zone name rather than with the $ORIGIN specified.

Conditions:
If the zone file to be imported contains a $ORIGIN directive, the "@" directives that follow it incorrectly reference the zone name instead of the new origin.

Impact:
Zones will not be imported correctly.

Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.

The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)

For example, given a zone file named example.com.file that contains the following information:

"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3

The command is as follows:

named-compilezone -s full -o example.com.file.full example.com example.com.file

The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1

This output is correct, and the normalized file can then be imported into ZoneRunner.
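The $ORIGIN handling that named-compilezone applies and that the defective import does not, shown on the zone file above. This is an added example, not F5 or BIND code; the sample zone is constructed from the text, and `honor_origin=False` is a hypothetical switch that models the defect described in this issue.

```python
import re

# Constructed sample: the zone file from the issue text (without the leading
# "example.com" label line), as it would be fed to ZoneRunner or named-compilezone.
SAMPLE_ZONE = """\
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
"""

CLASSES = {"IN", "CH", "HS"}
# Record types whose RDATA is a single domain name that must also be qualified.
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "DNAME"}


def qualify(name, origin):
    """Expand a zone-file owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name  # already fully qualified
    return f"{name}.{origin}"


def normalize_zone(text, zone_name, honor_origin=True):
    """Parse a one-record-per-line zone file into fully qualified records.

    honor_origin=True is what the RFC 1035 master-file format requires and what
    named-compilezone does: "@" and relative names resolve against the most recent
    $ORIGIN. honor_origin=False is a hypothetical switch that models the ZoneRunner
    import defect described on the page, where "@" is always bound to the zone name.
    Multi-line records (parentheses) and unit-suffixed TTLs such as 1h are not handled.
    """
    zone_apex = zone_name if zone_name.endswith(".") else zone_name + "."
    origin = zone_apex
    default_ttl = None
    last_owner = zone_apex
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive: {tokens[0]}")
        at_origin = origin if honor_origin else zone_apex
        if raw[:1].isspace():
            owner = last_owner  # blank owner field inherits the previous owner
        else:
            owner = qualify(tokens.pop(0), at_origin)
        last_owner = owner
        ttl, rclass = default_ttl, "IN"
        # Optional TTL and class may appear in either order before the type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            else:
                rclass = tok.upper()
        if ttl is None:
            raise ValueError(f"no TTL for record: {line!r}")
        rtype = tokens.pop(0).upper()
        if rtype in NAME_RDATA_TYPES:
            tokens = [qualify(tokens[0], at_origin)]
        records.append((owner, ttl, rclass, rtype, " ".join(tokens)))
    return records


def canonical_key(record):
    """Sort apex first, then in DNS name order (labels reversed), SOA before other types."""
    owner, _ttl, _rclass, rtype, _rdata = record
    labels = tuple(reversed(owner.rstrip(".").lower().split(".")))
    return (labels, rtype != "SOA", rtype)


def format_zone(records):
    """Render records in the fully qualified, one-per-line form named-compilezone emits."""
    return [" ".join(str(field) for field in rec) for rec in sorted(records, key=canonical_key)]


if __name__ == "__main__":
    for out_line in format_zone(normalize_zone(SAMPLE_ZONE, "example.com")):
        print(out_line)
```

Running the block prints the same five lines the page shows as the named-compilezone output.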


643799-4 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.


643777-1 : LTM policies with more than one IP address in TCP address match may fail

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match. (The datagroup option is only available in 13.0.0 and later.)


643768-1 : Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.

Component: TMOS

Symptoms:
If there are invalid entries in the SNMP allowed-address field, or in the SNMP communities source field, upgrade to v13.0.0 fails to load the configuration on validation of the input, with this error signature:

01070911:3: The requested host (<host-ip-address>) is invalid for allow in snmpd (/Common/snmpd),
Unexpected Error: Loading configuration process failed.

Conditions:
This can happen when upgrading from a release older than 13.0.0, and there is an invalid entry in the SNMP allowed-address field or communities source field, such as:

sys snmp {
    allowed-address { 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
    }
}

Impact:
Upgrade to 13.0.0 fails if the configuration contains these invalid values, due to input validation that was added in this version.

Workaround:
Remove the invalid entries from these two fields before upgrading to 13.0.0.
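A pre-upgrade check that flags the entry shapes shown above before the 13.0.0 load-time validation rejects them. This is an added example, not F5 code; it assumes tmsh-style text as input, treats a plain hostname as an acceptable value (an assumption the page does not state), and the sample configuration is constructed.

```python
import ipaddress
import re
import shlex

# Constructed sample: the invalid entries from the issue text plus two valid ones.
SAMPLE_SNMP_CONFIG = """\
sys snmp {
    allowed-address { 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 10.0.0.0/8 192.0.2.7 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
        /Common/ok {
            community-name ok
            source 198.51.100.0/255.255.255.0
        }
    }
}
"""

# Assumption: a plain hostname is also an acceptable value. The page does not say so,
# so this rule is a guess; the pattern requires at least one letter so that a
# malformed address such as 999.1.1.1 is not mistaken for a hostname.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?=.*[A-Za-z])[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_snmp_source(entry):
    """True if entry is one host, a CIDR prefix, a network/netmask pair, or a hostname.

    The shapes the page lists as invalid (a bogus netmask, two addresses in one
    quoted value, comma-joined addresses, a non-numeric prefix) all return False.
    """
    if not entry or any(ch.isspace() for ch in entry) or "," in entry:
        return False
    try:
        ipaddress.ip_network(entry, strict=False)  # host, a.b.c.d/n or a.b.c.d/m.m.m.m
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(entry))


def extract_snmp_entries(config_text):
    """Pull allowed-address values and community 'source' values out of tmsh-style text."""
    allowed = []
    match = re.search(r"allowed-address\s*\{(.*?)\}", config_text, re.S)
    if match:
        allowed = shlex.split(match.group(1))  # keeps the double-quoted value as one entry
    sources = []
    for value in re.findall(r"^\s*source\s+(.+?)\s*$", config_text, re.M):
        sources.extend(shlex.split(value))
    return allowed, sources


def find_invalid_snmp_entries(config_text):
    """Return (field, value) pairs that would fail the v13.0.0 input validation."""
    allowed, sources = extract_snmp_entries(config_text)
    bad = [("allowed-address", e) for e in allowed if not is_valid_snmp_source(e)]
    bad += [("communities source", e) for e in sources if not is_valid_snmp_source(e)]
    return bad


if __name__ == "__main__":
    for field, value in find_invalid_snmp_entries(SAMPLE_SNMP_CONFIG):
        print(f"invalid {field} entry: {value!r}")
```

Run it against the output of `tmsh list sys snmp` saved to a file on the pre-13.0.0 system; an empty result means neither field carries an entry of the shapes shown above.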


643459-4 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to log in to the Configuration Utility.

Workaround:
Configure the reverse proxy to place the IP address of the BIG-IP in the Referer header.


643210-3 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers deletion of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if one exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.


643041-1 : Less than optimal interaction between OneConnect and proxy MSS

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.


642982-1 : tmrouted may continually restart after upgrade, adding or renaming an interface

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
Dynamic routing is configured, and a VLAN, VLAN group, or tunnel is either in a non-default partition or has a name longer than 15 characters.

Impact:
Dynamic routing does not function.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.


642923-1 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Component: TMOS

Symptoms:
MCP may time out and get killed by sod, causing mcpd to restart.

Conditions:
A large number (tens of thousands) of file objects, such as SSL keys and certificates, is configured and the configuration is loaded.

Impact:
The system will restart.

Workaround:
Reduce the number of file objects configured.


642422-1 : BFD may not remove dependent static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in a dynamic routing configuration may not remove static routes that are configured to depend on the liveness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependent on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
The static route may not be removed when the peer sets the BFD session to admin-down, and traffic may still be routed over it.


642314-1 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x

Component: TMOS

Symptoms:
The GTM configuration fails to load after an upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
The GTM configuration fails to load after the upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".


642039-1 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for the wideip and an iRule that uses one of the following commands is triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.


641512-5 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records), when the BIG-IP is handling a large amount of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys are configured with periodic rollover, and an error is queued on the certificate path (situations include, but are not limited to, a large amount of SSL traffic with invalid certificates).

Impact:
New DNSSEC key generations are not accepted by TMM, so when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.


641491-1 : TMM core while running iRule LB::status pool poolname member ip port

Component: Local Traffic Manager

Symptoms:
tmm core SIGSEGV

Conditions:
Attach an iRule to the wideip that calls LB::status with the "ip port" format, that is, with a space between the IP address and the port.

For example:
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the "ip:port" format or the virtual server name instead of "ip port":
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}
Or
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}


641450-4 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


641273 : port-fwd-mode mode configuration object value

Component: Local Traffic Manager

Symptoms:
The port-fwd-mode object value of an interface object is not reset to the default value on loading a UCS.

Conditions:
Saved configuration / UCS must have port-fwd-mode in default (l3) state, and the current configuration must have port-fwd-mode set to "passive" mode.

Impact:
port-fwd-mode will continue to stay in the non-default state of "passive".

Workaround:
Reconfigure port-fwd-mode to the correct value and save the configuration.


640924-2 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
N/A


640903-2 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The "Records per screen" preference is set to a high value; 50 or more starts causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Set the "Records per screen" preference to a low value. The default value of 10 is fine.


640863-1 : Disabling partition selector in DNS Resolver's Forward Zones

Component: TMOS

Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.

Conditions:
DNS Resolvers with Forward Zones exist in different partitions.

Impact:
Changing the partition in the Forward Zones page may error out.

Workaround:
Change the partition in the DNS Resolver List or use tmsh.


640565-2 : Incorrect packet size sent to clone pool member

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable


640521-2 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
When you connect to a public network whose Captive Portal login page uses the jQuery library for mobile devices, EdgeClient does not render the login page.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient cannot establish a VPN connection.

Workaround:
Use a browser to authenticate to the Captive Portal. For a locked client, there is no suitable workaround.


640407-2 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in an MRF protocol filter or MR proxy during the CLIENT_CLOSED iRule event may cause a core, because the CLIENT_CLOSED event is raised after all state for the current connection has been freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule commands that get or set state during the CLIENT_CLOSED iRule event.


640395-2 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly

Component: Local Traffic Manager

Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.

Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.

Impact:
If you are not actually using the spanning feature, there is no impact.

If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.

Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.

Alternatively, you can manually set the spanning property on the virtual addresses as desired (after the upgrade).


640369-1 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan.
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan.

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.


639859 : The CPU utilization of MCP can be high on standby box with autodos enabled

Component: Advanced Firewall Manager

Symptoms:
In an active-standby HA setup with autodos enabled, the CPU utilization of MCP on the standby device is high under heavy load. For example, the CPU utilization of the standby can be at 80% with 100 virtuals configured.

Conditions:
1. AFM Autodos enabled
2. Large number of virtuals configured

Impact:
Increased CPU utilization by MCP on the standby device.


639619-1 : UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).

Component: TMOS

Symptoms:
UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).

Conditions:
-- 11.6.0 UCS.
-- AFM configured.
-- Running on VE.
-- DWBL configured.

Impact:
Cannot load UCS or upgrade to 13.0.0.

Workaround:
None.


639505-2 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The aggregate with the shorter prefix (the least specific one) may not be sent to the BGP peer.


639395-3 : AVR does not display 'Max read latency' units.

Component: Application Visibility and Reporting

Symptoms:
AVR does not display 'Max read latency' units.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.


639283-1 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN

Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.

Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.

Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.


639236-4 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when the Contact header has an expires value of 0 that is not the last attribute.

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
The REGISTER is rejected with a '400 Bad request' error message.

Workaround:
None.


639039-5 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.


638715-1 : Multiple Diameter monitors to same server ip/port may race on PID file

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible workaround is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so that a simultaneous probe collision fails one monitor only once, and the retry succeeds (as three monitor failures are required for a virtual server to be marked down).


638091 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic while they restart.

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.


637979-2 : IPsec over isession not working

Component: TMOS

Symptoms:
Configuring symmetric optimization to use IPsec for IP encapsulation alone does not allow IPsec-encrypted application data traffic to be sent through a secured iSession connection.

Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.

Impact:
The user is unable to send encrypted traffic using IPsec over the tunnel without the additional configuration that a typical IPsec setup requires.

Workaround:
Make the configuration needed for a typical IPsec setup explicitly: set the iSession encapsulation to "none", and configure a proper IKE peer, IPsec policy, and traffic selectors to capture the iSession traffic between the iSession endpoints.

BIG-IP1 GUI:
[Local Endpoint]
Acceleration > Symmetric Optimization : Local Endpoint > Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints > New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network > IPsec : IKE Peers > New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network > IPsec : IPsec Policies > New IPsec Policy...
Name: <isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network > IPsec : Traffic Selectors > New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI: the configuration is analogous; swap the local and remote endpoint addresses wherever they appear above.


637827 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0

Component: TMOS

Symptoms:
The configuration fails to load with the following message:

01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.

Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.

Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.

Workaround:
Remove the STP interface member 1.0 and reload.


637613-4 : Cluster blade being disabled immediately returns to enabled/green

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and retrying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


636866-2 : OAuth Client/RS secret issue with export/import

Component: Access Policy Manager

Symptoms:
When an access profile with an OAuth Client/RS agent is configured, the OAuth server object has a client secret and/or resource server secret configured.
When such an access profile is exported and then imported, the client secret or resource server secret may not be imported properly.

Conditions:
In the OAuth client/RS use case, an access profile is configured with an OAuth Client or Scope agent.

Impact:
The APM OAuth client or Scope Agent may not run properly and end up in the fallback branch.

Workaround:
After importing the access profile, the OAuth server object needs to be modified with the proper client secret or resource server secret.


636823-4 : Node name and node address

Component: TMOS

Symptoms:
If you create a node whose name is an IP address but whose actual IP address differs from that name, an error can occur when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1.

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.


636348-2 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.

Component: Local Traffic Manager

Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example:

01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.

Conditions:
This issue occurs when all the following conditions are met:

- You have multiple BIG-IP systems in a High Availability (HA) configuration.
- You have configured System Gateway Failsafe.
- You reset device trust.
- You attempt to reload the configuration or reboot the device before recreating the device trust.

Impact:
The configuration may fail to load.

Workaround:
Remove Gateway Failsafe before resetting device trust.


636149-1 : Multiple monitor response codes to single monitor probe failure

Component: Global Traffic Manager (DNS)

Symptoms:
A monitor probe failure to an external monitor (such as HTTP) is logged by 'bigd' to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, and only the *last* entry is the error that triggered the logging. The other monitor entries made during this event are not relevant: they are "stale" and come from earlier monitor probe behavior that was already logged.

This is due to an error where the 'Could not connect' event appends a previous error message, rather than overwriting a possibly-present previous error message.

Conditions:
A monitor probe to an external monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' entry, and ignore any log entries for that specific monitor that may appear immediately above the 'Could not connect' line.


636104 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
Define a temporary pool member with the port actually in use (for example, 80) and delete it afterwards.
Once defined, the member is written to the database and is shown from that point on.
This is only a partial workaround, since it must be repeated for every port used by the traffic.


636031-1 : GUI LTM Monitor Configuration String adding CR for type Oracle

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.


635703-2 : Interface description may cause some interface level commands to be removed

Component: TMOS

Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.

Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.

Impact:
Commands after the description will not appear in the imish running config and will not be loaded/functional.

Workaround:
Do not use interface level descriptions.


635257-3 : Inconsistencies in Gx usage record creation.

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same monitoring key (MK) across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.


634576-2 : TMM core in per-request policy

Component: Access Policy Manager

Symptoms:
TMM might core when a per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


634369-1 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes

Component: Local Traffic Manager

Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.

Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.

Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.

Workaround:
None.


634022-1 : Active Directory authentication with Step-Up-Auth has degraded performance.

Component: Performance

Symptoms:
When using Active Directory to perform Step-Up-Authentication with APM, the number of authentications per second that APM can sustain is lower than what could be achieved with earlier releases. This is observed only on certain high end appliance platforms.

Conditions:
All the following must be true:
- APM is provisioned and configured to provide authentication services via the per-request access policy.
- Active Directory is used as the authentication method.
- A relatively high rate of authentication exists.
- One of the following BIG-IP appliances is in use:
  i108xx
  i78xx
  10xxx

Impact:
Performance in terms of authentications per second is degraded.

Workaround:
None.


633824-1 : Cannot add pool members containing a colon in the node name

Component: TMOS

Symptoms:
You are allowed to create nodes whose name contains a colon. If you later try to add such a node (e.g., 10.1.20.10:80) to a pool, adding it fails with an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon.

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.


633413-2 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
An error referencing an unrelated IPv4 address is returned.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.


633217 : Countries in new DoS visibility tables will appear "N/A" after upgrade

Component: Application Visibility and Reporting

Symptoms:
After upgrade, countries in new DoS visibility tables will appear "N/A" on dashboard page and on the dimension pane on the right. But if you select an HTTP filter, you can sometimes see the countries on the right.

Conditions:
This occurs after upgrading to version 13.0.0 or later.

Impact:
Countries appear as "N/A" in the DoS visibility page.

Workaround:
No workaround.


633181-2 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well tolerated but may be incompatible with some CAs.

Workaround:
Use openssl from the bash command line to generate CSRs.
Solution article K14534 contains the appropriate procedure.


633110-3 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Component: TMOS

Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contain tabs, but the tabs are not quoted when the string is saved to the configuration. This causes the configuration load to fail, with this error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy a monitor send or receive string that contains a tab and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.


631862-5 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, the HTTP2 profile receives neither the response's body nor an indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use the following iRule for the affected URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.


631172-1 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
A user is logged in to the GUI and idle for 20-30 minutes.

Impact:
User is logged out of the GUI.

Workaround:
None.


629915 : Cannot login with Firefox and IE after toggling between wireless and wired networks.

Component: TMOS

Symptoms:
Cannot log into BIG-IP's Web GUI on Firefox and Microsoft Internet Explorer (IE) for the first 3-5 attempts after toggling the host computer's network between wireless and wired connections.

Conditions:
Using Firefox or IE browsers.
Toggling between wired and wireless network connections.

Impact:
BIG-IP shows a "login failed" page in the Web UI. The user cannot log in with correct credentials for 3-5 attempts. Note: The number of attempts may be timing-dependent.

Workaround:
Use any of the following options:
-- Use a Chrome browser.
-- Do not toggle between different networks for internet access (i.e., wired and wireless).
-- Keep trying to log on (i.e., try more than five times, or for a few minutes after toggling between networks).
-- Restart the browser.
-- Clear cookies.


629573 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual servers and ASM policies under a non-'Common' partition, exported reports do not display the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.


629530-6 : Under certain conditions, monitors do not time out.

Component: Global Traffic Manager

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor's interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.


629178-2 : Incorrect initial size of connection flow-control window

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection, but the initial size of the connection flow-control window must be 65,535. BIG-IP erroneously sets it immediately to the configured value instead. The resulting discrepancy in the window size calculation can cause the client's requests to be cancelled.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).


627760-4 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


626589-5 : iControl-SOAP prints beyond log buffer

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can write garbage log text to /var/log/ltm and, because it reads beyond a buffer, can potentially lead to instability.

Workaround:
Do not enable logging with trace level, which is not turned on by default.


625428-2 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit

Component: TMOS

Symptoms:
The F5 BIG-IP local MIB has the wrong value definitions for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit. It defines
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)

Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.

Impact:
Information mismatch between the MIB definition and the reported value.


625098-7 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
The SCTP::local_port iRule command is not supported in MRF events.

Conditions:
MRF events such as MR_INGRESS, MR_EGRESS, and MR_FAILED are used.

Impact:
SCTP::local_port does not work under MR events.


624909-1 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route, the BIG-IP system ensures that there is a self IP on the same interface, but does not check that there is a self IP on that interface using the same IP protocol (IPv4 vs. IPv6). If the route is created while only self IPs of a different IP protocol exist, the system then refuses to delete any self IP on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
To delete the self IPs, you can either:

1) Delete the static route.
or
2) Create a self IP on the same interface that uses the same IP protocol as the static route.


624692-4 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
The SSL Certificate List page displays "An error has occurred while trying to process your request.", or certificate information cannot be viewed via iControl REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.


624635-1 : BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012

Component: TMOS

Symptoms:
BIG-IP doesn't support more than 4 NICs.
As a result of this issue, you may encounter the following symptoms:
- BIG-IP boot time is increased.
- No more than 4 NICs are attached to tmm.
- In the /var/log/boot.log file, you observe messages similar to the following examples:
 + info plymouthd: udev still not settled. Waiting.udevd[367]: worker [380] unexpectedly returned with status 0x0100
 + info plymouthd: udevd[367]: worker [380] failed while handling '/devices/LNXSYSTM:00/device:00/PNP0A03:00/device:08/VMBUS:01/vmbus_11'
 + info plymouthd: udevd[367]: worker [373] unexpectedly returned with status 0x0100

RHEL7.2 (or newer) guests are similarly affected, so this issue is not unique to BIG-IP 7.2 kernels.

The issue is not reproduced on Hyper-V on Windows Server 2012 R2.

Conditions:
This issue occurs when all of the following conditions are met:
- Your hypervisor version is Hyper-V on Windows Server 2012.
- You have more than 4 NICs attached to BIG-IP.

Impact:
BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012.

Workaround:
None.


624626-4 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


624231-3 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause a performance impact.
It can cause memory corruption in some cases.

Conditions:
This issue can happen when there are many connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.


623536-7 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP traps that should notify of RSTs sent because maintenance mode is on are not sent.

Conditions:
Reset cause logging and maintenance mode are enabled.
An SNMP trap destination is configured and routable.

Impact:
SNMP traps are not sent.

Workaround:
Adding a custom trap to /config/user_alert.conf with the special characters escaped works around the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}


623084-5 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp

Component: Local Traffic Manager

Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration had a DHCP virtual server configured with any profile other than /Common/udp.

Conditions:
A DHCP-type virtual server with a profile other than /Common/udp exists in a pre-11.6.0 configuration, and the system is then upgraded to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIG-IP system is not operational until the configuration is changed and loaded.

Workaround:
Before the upgrade, change the profile to /Common/udp.

The same change can be made to the bigip.conf file after the upgrade. Then load the configuration with: tmsh load /sys config


622619-6 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPD CPU utilization is high, which renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPD is killed because it is unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.


621870-1 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.


620556-2 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule

Component: Local Traffic Manager

Symptoms:
Fragmented packets may be transmitted to the clone pool members of a virtual server that is also forwarding its traffic to another virtual server.

Conditions:
One virtual server is configured to forward traffic to another one using an iRule, e.g.:

when CLIENT_ACCEPTED {
  virtual another_virtual
}

The forwarding virtual server must also have a clone pool configured.

Impact:
Fragmented packets are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.


619844-3 : Packet leak if reject command is used in FLOW_INIT rule

Component: Local Traffic Manager

Symptoms:
TMM memory usage (packets) increases steadily over time.

Conditions:
The 'reject' command is used in a FLOW_INIT rule.

Impact:
Packet leak over time will consume TMM memory.

Workaround:
Do not use the reject command in a FLOW_INIT iRule.


618595 : Duplicate SQL monitors updating pool member status incorrectly

Component: Local Traffic Manager

Symptoms:
If you have two identical SQL monitors, this can cause pool members to be incorrectly marked down.

Conditions:
This occurs if you have more than one identical SQL monitor for a pool.

Impact:
Pool members may be incorrectly marked down.

Workaround:
Ensure you only have one SQL monitor associated with a pool.


618463-4 : Artificially low route MTU can cause SIGSEGV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low MTU, tmm can crash repeatedly.

Conditions:
See Symptoms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure the correct MTU on the route.


618222-1 : Loop detection implementation logic violates branch parameter compliance with RFC 3261

Component: Service Provider

Symptoms:
Branch parameter compliance with RFC 3261 dictates that the ACK for a non-2xx response has the same branch ID as the INVITE whose response it acknowledges.
However, in BIG-IP, if loop detection is enabled, the branch parameter value differs.

Conditions:
This occurs when the loop detection flag is enabled in the sipsession object.

Impact:
The branch parameter value differs between the INVITE and the ACK for a non-2xx response, even though they are part of the same transaction. This violates RFC 3261.

Workaround:
Disable the loop detection flag in the sipsession object.


617578 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Component: TMOS

Symptoms:
On a BIG-IP system provisioned with LTM only, the RADIUS profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and the Configuration utility.

Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.

Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
    app-service none
    defaults-from radiusLB
}

However, viewing the profile in the Configuration utility under Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware shows:
Settings field                          Custom checkbox
Persist Attribute                       disabled
Subscriber Discovery                    enabled
Client Spec                             disabled
Protocol Profile (_sys_radius_proto_imsi)  enabled

On a device that does not have PEM licensed, the Protocol Profile should be set to None but shows as enabled.


617324-1 : Service health calculation creates unjustified CPU utilization

Component: Anomaly Detection Services

Symptoms:
When ASM is provisioned, service health is calculated and published to all virtual servers with a security profile, even if stress-based detection is not configured.

Conditions:
AFM is provisioned and hundreds of virtual servers are configured with a security profile.

Impact:
High CPU utilization.

Workaround:
None.


616021-6 : Name Validation missing for some GTM objects

Component: TMOS

Symptoms:
BIG-IP fails to load GTM Configurations where names of some objects contain a control character.

Conditions:
User creates a GTM object with a control character in the name.

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating GTM objects.


615222-2 : GTM configuration fails to load when it has gslb pool with members containing more than one ":"

Component: Global Traffic Manager (DNS)

Symptoms:
GTM Virtual Servers or GTM Servers containing a colon ":" in their name throw errors when you attempt to use them as a GTM Pool Member through TMSH. If created through TMUI and the configuration is then saved and loaded, the same error is thrown.

Example error:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
1. Create a virtual server whose name has the format <IP>:<PORT>.
2. Attempt to add this virtual server as a GTM Pool Member.

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.


612086 : Virtual server CPU stats can be above 100%

Component: TMOS

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.


609967-1 : qkview missing some HugePage memory data

Component: TMOS

Symptoms:
Some HugePage status data is missing from qkview if the contents of /proc/meminfo do not list a units column for the HugePage data.

Conditions:
/proc/meminfo file does not list units for HugePage data.

Impact:
HugePage data is missing from qkview diagnostics file.

Workaround:
Separately provide /proc/meminfo file.


606799-5 : GUI total number of records not correctly initialized with search string on several pages.

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
The GUI shows that there are two pages, but advancing to the second page shows an empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.


605840-6 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.


604547-4 : Unix daemon configuration may be lost or not be updated upon reboot

Component: TMOS

Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.

A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.

Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.

Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.

For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.

Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.

For example:
tmsh modify sys db log.clusterd.level value "Informational"

This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).

For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.


603681 : Updating pool members using iControl REST "PUT" resets monitors

Component: Local Traffic Manager

Symptoms:
Issuing an iControl REST call using 'PUT' on a pool results in a "replace-all-with" behavior that deletes and recreates the pool members with the specified attributes, and uses system-defaults for unspecified attributes. This delete-and-replace behavior causes the monitor status to reset to 'unchecked' for the newly-created pool members; and if health monitors are applied to pool members, the status will eventually transition based on health checks (e.g., to "up" or "down").

This behavior may be surprising if the user expected the iControl REST call using 'PUT' on a pool to leave the monitor status unchanged for individual pool members.

Conditions:
Issuing an iControl REST call using 'PUT' to modify a pool.

Impact:
The iControl REST 'PUT' method on a collection overwrites all the members of that collection (e.g., all the members are deleted and re-created using the information provided).

Because modifying a pool using 'PUT' causes all the pool members to be deleted and recreated, each pool member health status reverts to 'unchecked' (because the pool member is newly-created). If health monitor(s) are applied to pool members, then each pool member will eventually transition to a new status based on the result of subsequent health checks (e.g., to "up" or "down").

Workaround:
Use the iControl REST 'PATCH' method to individually modify members of a pool. This method is "safe" in that it will modify only that pool member, and the monitor health status will persist (based on its previous state and any associated health monitors).

Note: You should generally prefer 'PATCH' over 'PUT' for iControl REST calls to modify collections. Using 'PATCH' will (safely) modify individual pool members, while using 'PUT' on the pool will cause "replace-all-with" to delete-and-recreate pool members (thereby resetting individual pool member health status).


603380-7 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
ICMP unreachable packets.

Impact:
Very large number of log messages in /var/log/ltm.

Workaround:
None.


602708-3 : Traffic may not pass through CoS by default

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, traffic being forwarded by TMM may not pass through the CoS value it received.

Conditions:
IP forwarding Virtual server.
Traffic received with priority other than 3.

Impact:
Traffic is set to priority 3 and may cause issues on other networking devices.

Workaround:
Create a default Class of Service configuration or apply QoS settings in the FastL4 profile.


601727 : Some FQDN nodes are not correctly created

Component: Local Traffic Manager

Symptoms:
When an FQDN node resolves to multiple addresses, the nodes for the resolved-addresses may not be correctly created.

Conditions:
An FQDN node resolves to multiple addresses, and the DNS resolution returns only a subset of the addresses in the address pool instead of all of them.

Impact:
Some addresses returned by the DNS resolution may cause the node to disappear from the BIG-IP system.

Workaround:
Set up the DNS server to always return all the addresses; in other words, the DNS resolution should be stable.


600836 : Manager role functions differently in GUI and CLI.

Component: Advanced Firewall Manager

Symptoms:
The restriction of "Manager role" is different in GUI and CLI. Specifically:

  GUI - Manager role can't modify security policy of virtual server.
  CLI - Manager role can modify security policy of virtual server.

Conditions:
Using GUI and CLI with Manager role user account.

Impact:
Differing roles make usage confusing.

Workaround:
None.


600458-1 : TCP resets occurring under high load

Component: Performance

Symptoms:
When a BIG-IP is under a high load, a large number of TCP resets occurs. This affects flow teardown only. Some of those resets are due to spurious retransmissions of client or server FINs. Some are due to ePVA reordering the client's final ACK with the FIN.

Conditions:
A BIG-IP is under a high load.

Impact:
Possible minimal performance loss.

Workaround:
Configure a small time-wait, for example, 0.5.


599048-5 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None


598650-5 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.


598437-2 : SNMP process monitoring is incorrect for tmm and bigd

Component: TMOS

Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".

snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running

Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".

The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.

Impact:
SNMP monitoring of system health incorrectly reports error conditions.

Workaround:
For the 'bigd' problem, the administrator can change the process-monitor max-processes setting to allow for more instances of "bigd". For example:

(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }

max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.

There is no viable workaround for the tmm process count problem.
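Added example, not from the release note: a small Python triage helper that parses the snmpwalk prErrMessage output shown above and separates the two messages this known issue produces from anything else the process monitor reports. The sample walk output is constructed (index 5 is a made-up genuine alert). One caveat a practitioner should keep in mind: because the affected releases cannot count tmm at all, suppressing 'No tmm process running' also hides a real tmm outage, so tmm health needs to be watched by some other means.

```python
import re

_PR_ERR_RE = re.compile(r"^UCD-SNMP-MIB::prErrMessage\.(\d+)\s*=\s*STRING:\s*(.*)$")

# Messages that known issue 598437 produces on a healthy system.
KNOWN_FALSE_POSITIVES = (
    re.compile(r"^Too many bigd running\b"),
    re.compile(r"^No tmm process running$"),
)

# Constructed sample of 'snmpwalk -c public -v 2c localhost prErrMessage'.
SAMPLE_WALK = """\
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
UCD-SNMP-MIB::prErrMessage.2 = STRING:
UCD-SNMP-MIB::prErrMessage.5 = STRING: No mcpd process running
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running
"""


def parse_pr_err(walk_output):
    """Map prErrMessage index -> non-empty message text."""
    messages = {}
    for line in walk_output.splitlines():
        m = _PR_ERR_RE.match(line.rstrip())
        if m and m.group(2).strip():
            messages[int(m.group(1))] = m.group(2).strip()
    return messages


def triage(walk_output, known=KNOWN_FALSE_POSITIVES):
    """Split messages into (actionable, suppressed_by_598437) dictionaries."""
    actionable, suppressed = {}, {}
    for idx, msg in parse_pr_err(walk_output).items():
        target = suppressed if any(p.match(msg) for p in known) else actionable
        target[idx] = msg
    return actionable, suppressed


if __name__ == "__main__":
    real, noise = triage(SAMPLE_WALK)
    for idx, msg in real.items():
        print(f"ALERT prErrMessage.{idx}: {msg}")
    for idx, msg in noise.items():
        print(f"known-issue 598437, ignored prErrMessage.{idx}: {msg}")
```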


592870-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
If the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate that allows each configuration modification to complete before the next one is issued.


591732-1 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.


588752-1 : APM Login Performance may be degraded

Component: Performance

Symptoms:
A high number of logins per second can cause increased latency. The actual login rate that can cause the increased latency depends on the Access Policy configuration and network characteristics. In a typical configuration and network setup, you should not observe noticeable latency if logins per second is less than a few hundred.

Conditions:
Very high rate of login requests. More noticeable if the login-per-second rate is more than several hundred.

Impact:
End users will experience slower login or login failure.

Workaround:
None.


587821 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


586621 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


585043-1 : Question mark prevents TMSH from loading configuration file

Component: TMOS

Symptoms:
When TMSH loads the system configuration, if some properties have a bare question mark as their value, the load fails to complete.

Conditions:
-- Use TMSH to load configuration.
-- A string or vector-of-string property has ? as its value.
-- The ? is a standalone value, i.e., it has no characters before or after it and is not part of a longer string.

Impact:
TMSH fails to load system configuration file

Workaround:
None.


583930-1 : Virtual Edition supports only 2 numa domains

Component: TMOS

Symptoms:
VMware ESX version 5.5 and greater can expose NUMA topology to guests, sometimes exposing more NUMA nodes than the two numa nodes supported by Virtual Edition. This causes a TMM core, with the following error message in /var/log/tmm:

"sys_get_numa_info: <N> exceeds max nodes of 2"

Conditions:
BIG-IP Virtual Edition running on VMware ESX 5.5 or greater, with 16 vCPUs configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In VMware ESX, modify the guest hardware configuration to present a maximum of two sockets to the Virtual Edition guest. For example, if you configure an 8-CPU VM, set Cores per Socket to 4.


583306 : Using management port as config sync address might allow its deletion.

Component: TMOS

Symptoms:
If you assign the management port as a config sync address, it's possible to delete the management port without complaint. This causes quite a few problems in multiple places (updating the sys_device, adding devices to trust, etc.)

Conditions:
The management-ip is configured as a config sync address.

Impact:
Can delete management-ip.

Workaround:
None, other than do not delete management-ip when it's configured as a config sync address.


583272-3 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

A packet capture shows the root cause: APM sends an HTTP 302 redirect with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.
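Added example, not from the release note: a Python check that flags a Location header whose bracketed host is not an IPv6 address (RFC 3986 reserves "[...]" for IP-literals), so the malformed redirect described above can be spotted in a capture or proxy log. The sample 302 response head is constructed; the check also accepts ordinary DNS names, IPv4 literals and bracketed IPv6 literals with or without a port.

```python
import ipaddress
import re

# scheme "://" [userinfo "@"] authority   (RFC 3986, section 3.2)
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://(?:[^@/?#]*@)?([^/?#]*)")
_REG_NAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9\-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9\-]*[A-Za-z0-9])?)*\.?$"
)
_PORT_RE = re.compile(r"^\d{1,5}$")

# Constructed response head reproducing the 583272 symptom.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://[login.example.com]/my.policy\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def check_location_host(location):
    """Return (ok, detail) for the host in a Location header value."""
    m = _AUTHORITY_RE.match(location.strip())
    if not m:
        return True, "relative reference (no host to check)"
    authority = m.group(1)

    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            return False, "unterminated IP-literal"
        literal, rest = authority[1:end], authority[end + 1:]
        try:
            ipaddress.IPv6Address(literal.split("%", 1)[0])  # tolerate a zone id
        except ValueError:
            return False, f"bracketed host '{literal}' is not an IPv6 address"
        if rest and not (rest.startswith(":") and _PORT_RE.match(rest[1:])):
            return False, f"unexpected text after IP-literal: '{rest}'"
        return True, "IPv6 literal"

    if authority.count(":") > 1:
        return False, "bare IPv6 address must be enclosed in brackets"
    host, _, port = authority.partition(":")
    if port and not _PORT_RE.match(port):
        return False, f"bad port '{port}'"
    try:
        ipaddress.IPv4Address(host)
        return True, "IPv4 literal"
    except ValueError:
        pass
    if _REG_NAME_RE.match(host):
        return True, "DNS name"
    return False, f"invalid host '{host}'"


def scan_response_head(raw_head):
    """Return [(location_value, detail)] for every invalid Location header."""
    bad = []
    for line in raw_head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            ok, detail = check_location_host(value.strip())
            if not ok:
                bad.append((value.strip(), detail))
    return bad


if __name__ == "__main__":
    for location, detail in scan_response_head(SAMPLE_302):
        print(f"bad redirect: {location} ({detail})")
```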


583084-4 : iControl produces 404 error while creating records successfully

Component: TMOS

Symptoms:
iControl produces 404 error while creating gtm topology record successfully.

Conditions:
Creating gtm topology record without using full path via iControl.

Impact:
Result code/information is not compatible with actual result.

Workaround:
Use full path while creating gtm topology record using iControl.


582606 : IPv6 downloads stall when NA IPv4&IPv6 is used.

Component: Access Policy Manager

Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.

Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource

Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.

Workaround:
Disabling large receive offload might work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


582595-4 : default-node-monitor is reset to none for HA configuration.

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.


582331 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


581851 : mcpd, interleaving of messages / folder contexts from primary to secondary blade

Component: TMOS

Symptoms:
MCPD on secondary blades restarts with a configuration error.

Conditions:
Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
Issuing commands as part of a transaction helps reduce the chance of hitting this issue, but it may still occur during the normal course of running commands in succession in a single ssh session.


580697-1 : VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.

Component: TMOS

Symptoms:
After a FPGA firmware switch on VIPRION 2200 platforms without a system reboot, some internal higig ports might not operate properly.

Conditions:
Using tmsh or GUI to switch FPGA firmware on VIPRION 2200 platforms.

Impact:
This might result in the system not handling traffic properly.

Workaround:
After any FPGA firmware switch, reboot the entire chassis by running the following command: clsh reboot.


579760 : HSL::send may fail to resume after log server pool member goes down/up

Component: TMOS

Symptoms:
High speed logging: asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing. For a period of time after the logging node comes back up, logging events will fail to be sent. Sometimes it never recovers and tmm needs to be restarted.

Impact:
While this condition occurs, HSL::send events will not be sent to the log server.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.


579252 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}

ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}

Impact:
Traffic can be directed to less specific virtual server

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.


574160-7 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.


571333-7 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established"


570281 : Cannot modify 'ip-address' attribute of static ARP / NDP entries

Component: Local Traffic Manager

Symptoms:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry results in the following error:
Syntax Error: 'ip-address' may not be specified in the context of the 'modify' command. 'ip-address' may be specified using the following commands: create, list, show

Conditions:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry.

Impact:
Note: Starting in 11.6.0, the 'ip-address' attribute of an ARP/NDP record can no longer be modified. This is as-designed functionality. However, the BIG-IQ SCVMM plugin fails to work properly as a result, which might impact some configurations. For example, when the LTM gateway device is running versions later than 11.5.3, it could fail because the syntax that worked in 11.5.3 no longer works in 11.6.0 and later.

Workaround:
None.


569316-4 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
None.


567490-1 : db.proxy.__iter__ value is overwritten if it's manually set

Component: TMOS

Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.

Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.

Impact:
BIND Forwarder Server List values do not persist.

Workaround:
Use the GUI to change the BIND Forwarder Server List values.


565603 : Large number of static ARP entries on a BIG-IP system

Component: TMOS

Symptoms:
Many static arp entries for 127.20.X.X network are set for the 'tmm_bp' device on a running BIG-IP system. These will appear with any command that displays the kernel arp table, such as the 'arp' command.

Conditions:
-- Any platform with any set of modules provisioned.
-- Running a command that displays the kernel arp table (for example, the 'arp' command).

Impact:
This is a cosmetic issue only. 'arp -an' will return over 520 entries.

Workaround:
None needed. This is cosmetic.


563689-1 : ZebOS configuration cannot be loaded via imish when service password-encryption is set

Component: Local Traffic Manager

Symptoms:
When "service password-encryption" is configured in ZebOS, encrypted passwords cannot be loaded through imish. imish will print "% Invalid input detected at '^' marker." and the password will not be loaded.

Conditions:
Dynamic routing is configured with "service password-encryption" in ZebOS config file or running config, run "imish -f <file>" or paste encrypted password into imish.

Impact:
ZebOS configuration will be incompletely loaded.

Workaround:
The config will be properly read if tmrouted is restarted. Restarting tmrouted will interrupt all dynamic routing.

The config can also be loaded without restarting tmrouted by configuring the cleartext passwords manually. They will be encrypted when the configuration is saved.


562267 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.


558893-4 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT

Component: Local Traffic Manager

Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.

Conditions:
An FTP virtual server is configured with an FTP profile that has inherit-parent-profile disabled.
A client issues EPRT and then PORT commands referring to the same IP address and port.

Impact:
TMM may reset the connection in some cases.

Workaround:
Change the ftp profile to enable the inherit-parent-profile option.


552444-3 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable, and the session variable is received from LDAP/AD.

Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"

Impact:
Dynamic drive mapping may not function.

Workaround:
For example, when the session.ad.last.attr.homeDirectory attribute value is used for the drive mapping, assign a variable that strips the extra backslashes added by APM:

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]


550739-3 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated

Component: TMOS

Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.

Conditions:
Must use the 'mv' command on an ltm virtual with iRules.

Impact:
Configuration is not as expected.

Workaround:
After moving the virtual, remove the iRules on it and re-add them.


549927-1 : iRule validation does not check RULE_INIT/virtual are disallowed in proc calling

Component: Local Traffic Manager

Symptoms:
iRule validation does not reject the 'virtual' command when it is reached from the RULE_INIT event through a proc call, even though 'virtual' is disallowed in RULE_INIT.

Conditions:
A proc that contains the 'virtual' command is called from the RULE_INIT event.

Impact:
The iRule passes validation when it should not.

Workaround:
Do not call the 'virtual' command inside a proc.


547692-4 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, the BIG-IP system cannot set the machine account password for the machine account it has just created. In addition, the BIG-IP system fails to report this failure back to the administrator.

Because the machine account itself is created successfully on the Active Directory side (account creation uses LDAP with Kerberos GSS-API SASL binding), but without the correct password, and because the BIG-IP system does not report the KPASSWD failure, the domain join operation appears to have worked perfectly.

However, because the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server due to the password mismatch. Since an administrator is not permitted to set the machine account password directly, and since the Active Directory server never receives the KPASSWD request and therefore logs no failure, nothing on either side exposes the problem; from the administrator's point of view the domain join succeeded.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL, which prevents the NTLM authentication feature from working.

Workaround:
Allow KPASSWD traffic (tcp/464 and udp/464) to reach the Active Directory server.


544906-4 : Issues when using remote authentication when users have different partition access on different devices

Component: TMOS

Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.


543208-2 : Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
-- Some systems in the trust are running a pre-12.x version of TMOS.
-- Some systems in a device group have been upgraded to 12.x.
-- A failover event occurs on traffic-group-1.
-- This appears to be most evident in APM configurations.

Impact:
mcpd on the devices running pre-12.x version may become unresponsive. Upgrade fails.

Workaround:
None.


542347-3 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.


539026-4 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be more clear if there were one dropped packets stats for the system, and another specifically for Unhandled. And also add stats for Allow packets under Unhandled.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.


535717 : Password history is not enforced when root, Administrator, or User Manager changes another user's password

Component: TMOS

Symptoms:
When logged in as root, or as a user with Administrator or User Manager role, an attempt to change a user's password will succeed, even if the new password is in password history. (An ordinary user changing their own password will be prevented from making this change.)

Conditions:
password-memory field of auth password-policy set to nonzero value

Impact:
Privileged users might circumvent the password history restriction.

Workaround:
To mitigate this, you should only permit management access to BIG-IP systems over a secure network, and limit shell access to trusted users.
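The following Python audit is an added example, not code from the release note or from F5. It covers this item together with 591732 (local password policy not enforced when the auth source is remote): it parses constructed 'tmsh list auth source' and 'tmsh list auth password-policy' output and reports whether either known issue applies to the device. The defaults it compares against (minimum-length 6, max-duration 99999 days) are the ones quoted under 591732, and password-memory 0 is taken to mean no history is kept, matching the condition stated above; the sample output, the property names shown in it, and the treatment of every auth source type other than 'local' as remote are assumptions.

```python
import re

# Defaults quoted in the 591732 description; password-memory 0 = no history kept.
POLICY_DEFAULTS = {"minimum-length": 6, "max-duration": 99999, "password-memory": 0}

# Constructed sample output of 'tmsh list auth source' and
# 'tmsh list auth password-policy' for a device with a hardened policy.
SAMPLE_AUTH_SOURCE = """\
auth source {
    type ldap
}
"""
SAMPLE_POLICY = """\
auth password-policy {
    expiration-warning 7
    max-duration 90
    max-login-failures 3
    minimum-length 12
    password-memory 5
    policy-enforcement enabled
}
"""


def parse_tmsh_block(text, kind):
    """Return {property: value} for the first 'kind { ... }' block in tmsh output."""
    pattern = r"^\s*" + re.escape(kind) + r"\s*\{[^\n]*\n(.*?)^\s*\}"
    m = re.search(pattern, text, re.S | re.M)
    if not m:
        return {}
    props = {}
    for line in m.group(1).splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props


def audit_password_policy(auth_source_text, policy_text):
    """Return [(issue_id, finding)] for known issues 591732 and 535717."""
    auth_type = parse_tmsh_block(auth_source_text, "auth source").get("type", "local")
    policy = parse_tmsh_block(policy_text, "auth password-policy")
    findings = []

    # 591732: with a remote auth source, non-default local policy values are
    # silently not enforced for local users (assumption: anything but 'local'
    # counts as remote).
    changed = {
        k: int(policy[k])
        for k in POLICY_DEFAULTS
        if k in policy and int(policy[k]) != POLICY_DEFAULTS[k]
    }
    if auth_type != "local" and changed:
        findings.append(
            ("591732", f"auth source type '{auth_type}' is remote; {changed} not enforced for local users")
        )

    # 535717: with password-memory set, root, Administrator and User Manager can
    # still set another user's password to one in that user's history.
    if int(policy.get("password-memory", 0)) > 0:
        findings.append(("535717", "password-memory is set but privileged users can bypass history"))
    return findings


if __name__ == "__main__":
    for issue_id, finding in audit_password_policy(SAMPLE_AUTH_SOURCE, SAMPLE_POLICY):
        print(f"{issue_id}: {finding}")
```

On a real device, feed the function the output of the two tmsh commands; a device that matches 591732 should not be assumed to enforce any local password rule until it is upgraded to a release that fixes it.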


530927-7 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed than their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, then re-add them all at the same time.


530530-5 : [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected

Component: TMOS

Symptoms:
The tmsh 'show sys log' command does not work as expected with the 'range' filter.

Conditions:
Use range filter for 'tmsh show sys log'.

Impact:
tmsh does not filter the log correctly with the 'range' filter.

Workaround:
Specify a range of at least 8 hours around the time of interest.


528314 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh

Component: TMOS

Symptoms:
New default certificate and key pairs generated for BIG-IP SSL profiles from the CLI are not reflected in the GUI or in tmsh.

Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.

Impact:
After the renewal, the 'tmsh list sys file ssl-cert default.crt' command and the General Properties in the GUI SSL Certificate List still show the old certificate. This is a cosmetic issue only; the system uses the new default.

Workaround:
Perform a force reload of mcpd by running the following commands:
touch /service/mcpd/forceload
tmsh restart sys service mcpd


528295-11 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
A 10.x UCS contains LTM virtual servers with ARP disabled. Loading the 10.x UCS on an 11.4.x or later system flips the ARP and ICMP echo setting values each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo field of the virtual address is flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


527119-5 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.

Conditions:
The body of a dynamically created iframe document can be initialized asynchronously after APM rewriting. The issue is specific to the Chrome browser and results in JavaScript errors in code of the following kind:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One of the applications known to contain such code and to fail after APM rewriting is the TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.


523985-1 : Certificate bundle summary information does not propagate to device group peers

Component: TMOS

Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.

Conditions:
A certificate file is created in a folder synced to a device group.

Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.

Workaround:
None.


523797-1 : Upgrade: file path failure for process name attribute in snmp.

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.


520877-2 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.


519612-2 : JavaScript challenge fails when coming within iframe with different domain than main page

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge fails when it is served inside an iframe whose domain differs from that of the main page.

Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
  a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
  b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
  c. Device-ID (fingerprint)
  d. Web Scraping Bot Detection Challenge
  e. Proactive Bot Defense (with/without "Block Suspicious Browsers")

Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.

Workaround:
It is possible to work around the problem using Proactive Bot Defense (DoS profile) and iRules.
This works even if the problem is in Web Scraping and a DoS profile was not previously used.

The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.

1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
   a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
   b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
   c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        # Extract the host part of the Referer header, if there is one.
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        # Troubleshooting only: this logs every request, so remove it once the workaround is confirmed.
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        # A request referred from another domain is the cross-domain (iframe) case:
        # do not issue the client-side challenge for it; the challenge runs on the main page (see note 1).
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            BOTDEFENSE::cs_allowed true
        }
    }
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.


517829 : BIG-IP system resets client without sending error report when certificate is revoked

Component: TMOS

Symptoms:
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.

Conditions:
BIG-IP system configured for OCSP authentication.

Impact:
Client connections are reset without sending SSL error alerts.

Workaround:
Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule. It differs from the system iRule in the 'revoked' branch of AUTH_RESULT, which writes a fatal TLS alert record (content type 0x15, alert level 2, description 0x2C certificate_revoked) to the client before closing the connection instead of resetting it. Note that in Tcl an 'elseif' must follow the closing brace of the preceding block on the same line; the branches below are written that way.

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}


when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] == 0} {
        return
    }
    # Remember the negotiated protocol version; the alert record must carry it.
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    # Pause the handshake until the OCSP result arrives.
    SSL::handshake hold
}


when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}


when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            # OCSP reports the certificate as good: let the handshake continue.
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            # Build a TLS alert record for the negotiated version:
            # 0x15 (alert), version, length 0x0002, level 0x02 (fatal), description 0x2C (certificate_revoked).
            if { $ssl_version equals "TLSv1.2" } {
                set hex_version "0303"
            } elseif { $ssl_version equals "TLSv1.1" } {
                set hex_version "0302"
            } elseif { $ssl_version equals "TLSv1.0" } {
                set hex_version "0301"
            } else {
                # Unknown version: fall back to a reset and stop here, so hex_version is never used unset.
                reject
                return
            }
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond $bin_response
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}
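To see exactly what the seven bytes written by TCP::respond above are, the following Python builds and decodes the alert record for each version the iRule handles. It is an added example, not part of the page or of F5's iRule; the alert-name table and the helper names are mine, and the version table is the same mapping the iRule uses.

```python
import struct

# Added example (not the page's iRule): build and decode the TLS alert record
# that the workaround above writes to the client with TCP::respond.
TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
CONTENT_TYPE_ALERT = 0x15
LEVEL_WARNING, LEVEL_FATAL = 1, 2
ALERT_CERTIFICATE_REVOKED = 44  # 0x2C, RFC 5246 section 7.2
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    48: "unknown_ca",
}


def build_alert(version_name, description=ALERT_CERTIFICATE_REVOKED, level=LEVEL_FATAL):
    """Return the 7-byte record: type(1) version(2) length(2) level(1) description(1)."""
    try:
        version = TLS_VERSIONS[version_name]
    except KeyError:
        # Same policy as the iRule's final 'else': no alert for versions it does not know.
        raise ValueError("unsupported version: %s" % version_name)
    body = bytes([level, description])
    return struct.pack("!BHH", CONTENT_TYPE_ALERT, version, len(body)) + body


def parse_alert(record):
    """Decode an alert record; raises ValueError on anything malformed."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("content type 0x%02x is not alert" % ctype)
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = record[5], record[6]
    name = {v: k for k, v in TLS_VERSIONS.items()}.get(version, "unknown")
    return {
        "version": name,
        "fatal": level == LEVEL_FATAL,
        "description": description,
        "name": ALERT_NAMES.get(description, "unknown"),
    }


def irule_hex(version_name):
    """The exact hex string the iRule assembles as "15${hex_version}0002022C"."""
    return build_alert(version_name).hex().upper()


if __name__ == "__main__":
    for v in TLS_VERSIONS:
        rec = build_alert(v)
        print(v, rec.hex(), parse_alert(rec))
```

The record goes out unencrypted, which is why the iRule can write it with a plain TCP::respond: the handshake is still held at the client-certificate step, before the client's ChangeCipherSpec, so the client expects plaintext records and will surface the alert as a certificate_revoked error rather than a bare connection reset.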


517609-4 : GTM Monitor Needs Special Escape Character Treatment

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
 
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
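The workaround relies on two stages of interpretation: the monitor first replaces \x5C with a literal backslash, and only then hands the string to the regex compiler. The following Python is an added example that emulates that two-stage handling on constructed monitor responses; it is not F5 code, the replacement step is an assumption based on the description above, and Python's re module has no POSIX bracket classes, so the [:digit:] part of the workaround is not emulated.

```python
import re

# Added example (not F5 code): emulates the two-stage interpretation the
# workaround relies on. Assumption: the monitor replaces \xHH with the byte it
# names before the string reaches the regex compiler, as described above.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def expand_hex_escapes(expr):
    """Turn '\\x5C' into a real backslash (and any other \\xHH into its byte)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), expr)


def monitor_matches(receive_string, data):
    """Search received bytes the way the monitor would, after escape expansion."""
    pattern = expand_hex_escapes(receive_string).encode("latin-1")
    return re.search(pattern, data) is not None


# Constructed responses: one genuine, one that a bare '.' accepts by mistake.
GOOD_RESPONSE = b"HTTP/ 1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
LOOKALIKE_RESPONSE = b"HTTP/ 1x1 200 OK\r\nContent-Length: 0\r\n\r\n"


def compare_receive_strings():
    """(unescaped matches lookalike, escaped matches lookalike, escaped matches good)."""
    return (
        monitor_matches("HTTP/ 1.1", LOOKALIKE_RESPONSE),
        monitor_matches(r"HTTP/ 1\x5C.1", LOOKALIKE_RESPONSE),
        monitor_matches(r"HTTP/ 1\x5C.1", GOOD_RESPONSE),
    )


if __name__ == "__main__":
    print("expanded:", expand_hex_escapes(r"HTTP/ 1\x5C.1"))
    print("unescaped/escaped-lookalike/escaped-good:", compare_receive_strings())
```

The first tuple element is the false positive that matters for monitoring: an unescaped period marks a member up on any byte in that position, so a receive string with an unescaped metacharacter is weaker than it looks rather than merely broken.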


516280-3 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516167-1 : TMSH listing with wildcards prevents the child object from being displayed

Component: TMOS

Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results returned may not include the nested objects contained within the parent object.

For example, the 'list ltm pool*' command prints all pools whose names begin with 'pool', but fails to list the objects nested within each pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier

Workaround:
None.


513310-2 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.


505037 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.


499348-6 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This can occur when the system is spawning/reaping processes on a frequent basis (e.g., a large number of external monitors).

This can also occur if iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server, as this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis.

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures, which depends on what is triggering them. For instance, reduce the frequency of configuration changes, or the use of 'SSL::profile' in iRules (if those are the trigger), or reduce the number/frequency of processes being spawned by the system (if that is the trigger).

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. This can be done by setting the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge


486735 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. The maximum connections statistic reports the sum of the per-TMM maximums, not the maximum concurrent connections for the virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


477992-4 : Instance-specific monitor logging fails for pool members created in iApps

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.


477786 : Inconsistent behavior sending RST on self IP with Port Lockdown None

Component: Local Traffic Manager

Symptoms:
Depending on the release, sending a SYN packet to a self IP address with Port Lockdown set to Allow None might respond to the SYN with a RST packet, or might silently drop the SYN.

Conditions:
With Port Lockdown configured to Allow None, the LTM behaves differently upon receiving a SYN packet depending on the version. In 11.2.1 HF16, 11.3.0, and 11.4.1, the LTM replies to the SYN with a RST.

In 11.4.0, and in all other versions of the BIG-IP software, the LTM does not reply; the SYN is silently rejected.

Impact:
Inconsistent behavior based on version: sometimes a RST in response to a SYN on a closed port, and sometimes nothing (the SYN is silently rejected). Because the traffic is not allowed in either case, there is no fundamental impact; this is primarily a behavioral difference between releases.

Workaround:
None.


469366-4 : ConfigSync might fail with modified system-supplied profiles

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following:
1. Manually replicate the changes to the base profile on the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsynchronized changes on the other system.


469035-1 : A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault

Component: TMOS

Symptoms:
If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails.

Conditions:
An empty string is stored as an encrypted configuration item. The failure might occur when using the tmsh command 'modify /sys crypto master-key', or during the introduction of a device into a Trust Domain.

Impact:
The rekey operation fails, and the system posts an error similar to the following: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure.

Workaround:
Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.


468505-1 : TMSH crypto commands do not work with the TMSH batch mode

Component: TMOS

Symptoms:
tmsh crypto commands will fail when executed in tmsh batch mode.

Conditions:
tmsh batch mode and 'sys crypto' commands.

Impact:
tmsh crypto commands will fail when executed in tmsh batch mode.

Workaround:
Run the tmsh 'sys crypto' commands outside of a 'cli transaction', i.e., not in batch mode.


462043-3 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.


455066-3 : Read-only account can save system config

Component: TMOS

Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.

Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.

Impact:
Read-only users are able to run save sys config in tmsh.


454640-1 : mcpd instances on secondary blades might restart on boot

Component: Local Traffic Manager

Symptoms:
Secondary blades' mcpd instances might restart on boot.

Conditions:
This might occur intermittently on VIPRION bladed systems or vCMP guests. It might be the result of a race condition between the syncing of /config between the blades and the start of the mcpd process.

Impact:
The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present.

Workaround:
This issue has no workaround at this time.


449158 : Using an iRule nexthop to "vlan:mac address" does not forward the packet

Component: Local Traffic Manager

Symptoms:
iRule: nexthop to 'vlan:mac address' does not forward the packet.

Conditions:
HTTP request to a port 80 virtual server with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN.

Impact:
Packet forwarding does not occur.

Workaround:
None.


440572-1 : Empty X-WA-Surrogate header in WAM symmetric deployment

Component: WebAccelerator

Symptoms:
In WAM symmetric deployment, the X-WA-Surrogate header is used to communicate OWS lifetime values from the central device to the remote. In some cases, an empty X-WA-Surrogate header may be sent.

Conditions:
Occurs when central originates a 304 response when the original response from OWS does not contain cache-control headers.

Impact:
This occurs only when OWS sends no cache-control headers, so the remote still computes the correct lifetime, making the impact minimal.

Workaround:
None.


435419-2 : Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Component: Access Policy Manager

Symptoms:
Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current epsec file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the epsec file completely, and try the installation again.


419345-1 : Changing Master Key on the standby might cause secondaries to restart processes

Component: TMOS

Symptoms:
Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes.

Conditions:
This occurs when you modify the master key on standby chassis.

Impact:
Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log.

Workaround:
Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.


396273-1 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.


381258-7 : 'with' statement in web applications works wrong in some cases

Component: Access Policy Manager

Symptoms:
Web-application misbehavior (exception, wrong rendering, and so on).

Conditions:
If the JavaScript 'with' operator is used in web-application code and, after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:

...F5_Inflate_xxxxx(F5_ScopeChain,...

...F5_Deflate_xxxxx(F5_ScopeChain,...

...F5_Invoke_xxxxx(F5_ScopeChain,...

then this issue may occur.

Impact:
Web-application functionality is affected.

Workaround:
As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as workaround.


378967-12 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


375434 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization, which occurs when the BIG-IP system reboots; the reboot is triggered automatically when this condition occurs.

Workaround:
None.


307037-2 : Dynamic Resources Are Assigned But Not Accessible

Component: Access Policy Manager

Symptoms:
Resources appear assigned in session record but are not accessible by the client.

Conditions:
This issue occurs if the resources are assigned via Variable Assign agent.

Impact:
Resources are unavailable to client.

Workaround:
In the VPE, add a branch containing a Resource Assign agent that is never reached. In that Resource Assign agent, assign all the resources that are referenced by the Variable Assign agent.


248914-3 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address

Component: Local Traffic Manager

Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address have the locally administered bit set in the sender hardware address of the ARP payload, but the source MAC of the Ethernet frame has this bit clear.

Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.

Impact:
This may cause destination lookup failures on the layer 2 network.

Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
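The symptom is visible in a packet capture as a disagreement between two fields that should be identical. The following Python is an added example, not F5 code: it parses an ARP reply out of a raw Ethernet frame and reports the mismatch between the frame's source MAC and the ARP sender hardware address, including the locally-administered (U/L) bit. The frames and addresses are constructed; the one labelled MISMATCHED reproduces the pattern described above.

```python
import struct

# Added example (not F5 code): parse an ARP reply from a raw Ethernet frame and
# flag the inconsistency described above. All frames below are constructed.
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def locally_administered(mac):
    """U/L bit: bit 0x02 of the first octet set means locally administered."""
    return bool(mac[0] & 0x02)


def parse_arp_frame(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("ethertype 0x%04x is not ARP" % ethertype)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": eth_src, "eth_dst": eth_dst, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def check_arp_reply(frame):
    """Return a list of findings; an empty list means the reply is self-consistent."""
    arp = parse_arp_frame(frame)
    findings = []
    if arp["oper"] != ARP_REPLY:
        findings.append("not an ARP reply (opcode %d)" % arp["oper"])
    if arp["sha"] != arp["eth_src"]:
        findings.append("ARP sender MAC %s differs from frame source MAC %s"
                        % (arp["sha"].hex(":"), arp["eth_src"].hex(":")))
    if locally_administered(arp["sha"]) != locally_administered(arp["eth_src"]):
        findings.append("locally-administered bit set in ARP payload but not in frame header"
                        if locally_administered(arp["sha"]) else
                        "locally-administered bit set in frame header but not in ARP payload")
    return findings


def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Construct a reply frame; eth_src and sha differ only when simulating the bug."""
    header = struct.pack("!6s6sH", tha, eth_src, ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)
    return header + body


# Constructed addresses: a burned-in MAC and its locally-administered variant (0x02 set).
BIA_MAC = bytes.fromhex("001122334455")
LAA_MAC = bytes.fromhex("021122334455")
SELF_IP = bytes([10, 0, 0, 1])
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
CLIENT_IP = bytes([10, 0, 0, 2])

CONSISTENT_REPLY = build_arp_reply(LAA_MAC, LAA_MAC, SELF_IP, CLIENT_MAC, CLIENT_IP)
MISMATCHED_REPLY = build_arp_reply(BIA_MAC, LAA_MAC, SELF_IP, CLIENT_MAC, CLIENT_IP)

if __name__ == "__main__":
    print("consistent:", check_arp_reply(CONSISTENT_REPLY))
    print("mismatched:", check_arp_reply(MISMATCHED_REPLY))
```

To run this against real traffic, feed it the raw frames from a capture of the vlangroup (the Ethernet header must be present, so capture on the interface rather than on a cooked or IP-only socket). A switch that learns the frame's source MAC but is then asked to deliver to the address in the ARP payload is exactly the destination lookup failure described under Impact.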


225492-2 : Ramcache might disallow valid cache configurations that are very near the limit.

Component: Local Traffic Manager

Symptoms:
Ramcache might disallow valid cache configurations that are very near the limit.

Conditions:
Configurations whose aggregate ramcache size exceeds the maximum value calculated by ramcache.

Impact:
The last cache will not be initialized, as it exceeds the max, per ramcache.

Workaround:
None.


222690-1 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.

Component: Local Traffic Manager

Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.

Conditions:
For example, the following configuration illustrates the issue:

pool default_pool {
    member 10.10.10.4:80 down session disable
}
pool fail_pool {
    member 10.10.10.5:80
}
rule fail_rule {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
}
virtual vs {
    destination 10.10.10.6:80
    ip protocol tcp
    profile http tcp
    persist cookie
    pool default_pool
    rule fail_rule
}

Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.

Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client.

For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:

rule fail_rule_no_cookie_for_you {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
    when HTTP_RESPONSE {
        HTTP::cookie remove BIGipServerfail_pool
    }
}

Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.

Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.

The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.


222409-7 : The HTTP::path iRule command may return more information than expected

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the request URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the request URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/dir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP::path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
    log local0. "Path: [URI::path [HTTP::path]]"
}
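The two request-target forms above are the ones RFC 2616 section 5.1.2 allows from clients; the following Python is an added example (not F5 code and not the URI::path implementation) that parses a request line and extracts the same path from either form, the way the workaround normalises HTTP::path. It also returns the host that an absolute-form target names, because RFC 2616 section 5.2 says that host overrides the Host header, which is the security-relevant caveat whenever an iRule routes or authorises on HTTP::host. The request lines are constructed.

```python
from urllib.parse import urlsplit

# Added example (not F5 code): the request-target forms from RFC 2616 section 5.1.2
# and a path extractor that treats them alike, the way the workaround above uses
# URI::path to normalise what HTTP::path returns.


def parse_request_line(line):
    """Split 'METHOD target VERSION' into its three tokens (ValueError if not three)."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return tuple(parts)


def request_path(target):
    """Path for origin-form ('/a/b') and absolute-form ('http://h:p/a/b') targets."""
    if target.startswith("/"):
        # origin-form: drop any query string
        return target.split("?", 1)[0]
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # absolute-form: an empty path means '/'
        return parts.path or "/"
    raise ValueError("unsupported request-target: %r" % target)


def effective_host(target, host_header):
    """RFC 2616 section 5.2: an absolute-form target's host overrides the Host header."""
    if not target.startswith("/"):
        parts = urlsplit(target)
        if parts.scheme and parts.netloc:
            return parts.netloc
    return host_header


# Constructed requests: origin-form as a browser sends it, absolute-form as a proxy sends it.
REQUESTS = [
    ("GET /dir1/dir2/file.ext HTTP/1.1", "www.example.org"),
    ("GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1", "www.example.org"),
    ("GET http://www.example.org:80/dir1/dir2/file.ext?x=1 HTTP/1.1", "www.example.org"),
    ("GET http://other.example:8080 HTTP/1.1", "www.example.org"),
]


def summarise(requests=REQUESTS):
    """(path, effective host) for each request, so the two forms can be compared side by side."""
    out = []
    for line, host in requests:
        _, target, _ = parse_request_line(line)
        out.append((request_path(target), effective_host(target, host)))
    return out


if __name__ == "__main__":
    for row in summarise():
        print(row)
```

The last constructed request is the case to watch: its Host header says www.example.org but the request line names other.example:8080, and a rule that compares only HTTP::host will route or authorise it as if it were for the first. Any iRule that makes a decision on the path should therefore go through URI::path (or equivalent parsing) rather than assume HTTP::path begins with a slash.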




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Fri May 12 11:56:00 2017 PDT
Copyright F5 Networks (2017) - All Rights Reserved