Supplemental Document : Release Information: BIG-IQ Centralized Management 5.2.0

Applies To:

BIG-IQ Centralized Management

  • 5.2.0
Original Publication Date: 04/27/2017 Updated Date: 04/18/2019

BIG-IQ CM Release Information

Version: BIG-IQ-5.2.0
Build: 5741.0

Known Issues in BIG-IQ CM v5.2.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
625230 CVE-2016-5195 K10558632 Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
621413 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
565221 CVE-2015-2925 CVE-2015-5307 CVE-2015-8104 CVE-2015-7613 CVE-2015-7872 K31026324 K94105604 K90230486 Multiple Linux Kernel vulnerabilities
540056 CVE-2015-5364 CVE-2015-5366 K17309 K17307 Multiple Linux Kernel vulnerabilities
525368 CVE-2013-2596 CVE-2014-3690 CVE-2014-5471 CVE-2014-5472 CVE-2014-8159 CVE-2014-8884 CVE-2015-1421 K17199 Kernel Vulnerabilities
488801 CVE-2013-2596 CVE-2013-4483 CVE-2014-0181 CVE-2014-3122 CVE-2014-3601 CVE-2014-4608 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-5045 CVE-2014-5077 CVE-2014-6410 K15852 Kernel Vulnerabilities
480424 CVE-2014-0205 CVE-2014-3535 CVE-2014-3917 CVE-2014-4667 K15680 Kernel Vulnerabilities
640649 CVE-2016-1669 K35655050 CVE-2016-1669 : NodeJS Vulnerability
623155 CVE-2016-4470 K55672042 Linux kernel vulnerability CVE-2016-4470
622257 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
618497 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
610216 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696
600379 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
597979-1 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
589931 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Multiple Samba vulnerabilities
582856 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
572608 CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 K61570943 Multiple libXML2 vulnerabilities
570137 CVE-2015-7575 CVE-2015-8126 CVE-2015-8472 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0475 CVE-2016-0483 CVE-2016-0494 K50118123 Multiple Java vulnerabilities
561855 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
556431 CVE-2015-3245 CVE-2015-3246 K05770600 Linux libuser vulnerabilities
554513 CVE-2015-3238 K17494 PAM vulnerability CVE-2015-3238
548085 CVE-2015-5157 CVE-2015-8767 K17326 Multiple kernel vulnerabilities
542392 CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 K51518670 Multiple Linux Kernel vulnerabilities
535886 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
528771 CVE-2011-1098, CVE-2011-1154, CVE-2011-1155 K16869 K16870 K16871 Multiple Logrotate vulnerabilities
526154 CVE-2013-1740,CVE-2014-1490,CVE-2014-1491,CVE-2014-1492, CVE-2014-1544, CVE-2014-1545 K16716 Multiple Mozilla Network Security Services vulnerabilities
525360 CVE-2014-7822 CVE-2014-8369 K17237 Multiple Linux Kernel vulnerabilities
525279 CVE-2015-4000 K16674 TLS vulnerability CVE-2015-4000
515231 CVE-2015-1781 CVE-2013-7423 K16865 GNU C Library (glibc) vulnerability CVE-2015-1781 & CVE-2013-7423
486791-1 CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 K16939 Resolution of multiple wireshark vulnerabilities
486622 CVE-2004-1060 K15792 Path MTU discovery vulnerability CVE-2004-1060
484319-1 CVE-2012-1571 CVE-2014-0237 CVE-2014-0238 CVE-2014-1943 CVE-2014-2270 CVE-2014-3479 CVE-2014-3480 K16954 File vulnerabilities
480421 CVE-2013-4238 K15638 Python vulnerability CVE-2013-4238
480240 CVE-2013-1620 K15630 Mozilla NSS vulnerability
474513 CVE-2013-1667 CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 K15867 Multiple Perl Vulnerabilities
456217 CVE-2013-4113 K15169 PHP vulnerability CVE-2013-4113
613353 CVE-2016-2180 CVE-2016-6306 CVE-2016-6302 K90492697 Multiple OpenSSL Vulnerabilities
594397 CVE-2013-0169 K14190 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
588359-1 CVE-2016-0742 CVE-2016-0746 CVE-2016-0747 K23073482 Multiple nginx vulnerabilities
587511 CVE-2013-4397 K16015326 libtar vulnerability CVE-2013-4397
580015 CVE-2016-1286 K62012529 BIND vulnerability CVE-2016-1286
579744 CVE-2015-8776 K23946311 glibc vulnerability CVE-2015-8776
572613 CVE-2013-6629 K59503294 libjpeg vulnerability CVE-2013-6629
571432 CVE-2015-2730 K15955144 Mozilla NSS vulnerability CVE-2015-2730
568590 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
563839 CVE-2015-7981 CVE-2015-8126 CVE-2015-8472 K81903701 K76930736 K21057235 Multiple libpng vulnerabilities
562693 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
547438 CVE-2014-8155 CVE-2015-0282 CVE-2015-0294 K17327 Multiple GNU TLS vulnerabilities
545723 CVE-2015-6564 CVE-2015-6563 K17263 Multiple OpenSSH vulnerabilities
545369 CVE-2014-3565 K17315 SNMP vulnerability CVE-2014-3565
542976 CVE-2015-5722 CVE-2015-5986 K17227 K17181 Multiple BIND vulnerabilities
541002 CVE-2015-2638 CVE-2015-4731 CVE-2015-4736 CVE-2015-4733 CVE-2015-4760 CVE-2015-2625 K17172 Multiple Java Vulnerabilities
538018 CVE-2015-3183 K17251 Apache vulnerability CVE-2015-3183
535884 CVE-2015-5477 K16909 BIND Vulnerability
533930 CVE-2015-3210 K17235 PCRE library vulnerability CVE-2015-3210
533924 CVE-2015-2325 K16983 PCRE library vulnerability CVE-2015-2325
531740 CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9673 CVE-2014-9674 CVE-2014-9675 K16900 Multiple FreeType vulnerabilities
530268 CVE-2015-3416 K16950 SQLite vulnerability CVE-2015-3416
529394-1 CVE-2014-7844 K16945 CVE-2014-7844 : mailx Vulnerability
529393-1 CVE-2004-2771 K16945 CVE-2004-2771 : mailx Vulnerability
527639-1 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-1 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-1 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-1 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
526171 CVE-2013-1960,CVE-2013-1961,CVE-2013-4231,CVE-2013-4232,CVE-2013-4243,CVE-2013-4244 K16715 Multiple LibTIFF vulnerabilities
525391 CVE-2014-9585 K17241 Linux kernel vulnerability CVE-2014-9585
525389 CVE-2014-9584 K17245 Linux kernel vulnerability CVE-2014-9584
525386 CVE-2014-9529 K17239 Linux kernel vulnerability CVE-2014-9529
525365 CVE-2015-1593 K17244 Linux kernel vulnerability CVE-2015-1593
525349 CVE-2015-3148 K16707 cURL vulnerability CVE-2015-3148
525347 CVE-2015-3143 K16704 cURL vulnerability CVE-2015-3143
522207 CVE-2013-7423 K16841 GNU C Library (glibc) vulnerability CVE-2013-7423
521050 CVE-2013-5704 K16863 Apache vulnerability CVE-2013-5704
511757 CVE-2015-1349 K16356 BIND Vulnerability
505646 CVE-2014-6040 CVE-2014-7817 K16010 K16435 Multiple Glibc vulnerabilities
503045 CVE-2015-0204 K16139 CVE-2015-0204 : OpenSSL Vulnerability
500788 CVE-2012-6657 K16011 Linux kernel vulnerability CVE-2012-6657
499075 CVE-2014-9293 K15934 CVE-2014-9293 : NTP Vulnerability
499073 CVE-2014-9294 K15935 NTP vulnerability CVE-2014-9294
487507 CVE-2014-2532 CVE-2014-2653 K15780 Multiple OpenSSH vulnerabilities
486354 CVE-2014-2497 CVE-2014-3538 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-0238 K15761 Multiple PHP 5.x vulnerabilities
481806-1 CVE-2013-4002 K16872 Java Runtime Environment vulnerability CVE-2013-4002
480207 CVE-2014-3940 CVE-2014-4027 K15685 Multiple Linux Kernel vulnerabilities
479431-3 CVE-2014-3596 K16821 Apache Axis vulnerability CVE-2014-3596
476871 CVE-2014-4341 CVE-2014-4342 K15552 K15547 MIT Kerberos 5 vulnerability CVE-2014-4342
439068-1 CVE-2013-0221 CVE-2013-0222 CVE-2013-0223 K16859 SUSE coreutils vulnerabilities
416372-1 CVE-2012-2677 K16946 Boost memory allocator vulnerability CVE-2012-2677
622069 CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 K16704 K16707 Resolution of multiple curl vulnerabilities


Functional Change Fixes

ID Number Severity Description
620231 3-Major The Web Application Security marks all devices as modified when restoring configuration from a snapshot


BIG-IQ Configuration - Network Fixes

ID Number Severity Description
632934 2-Critical BIG-IP name CIDR format is not accepted on BIG-IQ for Self IP: 10.9.91.254_24


BIG-IQ Device User Interface Fixes

ID Number Severity Description
654806 3-Major UI does not allow reactivation of regkeys in a regkey pool if the EULA has changed on the license server
654781 3-Major UI unable to reactivate a purchased pool license when the EULA has changed
639522 3-Major Device inventory CSV fails if a device is unreachable


BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Description
648597 3-Major Command needed to restore Access data after upgrading to the latest BIG-IQ system


BIG-IQ System User Interface Fixes

ID Number Severity Description
631015 2-Critical HA Failover initiated from Secondary node may leave the BIG-IQ cluster in "standalone" mode
645743 3-Major IE browser does not work with System -> This Device -> Email Notification Recipients
631874 4-Minor Audit Log Syslog Server Configuration


BIG-IQ Access Fixes

ID Number Severity Description
650367 2-Critical Object Deletion failure upon Deployment
588171 3-Major Under heavy sustained stress traffic over 500 sessions per second from the BIG-IP system, Logging Node fails to accept logs
581899 3-Major Logs and sessions info are missing in BIG-IQ Access reports


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Description
618007 2-Critical BIG-IQ does not correctly link VLAN and interface configuration from Viprion when blade id is part of the interface name
614233-1 2-Critical Browser performance degradation with large number of discovered Profiles, Monitors and iRules that have unique fullPaths
580103-1 2-Critical ADC deployment fails because a DNS resolver is being used by the http-explicit profile.
635557 3-Major LTM fails to import certificate names beginning with *
633472-1 3-Major Deployment fails with "Could not determine which real kinds mapped to intermediate kind ADC_MONITOR_TCP_HALF_OPEN"
630438 3-Major User can create a "Standard" Virtual Server with *All Protocols and a 'None' Any IP profile.
628518 3-Major DSC Cluster: Importing LTM configuration for second device fails
624825 3-Major Error: Could not determine which real kinds mapped to intermediate kind ADC_SSL_CERT
621767 3-Major LTM service discovery fails if virtual address has route domain with "any" address
617607 3-Major Changing the state of pool members or virtual servers on manual sync DSC groups moves the group out of sync.
617178-1 3-Major Prefix Length value of None in custom source address persistence profile on BIG-IP gets parent's value on BIG-IQ after importing
610660-1 3-Major Unexpected difference and loss of inheritance for null-mask in Source Addr persistence profile on BIG-IP


BIG-IQ App Visibility and Reporting (AVR) Fixes

ID Number Severity Description
621986 3-Major Users can't generate AVR reports in WebApplication or Network Security modules against a BIG-IP HA setup
655185 4-Minor "Invalid registered claims" error may occur when creating reports in Monitoring -> REPORTS -> Security


AppIQ Fixes

ID Number Severity Description
643189 3-Major Statistics show inaccurate data when certain interval collection frequencies are used


BIG-IQ Configuration - Infrastructure Fixes

ID Number Severity Description
608932-1 3-Major DSC Sync status not correctly determined
617266 4-Minor Sevone PLA schedule end date cannot be extended if schedule is finished


BIG-IQ Device Management Fixes

ID Number Severity Description
614819 3-Major Devices under high load may show inaccurate status messages
612044-1 3-Major iHealth upload fails after BIG-IP upgrade from 11.5.x
611257 3-Major BIG-IQ signals success when assigning a license to an unmanaged BIG-IP hardware-based device
580726-1 3-Major License state information from REST worker is out of sync with device
573323-3 3-Major Remotely-authenticated user with Admin role changed to Guest by McpUsersEnumeratorWorker.
559599 3-Major BIGIQ 7000: GUI Registration Key box is not populated by default
603960 4-Minor Managed device license status is not updated
575659 4-Minor BIG-IP DSC Sync setting not modified on subsequent BIG-IP trust establishment


BIG-IQ Fraud Protection Service (FPS) Fixes

ID Number Severity Description
626476 2-Critical FPS Forwarding: Incorrect date value using {date} info tag
639241-1 3-Major Proxy IP - {proxy} field is forwarded only for SOC destination, User should be able to forward the field to all other destination as well
639234-1 3-Major Proxy host name {proxyname} does not get forwarded to any destination - Email, Syslog, Custom and SOC
631211 3-Major Manually reforward alerts matching transform rules
628858-1 3-Major Correct IP address is not shown for the client IP in some FPS alerts
627518-1 3-Major Unable to display Advanced Phishing Alerts
625630 3-Major GUI error when filtering alerts in custom date
620901 3-Major Missing "client IP" field in alert on BIG-IQ FPS dashboard
640928 4-Minor Remote Fraud Protection User Accounts do not appear in related-to search for a selected BIG-IQ user account.
621244 4-Minor vjail score not shown on dashboard for mobilesafe alerts
613245 4-Minor Alert Transform Rule import with CSV files larger than 8MB fails


BIG-IQ Network Security Fixes

ID Number Severity Description
557774 2-Critical BIG IQ Discovery fails if a DoS profile is configured with custom Bot Signature on the BIG IP
610135 3-Major Firewall or NAT policies may show false differences, in some conditions, when IP protocol 138 through 141 are used.
595822 3-Major Deployment will fail if a FW NAT Policy coexists with existing LTM pools (either SNAT/LSN/Automap or LTM Pool)
590492 3-Major Missing vector support under DoS Single Endpoint for 11.5.3 BIG-IP; also, GUI error doesn't provide info of unsupported vectors
617547 4-Minor Changing timer policy rule from a port-based to non-port-based protocol
595302 4-Minor DoS Profiles do not support correct upper range everywhere


REST Framework and TMOS Platform Fixes

ID Number Severity Description
648305 2-Critical RADIUS Access-Requests are not fully RFC compliant.
637084 2-Critical Primary BIG-IQ UCS restore never completes successfully
629835 2-Critical Update to RHEL6 kernel
624679 2-Critical Managed devices were marked unavailable intermittently
647114 3-Major LDAP login may fail with empty bindUser.
643638 3-Major Duplicated routing table entry causes "Error: OID not increasing" from snmpwalk
640326 3-Major No audit log entry logged for the failed login attempt
630660 3-Major The bigiqsnmpd daemon cores
629725-1 3-Major Breaking up an HA pair does not remove the console from the Logging Configuration Cluster.
628365-1 3-Major Minimum Master Eligible Nodes can be set to value higher than the number of nodes in cluster
621321 3-Major Europe/Moscow timezone is incorrect
612566 3-Major FPS alerts or ASM Events or Access Reporting is empty after restoring a Logging Cluster Snapshot
609403 3-Major The BIG-IQ timezone is off-set for the SevOne Performance Logging Appliance monthly-scheduled push time
599845 3-Major Hardware compression test fails on BIG-IQ 7000.
590514-1 3-Major [Fixed] Certificate Expiration emails report stale Expiration Date
588651 3-Major BIG-IQ fails to manage a BIG-IP device when changing the device certificate of the device
585769 3-Major BIG-IQ Logging Snapshots: After scheduling a snapshot, the "Snapshot Schedules" reads "N/A"
581471 3-Major Updating an LDAP Auth Provider fails
584666 4-Minor Grid columns may be rendered partially or completely off-screen
583975 4-Minor BIG-IQ Logging configuration should not be performed on the Logging Node


BIG-IQ System Fixes

ID Number Severity Description
644953 3-Major Virtual Machines now require 4 CPUs / 16GB memory or 8 CPUs / 32GB memory
619890 3-Major BIG-IQ cannot be setup when configured with VLANs referencing trunks
631249 4-Minor Creation/Deletion of an Auth Provider may need a browser refresh to be able to see updated Auth Provider list
621627 4-Minor SNMP Client Allowed List has incorrect Mask value in builtin entry
613558 4-Minor Unable to delete System Self IP using Internet Explorer 11


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Description
634264 2-Critical ASM: conflict related to policy signatures is not shown
635322 3-Major ASM: policies created on BIG-IQ with Automatic Policy Builder enabled are incompatible with BIG-IP v12 devices.
633284 3-Major ASM - import failure when using IP addresses with the same network and different masks
621516 3-Major ASM - import failure when policies originate from a device with users that have special characters in username
615180 3-Major Web Application Security deployment from a snapshot fails
606431 3-Major Certain Web Application Security related to searches take a long time to complete
593678 3-Major Critical error shown on deployment for 12.x devices with policies originated from 11.x devices
591982 3-Major Policy specific signature settings (enabled, in staging) may not be deployed correctly when deployment task deploys other relevant changes
590604 3-Major BIG-IQ does not manage the learn flag on BIG-IP policy sub violations - HTTP Protocol Compliance and Evasions
587060 3-Major New policies deployed to BIG-IPs may have wrong settings for user defined signatures if those are created on different BIG-IP devices
501561 3-Major Web Application Security does not allow changing the order of wildcard entities
598590 4-Minor Web Application Security - device modified indicator is not turned on when deploying the configuration from a snapshot.
596787 4-Minor Cannot export Web Application Security event logs in a CSV file using Chrome/Firefox
582626 4-Minor Web Application Security event logs do not show violation ratings

 

Cumulative fix details for BIG-IQ CM v5.2.0 that are included in this release

655185 : "Invalid registered claims" error may occur when creating reports in Monitoring -> REPORTS -> Security

Component: BIG-IQ App Visibility and Reporting (AVR)

Symptoms:
An "Invalid registered claims" error may occur when creating reports in Monitoring -> REPORTS -> Security -> Network Security (or Web Application Security) -> Reporting.

Impact:
The report will not generate; the UI will spin endlessly.

Workaround:
As a workaround, click "Dismiss" and refresh browser.


654806 : UI does not allow reactivation of regkeys in a regkey pool if the EULA has changed on the license server

Component: BIG-IQ Device User Interface

Symptoms:
Attempts to reactivate a license in a regkey pool cannot be completed because the Activate button is disabled.

Conditions:
This issue occurs when reactivating a license in a regkey pool that requires a new EULA to be accepted. The UI does not present the EULA to the user.

Impact:
The license cannot be reactivated via the UI.

Workaround:
The pool license reactivation must be completed via CLI.

1. Determine the regkey pool ID:
restcurl cm/device/licensing/pool/regkey/licenses/'?$select=name,id'
2. Save the EULA to a file:
restcurl cm/device/licensing/pool/regkey/licenses/{id from step 1}/offerings/{regkey}/'?$select=eulaText,status' > /var/tmp/eula.txt
3. Edit /var/tmp/eula.txt and, at the end of the file, change the status from "ACTIVATING_AUTOMATIC_NEED_EULA_ACCEPT" to "ACTIVATING_AUTOMATIC_EULA_ACCEPTED"
4. curl -X PATCH --upload-file /var/tmp/eula.txt http://localhost:8100/cm/device/licensing/pool/regkey/licenses/{id from step 1}/offerings/{regkey}

Fix:
The UI now prompts the user to accept the new EULA when needed.


654781 : UI unable to reactivate a purchased pool license when the EULA has changed

Component: BIG-IQ Device User Interface

Symptoms:
Attempts to accept a new EULA when reactivating a purchased pool license generate an error similar to:

"The system returned an unexpected error (400 Bad Request). eulaText cannot be changed"

Conditions:
This issue applies when reactivating a purchased pool license and F5 has updated the EULA since the original activation.

Impact:
The purchased pool license cannot be reactivated via the UI.

Workaround:
The purchased pool license reactivation must be completed via CLI.

1. Determine the purchased pool license ID
 a. Prior to BIG-IQ 5.2:
restcurl cm/shared/licensing/pools'?$select=name,selfLink,state'
 b. In BIG-IQ 5.2 and later:
restcurl cm/device/licensing/pool/purchased-pool/licenses/'?$select=name,selfLink,state'
2. Note the selfLink for the pool in question; the selfLink path (selfLink minus the 'https://localhost/mgmt/' prefix) will be used in subsequent steps
3. Save the EULA to a file
restcurl {selfLink path}'?$select=eulaText,state' > /var/tmp/eula.txt
4. Edit /var/tmp/eula.txt and, at the end of the file, change the state from "WAITING_FOR_EULA_ACCEPTANCE" to "ACCEPTED_EULA"
5. curl -X PATCH --upload-file /var/tmp/eula.txt http://localhost:8100/{selfLink path}

Fix:
The UI now prompts the user to accept the new EULA when needed.


650367 : Object Deletion failure upon Deployment

Component: BIG-IQ Access

Symptoms:
When deploying a configuration from BIG-IQ to BIG-IP systems, un-referenced objects are deleted from BIG-IQ and thus, on the BIG-IP systems managed by that BIG-IQ. This deletion can fail on 12.1.0, 12.1.1, 12.1.2, and 13.0 BIG-IP devices.

Conditions:
1. 12.1.0, 12.1.1, 12.1.2, and 13.0 BIG-IP systems have the specific defect (see BZ 647108, 649929).
2. The BIG-IP systems have objects that are not referenced.
3. A deployment is attempted.

Impact:
The customer will not be able to deploy the configuration, unless they follow the workaround.

Workaround:
1. Users can delete the unreferenced objects on BIG-IP systems in advance, or
2. Prior to object import, upgrade all managed BIG-IP systems in advance.


648597 : Command needed to restore Access data after upgrading to the latest BIG-IQ system

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
After a software upgrade to the latest BIG-IQ release and a snapshot restore to retrieve the data, a command is needed to have the data successfully restored.

Conditions:
A software upgrade to the latest BIG-IQ release, followed by restoring the snapshot to retrieve the data.

Impact:
User cannot successfully restore data if a command is not entered.

Workaround:
After upgrading from 5.0 or 5.1, the admin sends a POST request to the REST API below. This step is needed to restore session data after upgrading, and the admin has to perform it after the Elastic snapshot restore is completed. Sessions that were created before the upgrade are not displayed in the Sessions Report or in the Active Sessions report if this step was not performed after the upgrade.

restcurl -X POST -u admin:admin http://localhost:8100/mgmt/cm/access/reports/access-es-upgrade-task -d '{ }'

Fix:
This issue has been fixed and you no longer need to perform additional steps to restore Access data after upgrade.


648305 : RADIUS Access-Requests are not fully RFC compliant.

Component: REST Framework and TMOS Platform

Symptoms:
The RFC states an Access-Request MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both).

Conditions:
RADIUS authentication is set up, and some servers won't accept the Access-Requests.

Impact:
Authentication fails even though the RADIUS server and BIG-IQ are properly configured.

Workaround:
The RADIUS server can be adjusted to be more lenient to the missing attributes.

Fix:
BIG-IQ will now always send a NAS-Identifier attribute with every RADIUS Access-Request. It will also include a NAS-IP-Address when possible.
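The requirement behind ID 648305 comes from RFC 2865 and can be checked on captured Access-Requests. The following is an added example, not F5 code: it parses the RADIUS attribute list and reports whether NAS-IP-Address (type 4) or NAS-Identifier (type 32) is present. The sample packets, the user name, the identifier "bigiq-01" and the address 192.0.2.10 are constructed for illustration.

```python
"""Check RADIUS Access-Requests for the NAS attributes RFC 2865 requires."""
import ipaddress
import struct

ACCESS_REQUEST = 1        # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4   # value is a 4-byte IPv4 address
ATTR_NAS_IDENTIFIER = 32  # value is at least one byte of text
HEADER_LEN = 20           # code, identifier, length, 16-byte authenticator


class RadiusParseError(ValueError):
    """Raised when the datagram is not a well-formed RADIUS packet."""


def parse_packet(packet: bytes):
    """Return (code, [(attr_type, value), ...]), bounds-checking every TLV."""
    if len(packet) < HEADER_LEN:
        raise RadiusParseError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise RadiusParseError("length field does not fit the datagram")
    attrs, offset = [], HEADER_LEN
    while offset < length:  # bytes past `length` are padding and ignored
        if offset + 2 > length:
            raise RadiusParseError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        # The attribute length counts its own two header bytes.
        if attr_len < 2 or offset + attr_len > length:
            raise RadiusParseError("attribute %d overruns the packet" % attr_type)
        attrs.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, attrs


def check_access_request(packet: bytes) -> dict:
    """Report which NAS attributes an Access-Request carries."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise RadiusParseError("code %d is not an Access-Request" % code)
    nas_ip = nas_id = None
    for attr_type, value in attrs:
        # Wrongly sized values are treated as absent rather than trusted.
        if attr_type == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            nas_ip = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_NAS_IDENTIFIER and len(value) >= 1:
            nas_id = value.decode("utf-8", errors="replace")
    return {
        "compliant": nas_ip is not None or nas_id is not None,
        "nas_ip_address": nas_ip,
        "nas_identifier": nas_id,
    }


def build_access_request(attrs, identifier=1) -> bytes:
    """Build a constructed test packet; the authenticator is all zeros."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed samples: the request shape described under Symptoms (no NAS
# attribute) and the shape described under Fix (NAS-Identifier, plus
# NAS-IP-Address when possible).
WITHOUT_NAS = build_access_request([(ATTR_USER_NAME, b"alice")])
WITH_NAS_ID = build_access_request(
    [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"bigiq-01")])
WITH_BOTH = build_access_request(
    [(ATTR_USER_NAME, b"alice"),
     (ATTR_NAS_IDENTIFIER, b"bigiq-01"),
     (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)])

if __name__ == "__main__":
    for name, pkt in [("without NAS attributes", WITHOUT_NAS),
                      ("NAS-Identifier only", WITH_NAS_ID),
                      ("both attributes", WITH_BOTH)]:
        print(name, check_access_request(pkt))
```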


647114 : LDAP login may fail with empty bindUser.

Component: REST Framework and TMOS Platform

Symptoms:
LDAP Authentication fails. This will most likely occur after an upgrade where it was previously working.

Conditions:
The LDAP auth provider has an empty string or a string with all spaces such as "" or " " for the bindUser field. This is different than null. The LDAP server also doesn't allow anonymous binding.

Impact:
Authentication requests from the auth provider will try to use the bindUser field to bind to the LDAP server. If the bindUser field is a blank string it will fail causing login attempts to fail.

Workaround:
Set the bindUser field to null.

Fix:
Fixed a case where an empty bindUser can cause LDAP authentication to fail.


645743 : IE browser does not work with System -> This Device -> Email Notification Recipients

Component: BIG-IQ System User Interface

Symptoms:
Creating new email recipients fails without providing any feedback to the user when using Internet Explorer.

Conditions:
Issue is applicable when using Internet Explorer.

Impact:
New email recipients cannot be created.

Workaround:
As a workaround, use a browser other than IE.

Fix:
Browser incompatibility issue was addressed.


644953 : Virtual Machines now require 4 CPUs / 16GB memory or 8 CPUs / 32GB memory

Component: BIG-IQ System

Symptoms:
Upon logging into a BIG-IQ virtual machine, if the BIG-IQ's configuration has fewer than 4 CPUs and/or less than 16GB of memory, the user will be presented with a dialog warning that their virtual machine configuration is no longer supported.

Conditions:
You are using a BIG-IQ virtual machine with fewer than 4 CPUs and/or less than 16GB of memory.

Impact:
Some functions of BIG-IQ may not work, and you may encounter performance issues.

Workaround:
Change the configuration of your BIG-IQ virtual machine to one of the two supported configurations:
- 4 CPUs, 16GB memory
- 8 CPUs, 32GB memory
Then restart the virtual machine.

Fix:
BIG-IQ warns users upon login if the virtual machine is configured with insufficient CPU and memory resources.


643638 : Duplicated routing table entry causes "Error: OID not increasing" from snmpwalk

Component: REST Framework and TMOS Platform

Symptoms:
When running the snmpwalk utility, an error is seen similar to:

Error: OID not increasing: IP-FORWARD-MIB::ipCidrRouteDest...

Conditions:
This issue occurs on typical BIG-IQ installs with the affected versions, because of a duplicate routing table entry.

Impact:
snmpwalk may fail or snmpd may core.

Workaround:
Deleting the duplicate routing table entry will temporarily work around this issue, but the duplicate entry will be restored on the next reboot.

In a bash command shell, run the "ip route" command. Examine the output to identify the two entries with the same destination network. Delete the entry that includes "metric 9" by running "ip route del <entry>", where <entry> is the line of "ip route" output that describes the entry. For example:

# ip route del 172.27.64.0/24 dev eth0 scope link src 172.27.64.29 metric 9

Fix:
BIG-IQ no longer has a duplicate routing table entry by default.
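The inspection step of the workaround for ID 643638 can be scripted. The following is an added example, not F5 code: it groups "ip route" output by destination network and proposes an "ip route del" command only for a "metric 9" entry whose destination has another entry that stays in place. The sample output is constructed around the entry quoted above; the other routes and interface names are assumptions.

```python
"""Find duplicate destinations in `ip route` output and propose deletions."""
from collections import defaultdict

# Constructed sample; only the "metric 9" line comes from the workaround text.
SAMPLE_IP_ROUTE = """\
default via 172.27.64.254 dev eth0
172.27.64.0/24 dev eth0 proto kernel scope link src 172.27.64.29
172.27.64.0/24 dev eth0 scope link src 172.27.64.29 metric 9
127.1.1.0/24 dev tmm0 proto kernel scope link src 127.1.1.254
10.20.0.0/16 dev eth1 scope link metric 9
"""


def route_metric(entry: str):
    """Return the metric of one route entry as a string, or None if unset."""
    tokens = entry.split()
    if "metric" in tokens:
        index = tokens.index("metric")
        if index + 1 < len(tokens):
            return tokens[index + 1]
    return None


def group_by_destination(ip_route_output: str) -> dict:
    """Map each destination (first field) to its whitespace-normalized entries."""
    groups = defaultdict(list)
    for line in ip_route_output.splitlines():
        entry = " ".join(line.split())
        if entry:
            groups[entry.split()[0]].append(entry)
    return dict(groups)


def duplicate_destinations(ip_route_output: str) -> dict:
    """Keep only destinations that appear in more than one entry."""
    return {dest: entries
            for dest, entries in group_by_destination(ip_route_output).items()
            if len(entries) > 1}


def suggest_deletions(ip_route_output: str, metric: str = "9") -> list:
    """Return `ip route del` commands for duplicate entries with the given metric.

    A destination is skipped when every one of its entries carries that metric,
    because deleting them all would remove the route instead of the duplicate.
    """
    commands = []
    for entries in duplicate_destinations(ip_route_output).values():
        doomed = [e for e in entries if route_metric(e) == metric]
        if doomed and len(doomed) < len(entries):
            commands.extend("ip route del " + e for e in doomed)
    return commands


if __name__ == "__main__":
    # Print the commands for review; nothing is executed.
    for command in suggest_deletions(SAMPLE_IP_ROUTE):
        print(command)
```

Feed it the saved output of "ip route" from the BIG-IQ shell and review the printed command before running it.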


643189 : Statistics show inaccurate data when certain interval collection frequencies are used

Component: AppIQ

Symptoms:
You may observe "choppy" and/or inaccurate statistics in graphs.

Conditions:
This may occur when the statistics collection frequency is set at 2 minutes or greater.

Impact:
Graphs may not show accurate information / data.

Workaround:
Use the 30-second or 60-second frequency setting for all BIG-IP devices from which statistics are collected.


640928 : Remote Fraud Protection User Accounts do not appear in related-to search for a selected BIG-IQ user account.

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When you do a global search on a non-local User Account or group, it finds the User Account together with any FPS Accounts to which it is assigned. However, if you select the non-local User Account in the search results and click Show in Related Items, the assigned FPS Accounts do not appear on the list.

Conditions:
This can occur when doing a global search for a non local User Account.

Impact:
The issue makes related-to search asymmetric. Local User accounts are searchable from FPS accounts but not vice versa.

Workaround:
No workaround

Fix:
When you do a global search on a non-local User Account or group, it finds the User Account together with any FPS Accounts to which it is assigned. However, if you select the non-local User Account in the search results and click Show in Related Items, the assigned FPS Accounts do not appear on the list.


640649 : CVE-2016-1669 : NodeJS Vulnerability

Vulnerability Solution Article: K35655050


640326 : No audit log entry logged for the failed login attempt

Component: REST Framework and TMOS Platform

Symptoms:
No audit log entry logged for the failed login attempt.

Conditions:
Failed login attempt.

Impact:
Failed login attempts are not viewable from the audit logger.

Workaround:
Failed login attempts are logged to the /var/log/restjavad.*.log files

Fix:
Login activity is now reported in the audit log for both successful and failed attempts.


639522 : Device inventory CSV fails if a device is unreachable

Component: BIG-IQ Device User Interface

Symptoms:
BIG-IQ Configuration Management 5.1.0 device inventory CSV download fails.

Conditions:
If a managed device is not reachable, the UI will silently fail to give a download dialog when a user tries to Export Inventory.

Impact:
User is unable to get a device inventory report.

Workaround:
None.

Fix:
GUI now shows a warning if the device is unreachable when exporting the device inventory.


639241-1 : Proxy IP - {proxy} field is forwarded only for SOC destination, User should be able to forward the field to all other destination as well

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Proxy IP - {proxy} field is forwarded only for SOC destination. The user should be able to forward the field to all other destinations (Email, syslog and Custom forwarding) as well.

Conditions:
When a forwarding rule has {proxyname} field in email/syslog template or in Custom forwarding: WS alert header/WS Alert Request.

Impact:
Proxy IP address will not be shown at the destination.

Fix:
The {proxy} field can now be forwarded to all forwarding targets.


639234-1 : Proxy host name {proxyname} does not get forwarded to any destination - Email, Syslog, Custom and SOC

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Proxy host name {proxyname} does not get forwarded to any destination - Email, Syslog, Custom and SOC

Conditions:
- When a forwarding rule has SOC forwarding enabled and selected
  "Client Proxy HostName" field to forward

- When a forwarding rule has {proxyname} field in email/syslog template or in Custom forwarding: WS alert header/WS Alert Request

Impact:
Proxy hostname will not be shown at the destination

Fix:
This is fixed in 5.2.


637084 : Primary BIG-IQ UCS restore never completes successfully

Component: REST Framework and TMOS Platform

Symptoms:
If a UCS restore operation is attempted on a BIG-IQ that is the primary member of a primary-secondary pair, the restore operation will not complete successfully.

Conditions:
Always

Impact:
Inability to perform UCS restore on a primary BIG-IQ

Workaround:
The backup can be restored if the HA pair is broken first. After restoring the backup, the HA pair can be re-created.


635557 : LTM fails to import certificate names beginning with *

Component: BIG-IQ Local Traffic & Management

Symptoms:
Importing LTM for a device fails in BIG-IQ because BIG-IQ doesn't support traffic certificates that have names beginning with an asterisk.

Conditions:
This issue occurs when BIG-IP has one or more traffic certificates starting with an asterisk.

Impact:
The LTM service cannot be managed for affected devices.

Fix:
BIG-IQ now supports importing certificates with names that begin with an asterisk. See release notes for ID637937 regarding residual issues related to this scenario.


635322 : ASM: policies created on BIG-IQ with Automatic Policy Builder enabled are incompatible with BIG-IP v12 devices.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM: policies created on BIG-IQ with Automatic Policy Builder enabled are incompatible with BIG-IP v12 devices.
When deploying such policies critical verification errors are shown.

Conditions:
Policies are created on BIG-IQ and have the policy builder enabled.

Impact:
Critical verification errors are shown.

Fix:
Policies created on BIG-IQ are now compatible with 12.x devices, even after changing policy building configuration and enabling the automatic policy builder.


634264 : ASM: conflict related to policy signatures is not shown

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM: conflict related to policy signatures is not shown.

Conditions:
This happens when there are policy signature changes in two or more policies and another non-signature change in one of the policies.

Impact:
As no conflict is shown, the policy is kept as is regardless of the change that happened on the BIG-IP.

Fix:
A certain case in which a conflict import was not showing up was fixed, and now the user is requested to resolve that kind of conflict.


633472-1 : Deployment fails with "Could not determine which real kinds mapped to intermediate kind ADC_MONITOR_TCP_HALF_OPEN"

Component: BIG-IQ Local Traffic & Management

Symptoms:
When deploying a change to one or more managed devices, deployment fails and restjavad shows an error similar to: AdcClusterDistributeTaskWorker] Error parsing difference summary: java.lang.IllegalArgumentException: Could not determine which real kinds mapped to intermediate kind ADC_MONITOR_TCP_HALF_OPEN

Conditions:
This issue applies when: 1) The deployment contains a change where a TCP monitor is involved (i.e. creating a new pool with such a monitor attached); 2) The deployment target is a BIG-IP cluster; 3) A TCP monitor exists with the same name in two or more managed devices, but it has different properties in at least one of the devices.

Impact:
Deployment fails.

Workaround:
Avoid having TCP monitors with same name but different properties across managed devices.

Fix:
BIG-IQ now allows deployments to succeed in this case.


633284 : ASM - import failure when using IP addresses with the same network and different masks

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM import failure when using IP addresses with the same network and different masks.

Conditions:
The issue happens when a configuration is imported and contains IP Address whitelist records with the same address but different network masks.

Impact:
The issue causes a failure to import the configuration.

Fix:
Policy IP address configuration that had elements with the same addresses and different network masks was handled incorrectly, and importing such configuration was causing a failure. The handling of such IP address configuration items was fixed and no longer generates errors on import.


632934 : BIG-IP name CIDR format is not accepted on BIG-IQ for Self IP: 10.9.91.254_24

Component: BIG-IQ Configuration - Network

Symptoms:
BIG-IP supports a naming format for some objects where you can use an IP address. BIG-IQ seems not to handle this. For instance, a self-ip can be named "10.9.91.254"; however, BIG-IQ does not support adding the CIDR to the end like this:

10.9.91.254_24

That is a valid Self IP name on BIG-IP and works for other objects that require IP and Masks.

Conditions:
BIG-IP supports a naming format for some objects where you can use an IP address. BIG-IQ seems not to handle this. For instance, a self-ip can be named "10.9.91.254"; however, BIG-IQ does not support adding the CIDR to the end like this:

10.9.91.254_24

That is a valid Self IP name on BIG-IP and works for other objects that require IP and Masks.

Impact:
BIG-IQ cannot create these objects using a name with <ip>_<port> format.

Workaround:
Creation can be performed on BIG-IP and re-discovered and re-imported.

Fix:
BIG-IQ now accepts names with IP_CIDR as valid.


631874 : Audit Log Syslog Server Configuration

Component: BIG-IQ System User Interface

Symptoms:
When using the select all checkbox, the Remove button is not enabled.

Impact:
User is unable to remove all syslog servers when selecting them using the select all checkbox.

Workaround:
When attempting to remove all of the audit log syslog servers, remove them one at a time or check them all individually.

Fix:
The Select all checkbox now properly enables the remove button.


631249 : Creation/Deletion of an Auth Provider may need a browser refresh to be able to see updated Auth Provider list

Component: BIG-IQ System

Symptoms:
After creating an Auth Provider, Auth Providers page may not show the new provider. Similarly, when deleting a provider, it may still appear on the page.

Impact:
The Auth Provider page shows stale data.

Workaround:
To update the page with the latest data, perform a browser refresh on the page.

Fix:
BIG-IQ now automatically refreshes the page to show the current Auth Providers.


631211 : Manually reforward alerts matching transform rules

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
This is an RFE to allow the user to forward specific alerts after applying transform rules again.

Conditions:
This feature is applicable only when user applies transform rule manually through UI.

Impact:
Without this feature there is no way for user to re-send updated alerts.

Fix:
This feature is now available. It allows an admin to re-forward alerts when they match a rule. Typically this will be a new rule that did not exist when the alert was first received.


631015 : HA Failover initiated from Secondary node may leave the BIG-IQ cluster in "standalone" mode

Component: BIG-IQ System User Interface

Symptoms:
When Promote-to-Primary has been initiated from the Secondary,

Conditions:
The secondary will become standalone.

Impact:
This can cause confusion for the customer.

Workaround:
In 5.1 the promotion should be initiated from the primary device, not the secondary.

Fix:
The option on the Secondary to promote to primary has been changed to 'Reset to Standalone'. Normally the promotion should be initiated from the primary.
This option is intended for use when the primary is not accessible.


630660 : The bigiqsnmpd daemon cores

Component: REST Framework and TMOS Platform

Symptoms:
The bigiqsnmpd daemon cores.

Conditions:
This happens in some circumstances such as when using the snmpwalk command on BIG-IQ.

Impact:
SNMP functionality is impaired.

Fix:
The snmp daemon no longer cores due to these conditions.


630438 : User can create a "Standard" Virtual Server with *All Protocols and a 'None' Any IP profile.

Component: BIG-IQ Local Traffic & Management

Symptoms:
User can click save when creating VS of type 'Standard', with Protocol '*All Protocols' and Any IP profile 'none'.

Conditions:
User is creating a Virtual Server and selects *All Protocols for Protocol.

Impact:
If this virtual server is deployed, BIG-IP will add a fastl4 profile. It will show up as Performance (Layer 4) type instead of standard.

Fix:
BIG-IQ now prevents the invalid combination of VS attributes.


629835 : Update to RHEL6 kernel

Component: REST Framework and TMOS Platform

Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic

Impact:
Unexpected machine reboot causing loss of service

Workaround:
None.

Fix:
Red Hat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()


629725-1 : Breaking up an HA pair does not remove the console from the Logging Configuration Cluster.

Component: REST Framework and TMOS Platform

Symptoms:
When you remove the peer Console node from the BIG-IQ HA pair, the Console node remains in the Logging Configuration Cluster. On the GUI of either Console node, the System Management > BIG-IQ LOGGING > Logging Configuration screen shows the same number of "Nodes in Cluster" before and after the peer is removed.

Impact:
This has no effect on FPS services or HA. The Console nodes no longer share configuration information after you break up the pair, and resume sharing if you later rejoin them.


628858-1 : Correct IP address is not shown for the client IP in some FPS alerts

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
If an alert is received from a client that is behind multiple intermediate proxies, the wrong client IP is extracted from the alert.

Conditions:
There has to be one or more intermediate proxies between client and server.

Impact:
The client IP address field is populated with the address of an intermediate device, which is the wrong value.

Fix:
The list of IP addresses is now interpreted in the correct order. The client IP and proxy IP addresses are listed correctly in FPS alerts.


628518 : DSC Cluster: Importing LTM configuration for second device fails

Component: BIG-IQ Local Traffic & Management

Symptoms:
Unable to import LTM configuration of second device of a DSC pair. It fails with an error similar to: [ERROR][24 Oct 2016 17:36:47 CEST][/cm/adc-core/tasks/device-sync/77ece313-26c6-47d9-9b88-97fd7ea1732e/worker AdcDeviceSyncTaskWorker] Reject reentrant transition to status FAILED - java.lang.IllegalStateException

Conditions:
At least one LTM object is NOT "In Sync". For example, the same virtual has different properties in different devices (e.g. one has SNAT automap and another SNAT pool).

Impact:
Unable to import LTM configuration.

Workaround:
Identify the out-of-sync LTM objects in BIG-IP. Correct the LTM objects and ensure config sync occurs. Remove both DSC members from BIG-IQ. Re-discover and re-import LTM configuration for the DSC members.

Fix:
BIG-IQ now correctly imports LTM configuration from the second device of a DSC pair.


628365-1 : Minimum Master Eligible Nodes can be set to value higher than the number of nodes in cluster

Component: REST Framework and TMOS Platform

Symptoms:
On BIG-IQ System Management-> BIG-IQ LOGGING-> Logging Configuration page, Minimum Master Eligible Nodes can be given value higher than the "Nodes in Cluster" value shown on the page.

Impact:
The system overrides the incorrect value provided by the system and sets it back to the expected value based on its internal calculations.


627518-1 : Unable to display Advanced Phishing Alerts

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Although Advanced Phishing alerts are received and counted, they are not displayed in the table.

Impact:
User is unable to see the alert in detail.

Fix:
Some alerts were showing up in the count for an alert type, but were not listed among the grouped alerts. These alerts did not have the property that the alerts were being grouped on. For example, they were missing the domain, and they were grouped on the domain. This is now fixed. Missing fields that are used for grouping are now grouped under a 'No Domain Available' group name.


626476 : FPS Forwarding: Incorrect date value using {date} info tag

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When alert is forwarded, date is rendered with the minutes repeated in the month position. The format is dd.mm.yyyy HH:mm, while it should have been dd.MM.yyyy HH:mm.

Conditions:
This issue occurs only in alert forwarding with {date} tag.

Impact:
Unexpected date-format is forwarded as part of the alert.

Fix:
When forwarding alerts with dates, the time is rendered in correct format: dd.MM.yyyy HH:mm


625630 : GUI error when filtering alerts in custom date

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
UI shows error while searching for alerts with custom dates.

Conditions:
The issue only occurs when the client is in a timezone with '+' in the string. This causes the query to be misinterpreted, resulting in an error.

Impact:
User cannot search alerts with a custom date.

Fix:
When doing an advanced filter for FPS alerts, setting a custom time caused errors when filtering in some time zones. This is now fixed.


625230 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Vulnerability Solution Article: K10558632


624825 : Error: Could not determine which real kinds mapped to intermediate kind ADC_SSL_CERT

Component: BIG-IQ Local Traffic & Management

Symptoms:
An LTM evaluation/deployment fails with the error: Could not determine which real kinds mapped to intermediate kind ADC_SSL_CERT.

Conditions:
This issue may occur when the LTM evaluation/deployment occurs for clustered BIG-IPs.

Impact:
This issue prevents deployments to affected BIG-IPs.

Fix:
BIG-IQ now properly handles deployments in this situation.


624679 : Managed devices were marked unavailable intermittently

Component: REST Framework and TMOS Platform

Symptoms:
Firewall rules intended to restrict access to an ant daemon running on the system might incorrectly interfere with managed device traffic generated by the BIG-IQ system on port 54321.

Conditions:
BIG-IQ connection to managed devices with source port "54321".

Impact:
This may result in a managed device being incorrectly marked unavailable.

Workaround:
As a workaround, add these iptables commands to the '/config/startup' script, and reboot the BIG-IQ system (or manually run these commands once). These commands modify the firewall rule to prevent interference with managed device traffic:

  /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
  /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
  /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
Firewall rules no longer incorrectly interfere with managed device traffic generated by the BIG-IQ system on port 54321.


623155 : Linux kernel vulnerability CVE-2016-4470

Vulnerability Solution Article: K55672042


622257 : Linux kernel vulnerability CVE-2016-5829

Vulnerability Solution Article: K28056114


622069 : Resolution of multiple curl vulnerabilities

Vulnerability Solution Article: K16704 K16707


621986 : Users can't generate AVR reports in WebApplication or Network Security modules against a BIG-IP HA setup

Component: BIG-IQ App Visibility and Reporting (AVR)

Symptoms:
When trying to generate an AVR report on a single or a group of devices an error "Proxy task failed" is returned.

Conditions:
Attempting to generate AVR reports against a BIG-IP HA cluster environment. This can also happen intermittently.

Impact:
Customers aren't able to generate AVR reports.

Fix:
When trying to generate an AVR report on a single or a group of devices an error "Proxy task failed" was returned. This could also happen intermittently.

The fix makes sure the outgoing AVR requests from the BIG-IQ are destined for the queried device only and are not replicated to the HA peers.


621767 : LTM service discovery fails if virtual address has route domain with "any" address

Component: BIG-IQ Local Traffic & Management

Symptoms:
Discovery fails with error: "Error while transforming Virtual Server, Details: java.lang.IllegalArgumentException: Invalid route domain (1:0)."

Conditions:
This issue applies to virtual addresses with a route domain and an "any" or "any6" address.

Impact:
LTM service discovery fails.

Workaround:
1) Manually edit bigip.conf and change the name of the virtual address named "any" to "0.0.0.0". Find line: "ltm virtual-address /Common/any%1" and change the "any" to "0.0.0.0". Load config via "tmsh load sys config" and save config via "tmsh save sys config".

Fix:
BIG-IQ now properly handles this case during LTM discovery.


621627 : SNMP Client Allowed List has incorrect Mask value in builtin entry

Component: BIG-IQ System

Symptoms:
On the SNMP Access - Client Allowed List screen, there is a single entry with default Mask set as "127.". This is wrong, only the address should be set as "127.".

Conditions:
The mask is not changed to a valid mask before saving.

Impact:
The default values shown on the screen are incorrect and must be corrected by the user.

Workaround:
Replace the mask with valid value.

Fix:
BIG-IQ has been updated to prevent this.


621516 : ASM - import failure when policies originate from a device with users that have special characters in username

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM import failure when policies originate from a device with users that have special characters in the username.

Conditions:
A BIG-IP user whose username contains a special character, such as '!', makes a change to a security policy before the configuration is discovered and imported.

Impact:
This issue causes an error when importing the configuration.

Fix:
Device configurations with usernames that contain the '!' character no longer generate an error when imported into BIG-IQ. Validation logic has been changed to accept those configurations.


621413 : OpenSSL vulnerability CVE-2016-6304

Vulnerability Solution Article: K54211024


621321 : Europe/Moscow timezone is incorrect

Component: REST Framework and TMOS Platform

Symptoms:
Incorrect time shown for Moscow

Impact:
Incorrect time shown for Moscow

Fix:
Fixed by bringing in latest timezone files.


621244 : vjail score not shown on dashboard for mobilesafe alerts

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
When MobileSafe alerts are received with a vjail score, the score is not displayed in the UI.

Impact:
The field and value are missing from the UI.

Fix:
For some MobileSafe alerts, the vjail score was not shown. This is now fixed.


620901 : Missing "client IP" field in alert on BIG-IQ FPS dashboard

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
If client IP information is received from any source other than alert header, it was not collected.

Conditions:
If client IP information is received from any source other than alert header, it was not collected

Impact:
The UI does not show the client IP correctly. Alerts cannot be searched using the client IP.

Workaround:
No workaround.

Fix:
Some alerts, such as copied pages phishing, did not have the client IP address set correctly if it was not in the header. This is now fixed.


620231 : The Web Application Security marks all devices as modified when restoring configuration from a snapshot

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The Web Application Security marks all devices as modified when restoring a configuration snapshot, even when the restore operation does not change device configuration in working-config.

Conditions:
A restore operation is done that changes configuration for some of the devices.

Impact:
The issue may lead users to think that a deploy operation is required.

Workaround:
An evaluation can be attempted to check whether deploy changes are needed. If not, the system will turn off the modified device indicator.

Fix:
The system now better detects which device configuration has changed during the restore operation, and only such devices are now marked with the modified device indicator.

Behavior Change:
When restoring a Web Application Security configuration, the modified device indicator is now turned on only for devices whose configuration was changed by the restore operation. Before this change, all devices would have their indicator turned on.


619890 : BIG-IQ cannot be setup when configured with VLANs referencing trunks

Component: BIG-IQ System

Symptoms:
After attempting to complete BIG-IQ's setup wizard, the following error appears in the restjavad logs repeatedly: [ERROR][27 Sep 2016 11:17:38 AEST][/shared/system/easy-setup EasySetupWorker] Unexpected exception: java.lang.NullPointerException

Conditions:
This issue occurs when BIG-IQ is configured with trunks for interfaces which are referenced via VLANs / Self IPs.

Impact:
BIG-IQ cannot be setup when configured with VLANs referencing trunks.

Workaround:
Use the CLI/tmsh to configure more complicated networking after running BIG-IQ setup.

Fix:
BIG-IQ's setup wizard can now be completed when the internal VLAN is configured with a trunk. See release notes for ID635584 for remaining related issues.


618497 : OpenSSL vulnerability CVE-2016-2182

Vulnerability Solution Article: K01276005


618007 : BIG-IQ does not correctly link VLAN and interface configuration from Viprion when blade id is part of the interface name

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ does not correctly link VLAN and interface configuration from Viprion when blade id is part of the interface name.

Conditions:
This occurs with interfaces including blade names.

Impact:
When viewing the linkage between the interfaces and VLANs, the interfaces containing the blade id (e.g. "1/1.1") will not appear to be linked to the VLANs.

Fix:
BIG-IQ now properly imports interfaces for VLANs on Viprions.


617607 : Changing the state of pool members or virtual servers on manual sync DSC groups moves the group out of sync.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Instant deployments (i.e., updating the BIG-IP state of a virtual server or pool member outside of the Change Management module) within a manually-synced, clustered BIG-IP environment will result in an error being thrown for one of the two BIG-IPs. Furthermore, the two BIG-IPs will be in Changes Pending state following the deployment.

Conditions:
BIG-IP cluster is setup as a manually-synced cluster (Sync-Failover group is set to Manual Sync).

Impact:
The deployment will fail to one of the two devices, and the BIG-IP devices will be left in Changes Pending state.

Workaround:
Log into one of the BIG-IP devices, and manually sync the changes from the one device that got the change to the other one (click the "Changes Pending" link in the top-left corner). Or set the cluster to sync automatically.

Alternatively, the cluster can be sync'd via the BIG-IQ UI using the Device Management -> DSC Groups and syncing in the DSC Group Properties.

Fix:
BIG-IQ now handles instant deployments in this scenario.


617547 : Changing timer policy rule from a port-based to non-port-based protocol

Component: BIG-IQ Network Security

Symptoms:
If a timer policy rule is changed from a port based protocol to non-port-based protocol, deployment will fail with device error when the change is deployed from the BIG-IQ to the BIG-IP.

Conditions:
Seen when a BIG-IP port-based timer policy rule is changed to non-port-based rule in a BIG-IQ deployment task.

Impact:
Timer policy rules cannot be changed from port-based to non-port-based rules using a BIG-IQ deployment task.

Workaround:
On the BIG-IQ, delete the port-based timer policy rule in the timer policy, and create a new non-port-based rule with the same name or a new name.

Fix:
A timer policy rule that is changed from a port-based protocol to a non-port-based protocol no longer causes deployment failure.


617266 : SevOne PLA schedule end date cannot be extended if schedule is finished

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
If the last scheduled SevOne PLA configuration push has occurred for a particular SevOne PLA schedule, the end date for that schedule cannot be extended.

Conditions:
Seen on daily, weekly, and monthly schedules.

Impact:
User must create a new SevOne PLA external logging device entry with a new schedule if the end date is to be extended.

Workaround:
Create a new SevOne PLA external logging device entry with a new schedule that contains the desired end date.

Fix:
An existing PLA configuration push schedule can be extended into the future even after it has reached its previously configured end date.


617178-1 : Prefix Length value of None in custom source address persistence profile on BIG-IP gets parent's value on BIG-IQ after importing

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ cannot detect that a child source address persistence profile has inherited its parent's value. This is due to a defect on BIG-IP in versions before 11.6.

Conditions:
This issue only applies to BIG-IP versions below 11.6. This occurs when the parent source address persistence profile (source_addr) has a mask or prefix set and a child profile has this setting as "none".

Impact:
On BIG-IQ the prefix value will appear to be customized on the child source address profile even though on BIG-IP it is not.

Workaround:
If managing versions 11.5.x, do not set parent source address profiles' masks. Instead manage the mask on the children directly.

Fix:
BIG-IQ now supports setting the mask on the parent.


615180 : Web Application Security deployment from a snapshot fails

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Web Application Security deployment from a snapshot fails with error: Exception in verifyConfig: java.lang.NullPointerException.

Conditions:
The issue happens when deploying a configuration from a snapshot and the deployed changes include deletion of policies.

Impact:
The issue causes a deployment/evaluate failure.

Fix:
A deployment crash that involved deletion of policies was fixed.


614819 : Devices under high load may show inaccurate status messages

Component: BIG-IQ Device Management

Symptoms:
On a BIG-IQ under high load, there can be occasional displays of the "You are not licensed yet" banner, even though the device is licensed. Performance problems can also cause managed devices to falsely appear as "unhealthy".

Conditions:
This is an intermittent issue under certain high-load situations.

Impact:
This can be confusing to you. Certain actions may not succeed on devices that are marked "unhealthy".

Workaround:
Wait a few minutes, and the issue should resolve itself.

Fix:
BIG-IQ now shows the "You are not licensed yet" messaging only after confirming that is indeed the case.


614233-1 : Browser performance degradation with large number of discovered Profiles, Monitors and iRules that have unique fullPaths

Component: BIG-IQ Local Traffic & Management

Symptoms:
Browser performance is degraded on Virtual Servers, Pools, Pool Members and Nodes properties pages.

Conditions:
One or more BIG-IPs are discovered with hundreds/thousands of Profiles, Monitors or iRules and user navigates to a Virtual Server, Pool, Pool Member or Node properties page or attempts to create a new object of one of these types.

Impact:
Browser performance is degraded. In some browsers, such as Firefox, you may see a dialog that shows "A script on this page may be busy, or it may have stopped responding."

Workaround:
Use the latest version of Chrome browser for best performance.

Fix:
The performance of this area has been greatly improved.


613558 : Unable to delete System Self IP using Internet Explorer 11

Component: BIG-IQ System

Symptoms:
Nothing happens when trying to delete System Self IP via GUI.

Conditions:
Issue applies when using Internet Explorer 11.

Impact:
User is unable to delete System Self IP.

Workaround:
Use Firefox or Chrome browser. Self IP can also be removed via tmsh using: "tmsh delete net self <self_ip_name>". Or the REST API using: "restcurl -u <user:password> /mgmt/tm/net/self/~Common~<self_IP_name> -X DELETE"

Fix:
System Self IPs can now be deleted using Internet Explorer 11.


613353 : Multiple OpenSSL Vulnerabilities

Vulnerability Solution Article: K90492697


613245 : Alert Transform Rule import with CSV files larger than 8MB fails

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Import of large CSV file fails.

Conditions:
Only when files are larger than about 8 MB

Impact:
User cannot apply signatures, typically exported from SOC.

Workaround:
- Split the CSV file into multiple files, each less than 8MB.
- Ensure the split happens along a line boundary, so that each file contains only complete lines.
- Ensure the CSV header (first line from the original file) gets copied to each subsequent split file. That way each CSV file has its own header.
- Upload these smaller CSV files individually.
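
The splitting steps above can be scripted. The shell function below is an added example, not F5 tooling: the function name, the output file naming and the byte limit passed in are assumptions, and it assumes the header occupies a single line. It goes slightly beyond the listed steps by keeping a quoted field that contains line breaks within one output file.

```shell
# split_csv_with_header FILE MAX_BYTES OUT_PREFIX
#
# Writes OUT_PREFIX001.csv, OUT_PREFIX002.csv, ... so that each file:
#   * starts with a copy of the first line (the CSV header) of FILE,
#   * contains only complete records,
#   * is at most MAX_BYTES bytes long.
# Prints the number of files written. Fails if a single record plus the
# header cannot fit in MAX_BYTES, or if a quoted field is never closed.
split_csv_with_header() {
    src=$1
    max_bytes=$2
    prefix=$3

    [ -r "$src" ] || { echo "cannot read: $src" >&2; return 1; }
    case $max_bytes in
        ''|*[!0-9]*) echo "MAX_BYTES must be a positive integer" >&2; return 1 ;;
    esac

    # LC_ALL=C makes length() count bytes rather than characters.
    LC_ALL=C awk -v max="$max_bytes" -v prefix="$prefix" '
        # Append the completed record in rec to the current part, opening
        # a new part (with its own header copy) when the limit is reached.
        function flush_record(    len) {
            len = length(rec) + 1            # +1 for the trailing newline
            if (hdr_len + len > max) {
                printf "record ending at line %d cannot fit in %d bytes\n", NR, max > "/dev/stderr"
                failed = 1
                exit 2
            }
            if (part == 0 || size + len > max) {
                if (part > 0) close(out)
                part++
                out = sprintf("%s%03d.csv", prefix, part)
                print header > out
                size = hdr_len
            }
            print rec > out
            size += len
        }

        # First physical line is the header that every part must carry.
        NR == 1 { header = $0; hdr_len = length($0) + 1; next }

        {
            # Join physical lines while a double-quoted field is still open.
            rec = (open_quote ? rec "\n" : "") $0
            tmp = $0
            if (gsub(/"/, "&", tmp) % 2) open_quote = !open_quote
            if (!open_quote) flush_record()
        }

        END {
            if (failed) exit 2
            if (open_quote) {
                print "unterminated quoted field at end of file" > "/dev/stderr"
                exit 3
            }
            print part + 0
        }
    ' "$src"
}
```

Because the limit in this issue is described only as "about 8 MB", pass a MAX_BYTES value with some margin below it.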

Fix:
FPS Alert Transform Rule CSV files up to 32MB in size are now supported.


612566 : FPS alerts or ASM Events or Access Reporting is empty after restoring a Logging Cluster Snapshot

Component: REST Framework and TMOS Platform

Symptoms:
After running restore operation on the Data Collection Devices, FPS alerts or ASM events or Access Reporting do not display restored data.

Conditions:
You find the following in the restjavad logs:
java.lang.IllegalArgumentException: status:403, body:{"error":{"root_cause":[{"type":"index_closed_exception","reason":"closed","index":"websafe_2016-08-23t00-00-00-0700"}],"type":"index_closed_exception","reason":"closed","index":"websafe_2016-08-23t00-00-00-0700"},"status":403}

Impact:
FPS alerts not visible (or ASM events or Access reports)

Workaround:
Query for closed indices:
curl 'localhost:9200/_cat/indices?pretty'

Then, for each closed index, run the following command:
curl -X POST 'localhost:9200/<index_name>/_open'

Fix:
You will need to open closed indices so that the queries can work


612044-1 : iHealth upload fails after BIG-IP upgrade from 11.5.x

Component: BIG-IQ Device Management

Symptoms:
iHealth upload may fail with the error "Request for POST on <IP address> failed: status:400". The failure message will also contain the text "Only requests [[Source: LOCAL], [Source: BIGIQ]] are supported".

Conditions:
This occurs following a BIG-IP upgrade from an 11.5.x version.

Impact:
iHealth upload may fail with the error "Request for POST on <IP address> failed: status:400". The failure message will also contain the text "Only requests [[Source: LOCAL], [Source: BIGIQ]] are supported".

Workaround:
This issue can be resolved by removing BIG-IP from BIG-IQ management and then adding it back.

Fix:
This issue has been fixed in BIG-IQ 5.2.


611257 : BIG-IQ signals success when assigning a license to an unmanaged BIG-IP hardware-based device

Component: BIG-IQ Device Management

Symptoms:
BIG-IQ signals success when assigning a license to an unmanaged BIG-IP hardware-based device, however, the hardware device rejects the license.

Conditions:
Assigning a license from BIG-IQ to an unmanaged BIG-IP hardware device.

Impact:
The customer is led to believe the licensing operation was successful when it has in fact failed.

Fix:
BIG-IQ now prevents assigning a license to a hardware device.


610660-1 : Unexpected difference and loss of inheritance for null-mask in Source Addr persistence profile on BIG-IP

Component: BIG-IQ Local Traffic & Management

Symptoms:
After successful deployment and subsequent evaluation, BIG-IQ UI shows a difference where there should be none.

Conditions:
This issue occurs when a source address profile with "mask none" is created on BIG-IQ and deployed to a BIG-IP 11.5.x device.

Impact:
The persistence profile loses its inheritance nature. A mask overridden with "none" on BIG-IQ is ignored by BIG-IP. BIG-IP 11.5.x devices treat null as "none" in this context but should not. A false difference is presented to user.

Workaround:
Always explicitly override all properties with the desired value.

Fix:
BIG-IQ now has a workaround for cases where BIG-IP does not differentiate 'none' overrides.


610216 : Linux TCP Stack vulnerability CVE-2016-5696

Vulnerability Solution Article: K46514822


610135 : Firewall or NAT policies may show false differences, in some conditions, when IP protocol 138 through 141 are used.

Component: BIG-IQ Network Security

Symptoms:
When a BIG-IQ 5.0 with Firewall or NAT policies containing rules using IP protocols 138 through 141 is upgraded to 5.0 HF1 or later, there are cases when a false difference is shown for those protocols after deployment.

Impact:
The BIG-IQ will continue to show differences between its configuration and the BIG-IP's for these protocols until the workaround is executed. Functionally the BIG-IP will behave correctly.

Workaround:
To correct these erroneous differences, deploy any other pending changes to the device. Following the deployment, re-import the device choosing "USE BIG-IP" in the conflict resolution screen for the rules showing a protocol difference.

Fix:
When a BIG-IQ 5.0 with Firewall or NAT policies containing rules using IP protocols 138 through 141 is upgraded to 5.0 HF1 or later, false differences are no longer shown for those protocols after deployment.


609403 : The BIG-IQ timezone is off-set for the SevOne Performance Logging Appliance monthly-scheduled push time

Component: REST Framework and TMOS Platform

Symptoms:
If the BIG-IQ time zone is different than the browser time zone for the browser accessing BIG-IQ, then the SevOne external logging device, monthly scheduled next push time, is offset as follows: monthly scheduled push time + (browser time - BIG-IQ time).

Conditions:
This occurs only for monthly push schedules.

Impact:
This time zone difference offset behavior results in an unexpected monthly scheduled push time.

Workaround:
When configuring a monthly push schedule, factor in any time zone difference between the browser time zone and the BIG-IQ time zone.

For example, if the browser is being run in ET (eastern time zone), and BIG-IQ is sited in a data center in CT (central time zone), offset the desired monthly push time by one hour, as follows: desired push time 12:00, configured push time 11:00. NOTE: There is a one-hour difference between ET and CT.

Fix:
This issue has been resolved in BIG-IQ version 5.2. Timezone offset for monthly schedules is calculated correctly.


608932-1 : DSC Sync status not correctly determined

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
If the cm device-group name on a BIG-IP is a substring of the hostname of a BIG-IP in the group, the configuration may not be parsed correctly.

Conditions:
The cm device-group name is part of a hostname.

Example:
BIG-IP device-group spain-madrid
BIG-IQ Cluster group name spain-madrid

hostname spain-madrid-bigip1.example.com

Impact:
BIG-IQ fails to manage device correctly.

Workaround:
Rename the device-group to a unique name.

Remove the BIG-IPs from the BIG-IQ config.

On BIG-IP:
1) Create a new empty device group
2) Move devices out of the old device-group
3) Put devices in the new device group
4) Delete the old device group
5) Perform initial sync

On BIG-IQ, discover the devices.

Fix:
DSC sync status is correctly determined even for groups whose names are substrings of device names.


606431 : Certain Web Application Security related-to searches take a long time to complete

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Certain Web Application Security related-to searches take a long time to complete. This happens when a large number of devices is discovered and imported into BIG-IQ Web Application Security.

Conditions:
This happens when a large number of devices is discovered and imported into BIG-IQ Web Application Security, and performing a related-to search on signature sets.

Impact:
The search may take several minutes to complete.

Fix:
BIG-IQ related-to search performance on large scale configuration was improved so these searches are now faster than they were in previous releases.


603960 : Managed device license status is not updated

Component: BIG-IQ Device Management

Symptoms:
BIG-IQ's managed device license status does not reflect the current managed device's license status for 12 hours.

Conditions:
A BIG-IP with an expired license has recently been reactivated or a new license granted.

Impact:
Incorrect managed device license status is shown for 12 hours.

Workaround:
PATCH /mgmt/cm/shared/event/alert-config/license_health
{
"eventCreationIntervalInMillis": 60000,
"pollingInterval": "1m",
"eventTimeWindow": "1h"
}

This sets the config to generate an event every minute, check for alerts every minute, and check events over the past hour. An alert should be thrown within a few minutes.

Note that in scale environments this will introduce thousands of new events into the system and may cause Toku slowness.

Fix:
The reactivated/new license status is now updated within a few minutes.


600379 : OpenSSL vulnerability CVE-2016-2177

Vulnerability Solution Article: K23873366


599845 : Hardware compression test fails on BIG-IQ 7000.

Component: REST Framework and TMOS Platform

Symptoms:
Internally executed hardware acceleration tests fail while running a platform-check utility command.

Conditions:
Running hardware acceleration tests with the platform-check utility command on the BIG-IQ 7000 series platforms.

Impact:
Tests fail.

Workaround:
None.

Fix:
Internally executed hardware acceleration tests now complete successfully on the BIG-IQ 7000 series platforms when running a platform-check utility command.


598590 : Web Application Security - device modified indicator is not turned on when deploying the configuration from a snapshot.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Web Application Security - device modified indicator is not turned on when deploying the configuration from a snapshot.

Conditions:
Deployment from a previously saved snapshot is performed.

Impact:
Devices are not marked as modified in the BIG-IQ UI.

Workaround:
To check if the device is modified and evaluate changes.

Fix:
BIG-IQ Web Application Security now marks devices as modified (changes pending) when configuration deployment was done from a snapshot, since it is likely that there are changes in working config that are not yet deployed.


597979-1 : Path sanitization for iControl REST worker

Vulnerability Solution Article: K99998454


596787 : Cannot export Web Application Security event logs in a CSV file using Chrome/Firefox

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Exporting Web Application Security event logs fails silently without any errors in Web Application Security GUI when clicking the Select All option.

Conditions:
The issue happens when the Select All option is used, which selects more than 50 event logs per screen; however, users are able to download CSV files for a smaller number of selected Web Application Security event logs in Chrome/Firefox.

Impact:
Users cannot retrieve event logs in a CSV file on Chrome/Firefox.

Workaround:
Event logs can be exported in a CSV file by using Internet Explorer as the browser, or by selecting fewer records at a time.

Fix:
Improvements were added to the server side code to improve scalability and support exporting of a larger number of events.


595822 : Deployment will fail if a FW NAT Policy coexists with existing LTM pools (either SNAT/LSN/Automap or LTM Pool)

Component: BIG-IQ Network Security

Symptoms:
Deployments will fail if a firewall NAT policy coexists with existing LTM pools (either SNAT/LSN/Automap or LTM Pool).
If a virtual server has a firewall NAT policy attached along with LTM pools (either SNAT/LSN/Automap or LTM Pool) configured, the deployment will fail.

Impact:
No verification warning or critical error is displayed to the user prior to the deployment failing.

Fix:
This erroneous configuration is now caught in the off-line verification phase of the deployment.


595302 : DoS Profiles do not support correct upper range everywhere

Component: BIG-IQ Network Security

Symptoms:
Some BIG-IQ DoS Profile fields have incorrect upper boundaries for fields that support ranges. Where BIG-IP system supports up to 4294967295 for many fields, in some places BIG-IQ supports only a maximum value of 2147483647.

Conditions:
The following error messages might be displayed if you specify too large of a number for a DoS Profile field, "This value is too large" or
"The system returned an unexpected error (400 Bad Request). Invalid JSON posted - could not deserialize to class com.f5.rest.workers.security.shared.config.dosProfile.state.DosProfileApplicationState."

Impact:
When an incorrect upper range value is specified, the resulting error messages may not be as useful as possible.

Workaround:
When attempting to set the maximum value for a field, use 2147483647. Refer to the BIG-IP DoS Profile documentation to find the correct maximum value for a particular field.

Fix:
The correct maximum value is now indicated in all error messages for DoS Profile fields.


594397 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169

Vulnerability Solution Article: K14190


593678 : Critical error shown on deployment for 12.x devices with policies originated from 11.x devices

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Critical error shown on deployment for 12.x devices with policies originated from 11.x devices. The error states that policy builder settings and violation settings are inconsistent. Example: "Policy /Common/aaa: can't be used on a BIG-IP version 12.0.0. checkMaximumCookieHeaderLength value (true) on policy builder and the matching violation: VIOL_COOKIE_LENGTH (false) have different values." (slightly different cases exist).

Conditions:
The issue happens when automatic policy builder is enabled on the source policy.

Impact:
The policy can't be deployed.

Fix:
Policies that originated from 11.x with certain policy builder settings will no longer trigger critical errors on deployment to BIG-IP versions 12.x.


591982 : Policy specific signature settings (enabled, in staging) may not be deployed correctly when deployment task deploys other relevant changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Policy specific signature settings (enabled, in staging) might not be deployed correctly when the deployment task deploys other relevant changes.
If the deployment included any change that alters the signatures relevant for a policy, the signatures that are affected by this change are configured with the settings last set by BIG-IP system for those signatures, and not the settings that are saved in BIG-IQ.

Conditions:
This happens when policy signature settings are customized on BIG-IP/BIG-IQ and the change to deploy those customizations also includes changes that make these customized signatures relevant for policies. Such changes could include signature set filter changes, adding a signature set to a policy, or change in user defined signature attributes.

Impact:
Per policy signature settings are deployed incorrectly, and an additional deployment task may be required to set the user intended values.

Workaround:
Evaluate and deploy again when such changes are done

Fix:
When BIG-IQ manages a 13.x device, the interaction with BIG-IP improved so BIG-IP handles all signatures in the policy, not only those that match the signature sets. This eliminates the issue since changing signature sets no longer exposes older hidden configurations.
Behavior for versions before 13 is unchanged.


590604 : BIG-IQ does not manage the learn flag on BIG-IP policy sub violations - HTTP Protocol Compliance and Evasions

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ does not manage the learn flag on BIG-IP policy sub violations - HTTP Protocol Compliance and Evasions. The configuration is not discovered/imported/deployed.

Conditions:
The issue is only relevant to management of BIG-IP devices of versions 12 and above.

Impact:
Deployment of policy configurations to BIG-IP devices will result in different behavior compared to that on the BIG-IP on which the policies originated. Note that these are not policy enforcement settings (automatic learning).

Fix:
Support for management of the learn flag was added for the BIG-IP versions that support it.


590514-1 : [Fixed] Certificate Expiration emails report stale Expiration Date

Component: REST Framework and TMOS Platform

Symptoms:
Certificate Expiration emails report stale Expiration Date following certificate renewal.

This has been fixed in 5.2

Conditions:
Certificate expires on a managed system

Impact:
Cosmetic; the alert is still correct, it just displays the wrong date.

Workaround:
No workaround for 5.0.

Fix:
Certificate Expiration alert emails now include the correct expiration date when they are sent.


590492 : Missing vector support under DoS Single Endpoint for 11.5.3 BIG-IP; also, GUI error doesn't provide info of unsupported vectors

Component: BIG-IQ Network Security

Symptoms:
BIG-IQ Shared Security Device DoS only supports the following DoS Single Endpoint vectors for an 11.5.3 BIG-IP device: Any ICMP IPv4, Any ICMP IPv6, Any IPv4, and Any IPv6. The following vectors are not supported: Any UDP IPv4, Any UDP IPv6, TCP SYN without ACK IPv4, and TCP SYN without ACK IPv6.

An error like the following is shown when a user tries to configure unsupported Single Endpoint vectors for an 11.5.3 BIG-IP device:
"The system returned an unexpected error (400 Bad Request). dos-device-config is invalid on device bigip3.dmeast.acopianet.com (10.1.1.11), device doesn't support enhanced 11.6.0 features."

Conditions:
Select Device DoS from Shared Security. From Device DoS, under Device Configuration, select Single Endpoint. Both Single Endpoint Flood and Single Endpoint Sweep do not support the previously listed vectors with BIG-IP version 11.5.3.

Impact:
This issue results in the user being unable to use the unsupported vectors with BIG-IP version 11.5.3.

Fix:
All 11.5.3 DoS Single Endpoint vectors are now supported.


589931 : Multiple Samba vulnerabilities

Vulnerability Solution Article: K37603172


588651 : BIG-IQ fails to manage a BIG-IP device when changing the device certificate of the device

Component: REST Framework and TMOS Platform

Symptoms:
When the device certificate of a managed BIG-IP device is changed, the BIG-IQ device management for the related BIG-IP is compromised. The BIG-IP device would be unavailable for further device management workflows in the BIG-IQ user interface.

Conditions:
Changing the device certificate of a BIG-IP device while the BIG-IP is managed by a BIG-IQ.

Impact:
The BIG-IP device becomes unavailable in the BIG-IQ device management user interface.

Workaround:
Either of the following procedures would restore the availability of the managed BIG-IP device in the BIG-IQ device management user interface:
- re-discover the BIG-IP device using the BIG-IQ device management user interface
- restart the restjavad daemon on the BIG-IQ, using the BIG-IQ CLI and running the following command "bigstart restart restjavad"

Fix:
Either of the following procedures would restore the availability of the managed BIG-IP device in the BIG-IQ device management user interface:
- re-discover the BIG-IP device using the BIG-IQ device management user interface
- restart the restjavad daemon on the BIG-IQ, using the BIG-IQ CLI and running the following command "bigstart restart restjavad"


588359-1 : Multiple nginx vulnerabilities

Vulnerability Solution Article: K23073482


588171 : Under heavy sustained stress traffic over 500 sessions per second from the BIG-IP system, Logging Node fails to accept logs

Component: BIG-IQ Access

Symptoms:
BIG-IQ Logging Node drops logs if traffic on BIG-IP APM generates more than 4,500 logs per second for 10 minutes.

Conditions:
High number of sessions have to be created on the BIG-IP devices for a period of more than 10 minutes.

Impact:
Loss of logs on Logging node.

Workaround:
To try to work around this issue, load-balance the logs from the BIG-IP device to multiple BIG-IQ Logging Nodes, and enable the Access service on them.

Fix:
A design change adds flow control to the logging node listener.


587511 : libtar vulnerability CVE-2013-4397

Vulnerability Solution Article: K16015326


587060 : New policies deployed to BIG-IPs may have wrong settings for user defined signatures if those are created on different BIG-IP devices

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
New policies deployed to BIG-IP devices might have the wrong settings for user-defined signatures if those are created on different BIG-IP devices.

Conditions:
This happens when user-defined signatures are created independently on different BIG-IP devices.

Impact:
Wrong policy settings will be set on the target BIG-IP devices. Subsequent evaluations will show differences.

Workaround:
Evaluate and deploy again to correct the wrong settings.
We also recommend that you add all user-defined signatures through BIG-IQ to avoid the issue.

Fix:
Interaction with the BIG-IP was improved and now on deployment of new policies the correct signatures are set with correct values.


585769 : BIG-IQ Logging Snapshots: After scheduling a snapshot, the "Snapshot Schedules" reads "N/A"

Component: REST Framework and TMOS Platform

Symptoms:
After creating a new Snapshot Schedule in BIG-IQ Logging, if the Snapshot Schedules field displays "N/A", this might indicate that a snapshot schedule won't run.

If you did not encounter an error message while creating the snapshot schedule, BIG-IQ should correctly create a new snapshot at the next scheduled time.

Impact:
When the Snapshot Schedule is listed as "N/A" it may or may not be running a snapshot schedule.


584666 : Grid columns may be rendered partially or completely off-screen

Component: REST Framework and TMOS Platform

Symptoms:
Some grid columns may not be visible when the grid is too wide to fit into the current browser window.

Conditions:
Some grid columns may not be visible when the grid is too wide to fit into the current browser window.

Impact:
The page may look incorrect and visible columns will appear hidden when a user changes the width of a column.

Workaround:
To work around this issue:
- Increase the width of your browser window until all columns are visible.
or
- Change the visible columns by clicking the gear icon at the upper right corner of the grid, and adding or removing columns until the desired columns are visible.

Fix:
A horizontal scroll bar is now provided when grid columns exceed the visible screen width.


583975 : BIG-IQ Logging configuration should not be performed on the Logging Node

Component: REST Framework and TMOS Platform

Symptoms:
When a user logs in to a BIG-IQ Logging Node and goes to System Management > Logging Configuration, they can choose to configure the indices or the Snapshot policy.

This has no effect because it is performed on the Logging Node.

Conditions:
When a user logs in to a BIG-IQ Logging Node.

Impact:
The user does not see anything happen.

Workaround:
Make the changes from BIG-IQ.

Fix:
Logging configuration should not be modified on the BIG-IQ Logging Node.


582856 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: K91100352


582626 : Web Application Security event logs do not show violation ratings

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Web Application Security event logs do not show violation ratings, even when the BIG-IP system that sends the log records supports violation ratings.

Conditions:
Happens when BIG-IQ shows events from BIG-IP versions that support violation ratings.

Impact:
Violation ratings are not displayed.

Fix:
Web Application Security Event Logs now show the violation ratings coming in from the BIG-IP if the BIG-IP version supports it.


581899 : Logs and sessions info are missing in BIG-IQ Access reports

Component: BIG-IQ Access

Symptoms:
BIG-IQ Access reports are missing logs and session data.

Conditions:
This is usually seen under 2 circumstances:
1. Running bigstart restart apmd tmm on the managed BIG-IP device.
2. The log-node/restjavad on the Log-node restarts.

Impact:
Loss of logs and session info in BIG-IQ Access Reporting.

Workaround:
To resolve this issue, log in to the command line of the managed BIG-IP and type the following command: bigstart restart tmm

Fix:
The fix is in the HSL layer, which stops sending logs when its internal queue is full.
The fix is already checked into the 13.0 branch and will be integrated into the 12.1.0-hf2 branch once it is available.


581471 : Updating an LDAP Auth Provider fails

Component: REST Framework and TMOS Platform

Symptoms:
When attempting to change the "Bind Password" field, or when setting the "Connect Timeout" or "Read Timeout" fields to values greater than 2147483, users are unable to change the "Bind Password" value for LDAP auth providers.

Conditions:
When attempting to change the "Bind Password" field, or when setting the "Connect Timeout" or "Read Timeout" fields to values greater than 2147483.

Impact:
Users are unable to change the "Bind Password" value for LDAP auth providers.

Workaround:
To resolve this, delete and recreate the auth provider with the wanted "Bind Password" value.


580726-1 : License state information from REST worker is out of sync with device

Component: BIG-IQ Device Management

Symptoms:
The license information returned from the REST endpoint /mgmt/tm/shared/licensing/registration does not match the information returned from tmsh show sys license

Conditions:
1. Device has an expired license (for example, an expired Eval period)
2. That license is re-activated, so that inspecting the device manually shows it is no longer expired.

Impact:
The license state information returned from REST workers may be out of date with the information on the device.

Workaround:
Restart REST services on the BIG-IP device by typing bigstart restart restjavad


580103-1 : ADC deployment fails because a DNS resolver is being used by the http-explicit profile.

Component: BIG-IQ Local Traffic & Management

Symptoms:
ADC deployment fails because a DNS resolver is being used by the http-explicit profile. BIG-IQ does not know about this relationship, and BIG-IP does not allow the DNS Resolver to be removed when referenced by the HTTP Explicit profile.

Conditions:
User wants to deploy a deletion of a DNS Resolver which is referenced by a HTTP Explicit profile.

Impact:
Deployment will fail with a BIG-IP validation error.

Workaround:
To resolve this issue from BIG-IQ, add the device back to the DNS Resolver's list of attached devices. Alternatively, on the BIG-IP device, remove the association of the HTTP Explicit profile to the DNS Resolver.

Fix:
BIG-IQ now manages the HTTP profile and can detect and prevent this situation.


580015 : BIND vulnerability CVE-2016-1286

Vulnerability Solution Article: K62012529


579744 : glibc vulnerability CVE-2015-8776

Vulnerability Solution Article: K23946311


575659 : BIG-IP DSC Sync setting not modified on subsequent BIG-IP trust establishment

Component: BIG-IQ Device Management

Symptoms:
If you add a new BIG-IP device to an existing DSC cluster and the Deployment Settings mode is different than the other devices in the cluster, BIG-IQ ignores the setting for the new device.

Conditions:
This is only an issue if the value for the DSC Sync mode is different from the existing DSC cluster sync mode on a device addition to an existing DSC cluster.

Impact:
This means the DSC Sync mode for the cluster remains set to the value initially configured for the first BIG-IP added to the DSC cluster group.

Workaround:
To correct this issue: (1) Click the name of the newly-added BIG-IP device on the BIG-IP Device inventory screen (2) From the Properties screen, click the Edit button for the Cluster Members setting. (4) Edit the Deployment Setting to match the other cluster members.

Fix:
This issue has been fixed in BIG-IQ 5.2.


573323-3 : Remotely-authenticated user with Admin role changed to Guest by McpUsersEnumeratorWorker.

Component: BIG-IQ Device Management

Symptoms:
Remotely-authenticated user with Admin role changed to Guest by McpUsersEnumeratorWorker.

This breaks incremental config sync. There will be errors in /var/log/ltm similar to this:

Oct 19 06:43:37 bigip10 err mcpd[20373]: 01071488:3: Remote transaction for device group /Common/jsyncfail to commit id 3 6343171031926035192 /Common/bigip11.jay.local 0 failed with error 01020036:3: The requested user role partition (admin9) was not found..
Oct 19 06:43:37 bigip10 err mcpd[20373]: 01020036:3: The requested user role partition (admin9) was not found.

Additionally, logged in users will receive this message and be logged out:

Your user account role has been changed, you must re-authenticate.
Current session has been terminated.
Enter any key to end your session.

Conditions:
This occurs when a customer has remote authentication configured (such as TACACS or RADIUS), has logged in at least once, and has their BIG-IP managed by BIG-IQ.

Impact:
Logged in users are logged out. Incremental config sync no longer works.

Workaround:
Perform a full sync

Fix:
This issue has been fixed in BIG-IQ 5.2
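
The two mcpd messages quoted in the symptoms of 573323-3 can serve as a detection signal on managed BIG-IP devices. The following Python scan is an added example, not part of the F5 release note: it reads /var/log/ltm text, finds error 01020036:3, and groups hits by host and role partition. The field names `role_partition` and `commit_device`, and the reading of the 01071488:3 message layout, are assumptions taken from the single sample on this page.

```python
import re

# Sample /var/log/ltm text. The first two lines are the ones quoted in the
# symptom description of 573323-3; the third is a constructed, unrelated line
# included to show that non-matching entries are ignored.
SAMPLE_LTM_LOG = """\
Oct 19 06:43:37 bigip10 err mcpd[20373]: 01071488:3: Remote transaction for device group /Common/jsyncfail to commit id 3 6343171031926035192 /Common/bigip11.jay.local 0 failed with error 01020036:3: The requested user role partition (admin9) was not found..
Oct 19 06:43:37 bigip10 err mcpd[20373]: 01020036:3: The requested user role partition (admin9) was not found.
Oct 19 06:44:02 bigip10 notice mcpd[20373]: 01070000:5: constructed unrelated message
"""

# Syslog prefix as it appears in the sample: timestamp, host, severity, mcpd[pid]:
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<sev>\w+)\s"
    r"mcpd\[\d+\]:\s(?P<msg>.*)$"
)

# Error 01020036:3 names the user role partition that could not be found.
ROLE_NOT_FOUND = re.compile(
    r"01020036:3: The requested user role partition "
    r"\((?P<role_partition>[^)]+)\) was not found"
)

# Error 01071488:3 wraps the above when a config sync transaction fails.
# Assumption: the path after the commit id numbers is the device tied to it.
SYNC_FAILED = re.compile(
    r"^01071488:3: Remote transaction for device group (?P<group>\S+) "
    r"to commit id \d+ \d+ (?P<commit_device>\S+) \d+ failed with error "
)


def find_role_sync_failures(log_text):
    """Return one finding per (host, role partition) seen in error 01020036:3.

    Each finding records how many log lines mentioned it and, when the error
    arrived wrapped in a 01071488:3 sync failure, which device groups and
    devices were named, so a responder knows where a full sync is needed.
    """
    findings = {}
    for line in log_text.splitlines():
        entry = SYSLOG.match(line)
        if not entry:
            continue
        role = ROLE_NOT_FOUND.search(entry["msg"])
        if not role:
            continue
        key = (entry["host"], role["role_partition"])
        finding = findings.setdefault(key, {
            "host": entry["host"],
            "role_partition": role["role_partition"],
            "first_seen": entry["ts"],
            "lines": 0,
            "device_groups": set(),
            "commit_devices": set(),
        })
        finding["lines"] += 1
        sync = SYNC_FAILED.match(entry["msg"])
        if sync:
            finding["device_groups"].add(sync["group"])
            finding["commit_devices"].add(sync["commit_device"])
    # Convert sets to sorted lists so the result is stable and serializable.
    for finding in findings.values():
        finding["device_groups"] = sorted(finding["device_groups"])
        finding["commit_devices"] = sorted(finding["commit_devices"])
    return list(findings.values())


if __name__ == "__main__":
    for item in find_role_sync_failures(SAMPLE_LTM_LOG):
        print(item)
```

A finding with a non-empty `device_groups` list corresponds to the broken incremental config sync described above; one with an empty list only shows the role lookup failure.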


572613 : libjpeg vulnerability CVE-2013-6629

Vulnerability Solution Article: K59503294


572608 : Multiple libXML2 vulnerabilities

Vulnerability Solution Article: K61570943


571432 : Mozilla NSS vulnerability CVE-2015-2730

Vulnerability Solution Article: K15955144


570137 : Multiple Java vulnerabilities

Vulnerability Solution Article: K50118123


568590 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: K53445000


565221 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: K31026324 K94105604 K90230486


563839 : Multiple libpng vulnerabilities

Vulnerability Solution Article: K81903701 K76930736 K21057235


562693 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: K34250741


561855 : Multiple NSS Vulnerabilities

Vulnerability Solution Article: K31372672


559599 : BIG-IQ 7000: GUI Registration Key box is not populated by default

Component: BIG-IQ Device Management

Symptoms:
During initial setup for the BIG-IQ 7000 platform, the license registration key is not populated.

Impact:
BIG-IQ cannot be licensed without a known registration key.

Workaround:
To work around this issue, paste the key into the field. For new hardware platforms, you can find the key in the /config directory.

Fix:
This issue has been fixed. The key is now populated automatically.


557774 : BIG-IQ Discovery fails if a DoS profile is configured with custom Bot Signature on the BIG-IP

Component: BIG-IQ Network Security

Symptoms:
If you enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12.0 BIG-IP device, and then attempt to discover that BIG-IP device using a BIG-IQ system, the discovery will fail because the BIG-IQ DoS Profile only supports the default values for these parameters.

Additionally, if you configure a new Bot Signature category and use the category to create a bot signature list, the Action must be set to a value of None. If the Action is set to a value of Block or Report, discovery of the BIG-IP device will fail even if Bot Signatures are disabled on the BIG-IP device in the DoS profile.

Impact:
Discovery failure makes BIG-IQ unable to manage BIG-IP devices with certain configurations.

Workaround:
Do not enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12 BIG-IP device and then attempt to discover that device using a BIG-IQ system.

Fix:
Discovery of a version 12.0 BIG-IP device no longer fails after you modify the default values for Bot Signatures or Bot Signature Categories settings in Shared Security.


556431 : Linux libuser vulnerabilities

Vulnerability Solution Article: K05770600


554513 : PAM vulnerability CVE-2015-3238

Vulnerability Solution Article: K17494


548085 : Multiple kernel vulnerabilities

Vulnerability Solution Article: K17326


547438 : Multiple GNU TLS vulnerabilities

Vulnerability Solution Article: K17327


545723 : Multiple OpenSSH vulnerabilities

Vulnerability Solution Article: K17263


545369 : SNMP vulnerability CVE-2014-3565

Vulnerability Solution Article: K17315


542976 : Multiple BIND vulnerabilities

Vulnerability Solution Article: K17227 K17181


542392 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: K51518670


541002 : Multiple Java Vulnerabilities

Vulnerability Solution Article: K17172


540056 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: K17309 K17307


538018 : Apache vulnerability CVE-2015-3183

Vulnerability Solution Article: K17251


535886 : OpenSSH vulnerability CVE-2015-5600

Vulnerability Solution Article: K17113


535884 : BIND Vulnerability

Vulnerability Solution Article: K16909


533930 : PCRE library vulnerability CVE-2015-3210

Vulnerability Solution Article: K17235


533924 : PCRE library vulnerability CVE-2015-2325

Vulnerability Solution Article: K16983


531740 : Multiple FreeType vulnerabilities

Vulnerability Solution Article: K16900


530268 : SQLite vulnerability CVE-2015-3416

Vulnerability Solution Article: K16950


529394-1 : CVE-2014-7844 : mailx Vulnerability

Vulnerability Solution Article: K16945


529393-1 : CVE-2004-2771 : mailx Vulnerability

Vulnerability Solution Article: K16945


528771 : Multiple Logrotate vulnerabilities

Vulnerability Solution Article: K16869 K16870 K16871


527639-1 : CVE-2015-1791 : OpenSSL Vulnerability

Vulnerability Solution Article: K16914


527638-1 : OpenSSL vulnerability CVE-2015-1792

Vulnerability Solution Article: K16915


527637-1 : PKCS #7 vulnerability CVE-2015-1790

Vulnerability Solution Article: K16898


527633-1 : OpenSSL vulnerability CVE-2015-1789

Vulnerability Solution Article: K16913


526171 : Multiple LibTIFF vulnerabilities

Vulnerability Solution Article: K16715


526154 : Multiple Mozilla Network Security Services vulnerabilities

Vulnerability Solution Article: K16716


525391 : Linux kernel vulnerability CVE-2014-9585

Vulnerability Solution Article: K17241


525389 : Linux kernel vulnerability CVE-2014-9584

Vulnerability Solution Article: K17245


525386 : Linux kernel vulnerability CVE-2014-9529

Vulnerability Solution Article: K17239


525368 : Kernel Vulnerabilities

Vulnerability Solution Article: K17199


525365 : Linux kernel vulnerability CVE-2015-1593

Vulnerability Solution Article: K17244


525360 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: K17237


525349 : cURL vulnerability CVE-2015-3148

Vulnerability Solution Article: K16707


525347 : cURL vulnerability CVE-2015-3143

Vulnerability Solution Article: K16704


525279 : TLS vulnerability CVE-2015-4000

Vulnerability Solution Article: K16674


522207 : GNU C Library (glibc) vulnerability CVE-2013-7423

Vulnerability Solution Article: K16841


521050 : Apache vulnerability CVE-2013-5704

Vulnerability Solution Article: K16863


515231 : GNU C Library (glibc) vulnerability CVE-2015-1781 & CVE-2013-7423

Vulnerability Solution Article: K16865


511757 : BIND Vulnerability

Vulnerability Solution Article: K16356


505646 : Multiple Glibc vulnerabilities

Vulnerability Solution Article: K16010 K16435


503045 : CVE-2015-0204 : OpenSSL Vulnerability

Vulnerability Solution Article: K16139


501561 : Web Application Security does not allow changing the order of wildcard entities

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Web Application Security does not allow changing the order of wildcard entities.

Conditions:
None

Impact:
Users cannot change the order of wildcard entity evaluations

Fix:
BIG-IQ now supports changing the order of wildcard evaluations for different policy elements.


500788 : Linux kernel vulnerability CVE-2012-6657

Vulnerability Solution Article: K16011


499075 : CVE-2014-9293 : NTP Vulnerability

Vulnerability Solution Article: K15934


499073 : NTP vulnerability CVE-2014-9294

Vulnerability Solution Article: K15935


488801 : Kernel Vulnerabilities

Vulnerability Solution Article: K15852


487507 : Multiple OpenSSH vulnerabilities

Vulnerability Solution Article: K15780


486791-1 : Resolution of multiple wireshark vulnerabilities

Vulnerability Solution Article: K16939


486622 : Path MTU discovery vulnerability CVE-2004-1060

Vulnerability Solution Article: K15792


486354 : Multiple PHP 5.x vulnerabilities

Vulnerability Solution Article: K15761


484319-1 : File vulnerabilities

Vulnerability Solution Article: K16954


481806-1 : Java Runtime Environment vulnerability CVE-2013-4002

Vulnerability Solution Article: K16872


480424 : Kernel Vulnerabilities

Vulnerability Solution Article: K15680


480421 : Python vulnerability CVE-2013-4238

Vulnerability Solution Article: K15638


480240 : Mozilla NSS vulnerability

Vulnerability Solution Article: K15630


480207 : Multiple Linux Kernel vulnerabilities

Vulnerability Solution Article: K15685


479431-3 : Apache Axis vulnerability CVE-2014-3596

Vulnerability Solution Article: K16821


476871 : MIT Kerberos 5 vulnerability CVE-2014-4342

Vulnerability Solution Article: K15552 K15547


474513 : Multiple Perl Vulnerabilities

Vulnerability Solution Article: K15867


456217 : PHP vulnerability CVE-2013-4113

Vulnerability Solution Article: K15169


439068-1 : SUSE coreutils vulnerabilities

Vulnerability Solution Article: K16859


416372-1 : Boost memory allocator vulnerability CVE-2012-2677

Vulnerability Solution Article: K16946



Known Issues in BIG-IQ CM v5.2.x
These known issues apply specifically to this release. Unless listed in this note as Fixed, known issues that appear in versions 5.0.0 and 5.1.0 may also apply to this release. See the appropriate release note for known issues from previous releases.

BIG-IQ Configuration - Access Issues

ID Number Severity Description
645725 2-Critical Cannot re-import from a SWG-provisioned device after upgrading.
659958-1 3-Major Active Directory Groups update does not show any groups
658892-1 3-Major Deployment fails with error : Failed submitting iControl REST transaction ....: status:400,..... unknown property","errorStack":[],"apiError":2}
647189-1 3-Major Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"


BIG-IQ Configuration - Local Traffic Issues

ID Number Severity Description
650218 3-Major Client SSL - BIG-IP 11.5.1 HF7 - overridden yet unchanged Cert Key Chain in Client SSL profile causes discovery failure
641451 3-Major Deployment error when overriding the certificate-key chain on a Client SSL profile.
653529 4-Minor Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs
653528 4-Minor Deployment fails when attempting to deploy more than 1100 certificates and key pairs (2200 files) to a single BIG-IP
637937 4-Minor Similarly named keys/certs on BIG-IPs of different versions appear as distinct objects in BIG-IQ if the name includes special characters
637728 4-Minor SSL keys/certificates on BIG-IP with + or ~ in the name cause a discovery failure in BIG-IQ
636086 4-Minor Certificates and keys that are copied between BIG-IPs are not matched on the BIG-IQ


BIG-IQ Configuration - Network Issues

ID Number Severity Description
660022 3-Major BIG-IQ does not support creating route with default address


BIG-IQ Configuration - Security - Network Security Issues

ID Number Severity Description
658780-1 3-Major A port misuse policy rule marked for deletion will have the deletion state cleared when a new rule is added.


BIG-IQ Deployment - Evaluate & Deploy Issues

ID Number Severity Description
648546 3-Major Cannot deploy a certificate with server-ssl


BIG-IQ Device User Interface Issues

ID Number Severity Description
658039-1 4-Minor Failure to reactivate some licenses when EULA has changed


BIG-IQ Monitoring - Alerts & Notifications Issues

ID Number Severity Description
647177-1 3-Major BIG-IQ system performance can degrade with high numbers of accumulated snapshots


BIG-IQ Monitoring - Dashboards & Reports Issues

ID Number Severity Description
653760-1 3-Major Token Table is not updated in real time on the drill down screen
652975-1 3-Major OAuth Client timeline doesn't show right data if timeframe is changed
639896-1 3-Major Cannot view SWG Reports and download CSV Reports on Standby BIG-IQ
647068 4-Minor Sharepoint and OWA Application data missing in the Access Application Dashboard
627105-1 4-Minor Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens


BIG-IQ Search Issues

ID Number Severity Description
641427-1 3-Major Portal Access Rewrite is not searchable by Global Search


BIG-IQ System User Interface Issues

ID Number Severity Description
655987-1 3-Major When upgrading devices with large configurations to 5.2, user may encounter errors when setting the Master Key in the setup wizard


BIG-IQ Access Issues

ID Number Severity Description
660828 3-Major Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"
659829-1 3-Major Evaluation error for Local Traffic and Network. Failed to inflate referenced items for unspecific referrer.
655123-1 3-Major Unable to open Network Access, LDAP, AD, CRLDP, TACACS, or Radius server object UI for edit.
652758 3-Major Fail to restore from snapshot
642976-1 3-Major Deployment diff shows unused objects to be deleted during deployment
636188-1 3-Major Access Events in iRule requires an Access Profile associated with Virtual
629213-1 3-Major Set filespace quota for file objects
629041 3-Major Access deployment failure with error "DNS resolver /Common/<dns resolver name>: Referencing a non existing route domain /Common/<route_domain_name>."
618101 3-Major Access Reporting UI takes 30 seconds or more to load.
612292-1 3-Major Customization file changes are not deployed when customization template and customization group objects are created in deployment
659424-1 4-Minor Deployment failure due to SAML object deletion
505455-1 4-Minor Adding a device to Access Group fails: Unable to calculate working config ID


BIG-IQ Local Traffic & Management Issues

ID Number Severity Description
659729-1 3-Major Filtering by the text 'http' in LTM Profiles grid takes a long time to complete
651892 3-Major Some Rewrite profiles created on BIG-IP cannot be updated or deleted by BIG-IQ
651186-1 3-Major SSL certificate in non-PEM format can not be imported and managed
650405 3-Major Error while transforming Profile Client SSL when BIG-IP in DSC (Failed to transform secure field value)
643825 3-Major Inability to remove Certificate and/or Key used by serverssl profile in specific cases for v11.6.0 and v11.6.1
641237 3-Major Inability to delete SNAT pool with SNAT transaction from some versions of BIG-IP.
614199-1 3-Major Profile - Client SSL - Cannot deploy Certificate Key Chain changes to root clientssl profile
646929 4-Minor BIG-IQ cannot remove overrides for LWS Separator field on HTTP explicit profiles.
624368 4-Minor BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP


AppIQ Issues

ID Number Severity Description
653467-1 2-Critical Retaining more than 10 hours of raw statistical data may cause chart timeouts when querying for Last Day or Last 12-hours of data
647127-1 2-Critical Removal of Data Collection Device may result in an Elastic Search cluster health status of "red"
656112-1 3-Major Scroll bars are not present on device health, device, traffic, DNS, and local traffic statistics UI
651998-1 3-Major When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ
644884-1 3-Major Sort-Selected rows of data in dimension panes may show N/A for data
642862-1 3-Major BIG-IQ will show statistics for system iRules, which may not be listed in the BIG-IP's UI
644860-1 4-Minor BIG-IQ may take a while to resume statistics collection after a time skew issue has been corrected


BIG-IQ Device Management Issues

ID Number Severity Description
590791-1 3-Major Rediscovery fails due to required REST framework upgrade although the error message does not indicate this
627255 4-Minor When discovering a cloned BIG-IP, error message does not provide sufficient information


BIG-IQ Fraud Protection Service (FPS) Issues

ID Number Severity Description
656788 3-Major FPS Alert sorting results not always as expected
635584-1 3-Major BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"
656861 4-Minor Re-using a filter with a country and region fails to provide region in the filter
649067-1 4-Minor Specifying certain characters in the wrong field can result in failed queries and no matching results
642550 4-Minor If you use Go To to reach an alert near the end of the list, you cannot scroll until you refresh.


BIG-IQ Network Security Issues

ID Number Severity Description
648876-1 3-Major Discovery of a BIG-IP Advanced Firewall service may fail if the service is newly provisioned on the BIG-IP
632900 3-Major Bot Signatures/Bot Signature Categories User Defined Flag Behavior
632813-1 3-Major Removing the global-fqdn policy may fail. The deployment may need to be done in 2 steps.
638131 4-Minor Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled
582701-1 4-Minor At Scale, HTML Report fails to render in IE and Edge.


REST Framework and TMOS Platform Issues

ID Number Severity Description
656828 2-Critical Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.
658358-1 3-Major Minimum master eligible node setting set by user is overwritten by default calculated value when zone of the log node is changed
650404 3-Major A list screen may not always show all items
645768 3-Major TMSH command 'tmsh show sys hardware' is incomplete for VE systems
645721-1 3-Major If you use HTTPS over a proxy for a custom-alert receiver, you need to re-install the receiver's certs after upgrade
632201 3-Major Users who are members of more than 40 user groups may fail to login.
630648-1 3-Major BIG-IQ HA: Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired
620791 3-Major BIG-IQ 5.2.0 images imported into previous versions of BIG-IQ may not be available after restart
599844 3-Major Ltm log has GET_MEDIA and chmand error and failure messages on shutdown
590022-1 3-Major Added a Logging Node, it appears to be added (In the Logging Configuration -> logging node Count increases) but does not show up in the list on Logging Nodes page
658163-1 4-Minor AVR statistics are not available on the Secondary BIG-IQ
652954-1 4-Minor BIG-IQ 5.x does not allow clustered BIG-IP devices to be added to custom device groups created in BIG-IQ 4.x
622676 4-Minor Dual management routes in the main routing table
599838 4-Minor notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)
596082-1 4-Minor Incorrect information displayed by HA Inventory page in HA Error state
660424-1 5-Cosmetic httpd service fails to start on boot


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Description
658702-1 3-Major After upgrading BIG-IQ to 5.2.0, already discovered 11.5.4 devices may fail on Web App Security rediscovery.
657640 3-Major Issue deploying new ASM policy to BIG-IP with disallowed WebSocket URLs configured in policy
649425 3-Major Discovery failure occurs due to BIG-IP ASM software unexpected service restart
645199 3-Major ASM - Inheritance comments deployment issue
642196 3-Major ASM deployment failure with a deadlock error message on Signature Set configuration changes
639967 3-Major ASM deployment failure with deadlock on Data Guard configuration changes
630437 3-Major Parent policy items not shown when searching for items related to the child policy
628451 3-Major Child policy items not shown when searching for items related to the parent policy
624756 3-Major Discovery failure occurs due to BIG-IP ASM software unexpected service restart - auto detect language
615822 3-Major Deployment failure reported when attempting to deploy a change to TMOS v11.5.4 that would change a manual-type signature set to a filter-based signature set
606953 3-Major Deployment of a new asm policy may result in failure.
579422 3-Major Evaluation shows unexpected differences after deployment for policy building settings (enabled)
585505-1 4-Minor Discovery and import allows a change in a policy's application language, but a deployment fails when application language is to be changed

 

Known Issue details for BIG-IQ CM v5.2.x

660828 : Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Component: BIG-IQ Access

Symptoms:
Deployment failure with error similar to the one below:

Deployment Failure: "transaction failed: ... : file (/config/filestore/files_d/Common_d/customization_group_d/:Common:...) expected to exist"

Conditions:
Deployment fails when advanced customization is involved.

Impact:
The BIG-IQ APM deployment fails.

Workaround:
On the failed device, remove the object that uses the customization group, which in turn removes the customization group, then deploy to the device again.


660424-1 : httpd service fails to start on boot

Component: REST Framework and TMOS Platform

Symptoms:
When booting a BIG-IQ device you may see a message indicating the httpd service fails to start: "Starting httpd: [FAILED]".

Conditions:
When booting the BIG-IQ.

Impact:
No impact to BIG-IQ functionality. httpd is not required for BIG-IQ to function correctly and this message can be ignored.


660022 : BIG-IQ does not support creating route with default address

Component: BIG-IQ Configuration - Network

Symptoms:
After BIG-IQ deploys a new route with the default address, it cannot discover and reimport a device where that route has been deployed.

Conditions:
Deploying a route with the "0.0.0.0/0" address to a BIG-IP device and then reimporting that same device.

Impact:
After the deployment, importing the device fails with the message:
"Invalid route Default: Change destination network from '0.0.0.0/0' to 'default' is not allowed"

Workaround:
Create the default route directly on the BIG-IP device.


659958-1 : Active Directory Groups update does not show any groups

Component: BIG-IQ Configuration - Access

Symptoms:
Active Directory, LDAP groups are not displayed even after the administrator clicks "Update" from the Active Directory > LDAP Groups screen.

Conditions:
This issue happens when the administrator does not have advanced shell access on the BIG-IP system.

Impact:
The administrator has to type in the Active Directory group details manually or copy them from the BIG-IP system.

Workaround:
Give advanced shell access for the administrator on the BIG-IP system.
To give the administrator access to the Advanced Shell, use the following command syntax:

modify /auth user <UserID> shell bash


659829-1 : Evaluation error for Local Traffic and Network. Failed to inflate referenced items for unspecific referrer.

Component: BIG-IQ Access

Symptoms:
Access Deployment fails with error

"Evaluation error for Local Traffic and Network. Failed to inflate referenced items for unspecific referrer."

Conditions:
Access Deployment fails when "Include LTM Objects" is selected and an access policy that has RouteDomainSelectionAgent is configured in the Access Group.

Impact:
Access Deployment Failure.

Workaround:
Step 1) Deploy LTM for the device
Step 2) Deploy Access for the device. Do not select "Include LTM Objects" for Access Deployment.


659729-1 : Filtering by the text 'http' in LTM Profiles grid takes a long time to complete

Component: BIG-IQ Local Traffic & Management

Symptoms:
The LTM profiles grid will show a spinner for 30 or more seconds until results are returned. Note that queries for other text are not affected.

Conditions:
User enters 'http' into the filter bar in the LTM profiles grid and hits the Enter key.

Impact:
The user may have to wait for longer than expected to see the results of this query.

Workaround:
User can use a different or more specific query. For example if the user is searching for the http-explicit profiles, they can filter with 'explicit'.


659424-1 : Deployment failure due to SAML object deletion

Component: BIG-IQ Access

Symptoms:
This symptom observed on BIG-IQ is caused by a defect on BIG-IP systems.

This defect happens when BIG-IQ attempts to delete unreferenced SAML objects on deployment.

When this happens, the deployment will fail, and the following message will be displayed:


Failed submitting iControl REST transaction 1487875767493967: status:400, body:{"code":400,"message":"transaction failed:01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/ipd.cooper.local
because it is being used by
aaa-saml-server (/Common/saml_sp)","errorStack":[],"apiError":1}

Conditions:
When unreferenced SAML objects are deleted by BIG-IQ at time of deployment.

Impact:
Failure to perform a BIG-IQ deployment.

Workaround:
Customers can administer the BIG-IP and remove the unused SAML objects, or reference them from a dummy Access Policy. Alternatively, BIG-IP systems can be upgraded once appropriate hotfixes are available.


658892-1 : Deployment fails with error : Failed submitting iControl REST transaction ....: status:400,..... unknown property","errorStack":[],"apiError":2}

Component: BIG-IQ Configuration - Access

Symptoms:
Deployment fails after editing an Advanced Resource Assign Agent in a policy or a Resource Assign Agent in a macro.

Conditions:
Deployment fails after editing an Advanced Resource Assign Agent in a policy or a Resource Assign Agent in a macro.

Impact:
Access Configuration could not be deployed

Workaround:
Open the Advanced Resource Assign Agent(s) in the policy and the Resource Assign Agent(s) in the macro (if any) and apply the following fix:
1) Go to Advanced mode for expressions
2) Put a backslash \ in front of any double quote ", i.e. " => \"
3) Save


658780-1 : A port misuse policy rule marked for deletion will have the deletion state cleared when a new rule is added.

Component: BIG-IQ Configuration - Security - Network Security

Symptoms:
A port misuse policy rule marked for deletion will not be deleted if a new rule is added in the same edit session after the rule has been marked for deletion.

Conditions:
The user marks a port misuse policy rule for deletion and subsequently adds a new rule to the policy in the same edit session.

Impact:
A rule marked for deletion will not be deleted under these conditions.

Workaround:
When a rule will be deleted and a new rule added to a port misuse policy, perform the delete and save actions first for rules that are to be deleted, followed by the addition of the new rules.


658702-1 : After upgrading BIG-IQ to 5.2.0, already discovered 11.5.4 devices may fail on Web App Security rediscovery.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After upgrading to 5.2.0, rediscovery of an 11.5.4 device may fail with "Duplicate item. Key already exists: name : brute-force-attack-prevention".

Conditions:
11.5.4 managed device present when upgrading to BIG-IQ version 5.2.0.

Impact:
Unable to rediscover (in Web App Security) the device after upgrade

Workaround:
Following an upgrade, if the above error occurs on Web App Security rediscovery, perform the following:

- remove the device
- discover/import the device (LTM,ASM)
- rediscover/reimport the device (LTM,ASM)


658358-1 : Minimum master eligible node setting set by user is overwritten by default calculated value when zone of the log node is changed

Component: REST Framework and TMOS Platform

Symptoms:
If the BIG-IQ Data Collection Devices --> Settings --> Minimum Master Eligible Devices setting is set by the user and the BIG-IQ Data Collection Devices --> Zone setting is then changed by the user, the Minimum Master Eligible Devices setting is reset to a new, code-calculated value.

Conditions:
1. Override the Minimum Master Eligible Devices setting from the UI
2. Modify the Zone setting of a BIG-IQ Data Collection device

Impact:
The Minimum Master Eligible Devices setting may or may not be different from what the user had previously set. This could affect how the BIG-IQ Elasticsearch cluster behaves during a disaster, relative to what the customer expects. Under normal operation of the BIG-IQ, this setting has no impact on product functionality.

Workaround:
Whenever the BIG-IQ Data Collection Devices --> Zone setting is changed, the Minimum Master Eligible Devices setting can be reset in the UI by the customer based on their environment and requirements.


658163-1 : AVR statistics are not available on the Secondary BIG-IQ

Component: REST Framework and TMOS Platform

Symptoms:
If a user logs into a Secondary BIG-IQ, they will get an error if they try to view AFM or ASM Application Visibility and Reporting (AVR) statistics:

* Monitoring --> REPORTS --> Security --> Network Security --> Reporting

* Monitoring --> REPORTS --> Security --> Web Application Security --> Reporting.

Conditions:
Logging onto the secondary system of a BIG-IQ HA pair

Impact:
The user will see a dialog with a Dismiss button and an error such as the following:

Error on server request
shared/analytics/event-analysis-tasks/5a165c86-7c03-4bc7-9577-484d7c13db93

Selecting the Dismiss button will result in additional dialog buttons appearing.

Workaround:
Refresh the Secondary BIG-IQ page.


658039-1 : Failure to reactivate some licenses when EULA has changed

Component: BIG-IQ Device User Interface

Symptoms:
Attempts to reactivate a license when the EULA has changed generate a message similar to: "The system returned an unexpected error (400 Bad Request). Validation of PATCH failed."

Conditions:
This can occur for utility, volume and FPS licenses when the user navigates away from the license properties page before accepting the new EULA and then returns later.

Impact:
License fails to complete the reactivation.

Workaround:
When the user returns to the license properties page, clicking "Finish Reactivation" opens a new page with a "Reactivate" button which generates the error. Instead of clicking "Finish Reactivation" on the license properties page, the user can click the "Accept" button at the bottom right of the page to accept the new EULA and complete the reactivation.


657640 : Issue deploying new ASM policy to BIG-IP with disallowed WebSocket URLs configured in policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
After deploying a new policy to a 13.0 BIG-IP device and doing another evaluation, differences involving the addition of a Plain Text Profile named "Default" might appear. Deploying the second evaluation will fail with an error that the Plain Text Profile cannot be deleted.

Conditions:
The issue happens when deploying to a 13.0 BIG-IP device and the policy has Disallowed WebSocket URLs. The issue happens if the BIG-IP device does not have a fix to bug 658062.

Impact:
Difference shown after deployment and failure of second deployment.

Workaround:
To fully deploy the configuration if the unexpected difference appears, remove all disallowed WebSocket URLs directly on the BIG-IP before doing another evaluation.


656861 : Re-using a filter with a country and region fails to provide region in the filter

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Alert filters that are re-used do not have the region code set in the UI filter.

Conditions:
If a filter with a country and region is saved, or a filter that has been run is edited, the region is not correctly shown in the UI. Also, the regions for the selected country are missing.

Impact:
Re-running the same filter will not filter on the region as expected.

Workaround:
Re-select the original country name. Clear any dangling 'region name' text in the 'Additional Query Parameters' field. Then select the region. Re-run the query. Each consecutive run of the saved filter with correct country and region information will complete successfully.


656828 : Setting the master key after upgrading a system with a large configuration from 5.x to 5.2 could result in an unsuccessful encryption of objects.

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading the BIG-IQ system from 5.x to 5.2, when the user logs into the BIG-IQ UI, the user will be required to go through the setup wizard. When the master key passphrase is entered and the Next button clicked, the master key is created and the encryption upgrade starts.

The following two symptoms can occur:

Symptom 1:
If the encryption upgrade does not finish within five minutes, the user will see a 504 gateway timeout exception in the UI. This is a possible indication that the encryption upgrade will not succeed, so the user should click the Dismiss button, log out from the UI, and check to see if symptom 2 occurs after waiting another five minutes.

Symptom 2:
If the encryption upgrade does not complete in ten minutes, in the /var/log/restjavad.0.log file the following error message is observed:

[ERROR][12 Apr 2017 11:07:00 EDT][/cm/shared/secure-storage/masterkey SecureStorageMasterkeyGenerator] The BIG-IQ ran into error 'Encryption upgrade has failed to run to completion due to Timed out during execution of command. This may result in some attributes that are encrypted with the old encryption scheme that need to be manually upgraded.' when upgrading encrypted values. This may cause some encrypted values to be unusable.

If Symptoms 1 and 2 are both seen, the customer should proceed with the workaround.

Conditions:
The pre-upgrade 5.x system has a large number of objects requiring encryption.
Example:
If the BIG-IQ system managed several hundred BIG-IP devices, had several hundred rules, and so on (a very large system), then such a system, upon upgrade to 5.2, could have an issue setting the encryption master key upon first logging in to the BIG-IQ 5.2 UI.

Impact:
If the encryption upgrade fails, the upgraded BIG-IQ system will be unstable to use. There will be several errors in the product and in the log files.

Workaround:
If both symptoms 1 and 2 are seen, the customer can work around the issue as follows:

1. Log in to the BIG-IQ shell (not the UI)
2. cd /var/config/rest/tokuupgrade/encryption
3. sh run_encryption_upgrade.sh
4. Wait for the execution of this command to complete. When the execution completes, the following message will be displayed: "The Encryption upgrade script is complete"
5. Log back in to the UI and finish executing the setup wizard.
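
Added example (not F5 code): a shell check for Symptom 2 of ID 656828, to confirm the failure is logged before running the workaround. It scans a restjavad log for the error quoted above; the function names and the sample log lines other than that quoted error are constructed for illustration.

```shell
#!/bin/sh
# Check a restjavad log for the encryption-upgrade failure (Symptom 2, ID 656828).
# Function names are hypothetical; the marker strings come from the quoted error.

WORKER='SecureStorageMasterkeyGenerator'
MARKER='Encryption upgrade has failed to run to completion'

# Print the timestamp of every [ERROR] line from the master key worker that
# carries the failure marker. Line layout, as in the quoted error:
#   [LEVEL][timestamp][path worker] message
encryption_upgrade_failures() {
    awk -v worker="$WORKER" -v marker="$MARKER" '
        index($0, "[ERROR]") == 1 && index($0, worker) && index($0, marker) {
            # Split on "][": f[1]="[ERROR", f[2]=timestamp, f[3]=rest of line
            n = split($0, f, /\]\[/)
            if (n >= 3) print f[2]
        }' "$1"
}

# Exit status 0: failure is logged, the manual workaround applies.
# Exit status 1: no failure found. Exit status 2: log file not readable.
needs_manual_encryption_upgrade() {
    [ -r "$1" ] || return 2
    [ -n "$(encryption_upgrade_failures "$1")" ]
}

# Write a small sample log to $1. The second and third lines are constructed;
# the first is the error message quoted in Symptom 2.
write_sample_log() {
    cat > "$1" <<'EOF'
[ERROR][12 Apr 2017 11:07:00 EDT][/cm/shared/secure-storage/masterkey SecureStorageMasterkeyGenerator] The BIG-IQ ran into error 'Encryption upgrade has failed to run to completion due to Timed out during execution of command. This may result in some attributes that are encrypted with the old encryption scheme that need to be manually upgraded.' when upgrading encrypted values. This may cause some encrypted values to be unusable.
[INFO][12 Apr 2017 10:57:00 EDT][/cm/shared/secure-storage/masterkey SecureStorageMasterkeyGenerator] constructed sample line: master key request received
[ERROR][12 Apr 2017 11:01:13 EDT][/constructed/sample/worker SampleWorker] constructed sample line: unrelated error
EOF
}

# Stand-alone use: pass a log path (for example /var/log/restjavad.0.log),
# or run with no argument to check the embedded sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    cleanup=1
fi
if needs_manual_encryption_upgrade "$log"; then
    echo "Encryption upgrade failure logged at: $(encryption_upgrade_failures "$log")"
else
    echo "No encryption upgrade failure found in $log"
fi
[ -z "${cleanup:-}" ] || rm -f "$log"
```
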


656788 : FPS Alert sorting results not always as expected

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
There are 2 sorting scenarios that can result in alerts not being sorted as expected. In one case alerts may appear to no longer be included in the results. In the other case, sorting by alert type may not be correct when

Conditions:
(1) Sorting alerts by type, when the type has been changed by a transformed rule to the name of the transform rule.
(2) Sorting alerts when there are a large number of rules matching the query.

Impact:
Sorting rules may make it difficult to locate anticipated alerts.

Workaround:
Be sure that query results are small enough (matching < 9500 alerts) so that alerts can be properly sorted. If sorting by alert type, remember that alerts that match transformed rules will have their name changed, but they can be located in the sorted list based on their alert type.


656112-1 : Scroll bars are not present on device health, device, traffic, DNS, and local traffic statistics UI

Component: AppIQ

Symptoms:
When viewing graphs of statistical data for device health, device traffic, DNS, or local traffic graph pages, there are no scroll bars allowing you to scroll up and down to view content unable to fit in the browser window.

Conditions:
This occurs when viewing graph data as described in the title.

Impact:
You may not notice additional graphs hidden from view.

Workaround:
To scroll down to view graphs unable to fit in your browser window, you can do one of the following:

1. If your mouse has a wheel used for scrolling, position the mouse in the graphing panel, then you can scroll up and down using the wheel.

2. Click in the graph panel, then you can use the up-arrow, down-arrow, page-up, and page-down keys to scroll.

3. Resize your browser window so that all charts fit into the window.


655987-1 : When upgrading devices with large configurations to 5.2, user may encounter errors when setting the Master Key in the setup wizard

Component: BIG-IQ System User Interface

Symptoms:
When setting the Master Key, the request may run for a long time and may time out. If the request times out, it was likely still successful but is taking some extra time to complete due to the existing configuration on the system.

Conditions:
The BIG-IQ is running a large configuration, and is upgraded to BIG-IQ version 5.2.

Impact:
You may need to wait until the Master Key is established on the device. After the request times out, wait for a few minutes and refresh the page. If the page tells you that the Master Key has already been set, you can safely complete the setup wizard.


655123-1 : Unable to open Network Access, LDAP, AD, CRLDP, TACACS, or Radius server object UI for edit.

Component: BIG-IQ Access

Symptoms:
When a user clicks an instance of one of the following objects, the UI does not open the object for editing. There is no response to the mouse click.

Object Types: LDAP, AD, CRLDP, TACACS, or Radius server

Conditions:
This happens after import/reimport of Access.

This occurs because the pool used by the object instance of kind LDAP, AD, CRLDP, TACACS, or Radius server does not exist in "LTM".

For Network Access objects, this occurs because the route-domain used by the object does not exist in "LTM".

Impact:
Object instances of kind Network Access, LDAP, AD, CRLDP, TACACS, or Radius server could not be edited.

Workaround:
Users must rediscover and reimport LTM for the corresponding device to which the object (LDAP, AD, CRLDP, TACACS, or Radius server) belongs.


653760-1 : Token Table is not updated in real time on the drill down screen

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Drilling down on the Access Token Count screen doesn't show the right number of tokens in the table the first time.

Conditions:
Happens during the drill down action.

Impact:
Minimal.

Workaround:
Refresh the page; all tokens will then show up.


653529 : Deployment fails when attempting to deploy more than 4000 certs in a single deployment across multiple BIG-IPs

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Attempting to deploy more than 4000 certificates and key objects will result in deployment failure

Conditions:
Trying to deploy more than 4000 certificates and key objects across multiple BIG-IPs

Impact:
Deployment fails and the 'restjavad' daemon must be restarted using the TMSH command 'bigstart restart restjavad' on BIG-IQ to get the device fully operational again, as BIG-IPs may be marked as unavailable.

Workaround:
Split the deployment by either reducing the number of devices or number of certificates and keys per deployment


653528 : Deployment fails when attempting to deploy more than 1100 certificates and key pairs (2200 files) to a single BIG-IP

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Deployment failure with an error of 'Failed submitting iControl REST transaction.'

Conditions:
Attempting to deploy more than ~1100 certificates and key pairs (2200 files) to a single BIG-IP

Impact:
Deployment failure with an error of 'Failed submitting iControl REST transaction'

Workaround:
Split the deployment to contain below 2200 file objects


653467-1 : Retaining more than 10 hours of raw statistical data may cause chart timeouts when querying for Last Day or Last 12-hours of data

Component: AppIQ

Symptoms:
When viewing data for Last 12 hours or Last Day for Virtual Servers or Pool and Pool Members, you may see timeouts when BIG-IQ attempts to display the data.

Conditions:
This occurs from a confluence of several potential items:
1. The default retention for the raw data time layer is set at greater than 10 hours.
2. Your environment does not have sufficient Data Collection devices to support the scale of your environment.
3. The storage for your Data Collection devices is too slow.

Impact:
Charts for virtual server and pool & pool member inspector pages may show timeouts when querying for last 12 hours and last day of data.

Workaround:
The BIG-IQ uses the raw time layer for the 12-hour and Last Day queries if the retention policy for the raw time layer is greater than 12 hours and 24 hours respectively. This causes a significant I/O burden to fulfill the query request. In some cases, this may be due to poor storage I/O performance for your Data Collection device(s) and/or not enough Data Collection devices to serve the needs of your environment. The BIG-IQ supports up to 5 Data Collection devices for collection of statistical data. When configuring virtual instances of Data Collection devices, ensure the underlying physical storage is spread out across physical disks, rather than shared on the same physical disk. If the issue cannot be resolved with infrastructure changes, you can change the raw time layer default back to 10 hours. F5 plans to address this issue in a future release.


652975-1 : OAuth Client timeline doesn't show right data if timeframe is changed

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If you change the timeframe on a report you will notice the timeline not showing the correct data.

Conditions:
This is intermittent, and it's unclear when it can occur.

Impact:
Timeline on a report is not updated if timeframe is changed and may not represent the timeline desired.

Workaround:
Refresh the browser and the data will be displayed properly


652954-1 : BIG-IQ 5.x does not allow clustered BIG-IP devices to be added to custom device groups created in BIG-IQ 4.x

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ 5.x fails to properly add a device to a custom device group. The error message in the UI is "Unable to establish trust with this device. Delete the device and re-add it."

Conditions:
This issue is applicable when the BIG-IP is a clustered device and the device group is a custom device group that was created in BIG-IQ 4.x.

Impact:
The BIG-IP device cannot be properly managed via the device group.

Workaround:
Remove the device from the device group, which should clear any "Unable to establish trust" error on the BIG-IP devices inventory. Take a UCS backup of the BIG-IQ. Remove the device-group-key-pair for the device group using: "restcurl -X DELETE shared/device-group-key-pairs/{group name here}". Then add the device to the device group again.


652758 : Fail to restore from snapshot

Component: BIG-IQ Access

Symptoms:
Failure to restore a snapshot taken from a previous BIG-IQ version to the current 5.2 version.

Impact:
The snapshot could not be restored.

Workaround:
Access snapshots taken from a previous release are not supported in version 5.2.


651998-1 : When /var partition reaches configured limit, collection of statistics from BIG-IP will stop, and older data may be automatically removed by BIG-IQ

Component: AppIQ

Symptoms:
You may observe two behaviors:
1. Current statistics from BIG-IPs are not shown on graphs
2. Older statistics from BIG-IPs may no longer be available

Conditions:
This occurs when the data store for statistics reaches the configured limit

Impact:
Loss of current and potentially older statistical data, resulting in graphs showing no data and/or flat areas of no data.

Workaround:
There are several actions you can take:
1. Increase the /var partition on your Data Collection Devices.
2. Increase the maximum percent of storage BIG-IQ may consume for statistical data.
3. Reduce the frequency of data collection from each BIG-IP.
4. A combination of one or more actions listed above.
Please consult product documentation.


651892 : Some Rewrite profiles created on BIG-IP cannot be updated or deleted by BIG-IQ

Component: BIG-IQ Local Traffic & Management

Symptoms:
Using BIG-IQ to update or delete a URI translation rewrite profile that was created via the BIG-IP UI may fail with a message like "transaction failed:01020036:3: The requested rewrite rules URI (/Common/rewrite-custom uri_c931dcd3-acbe-34cf-81c9-a27b64738bb0) was not found."

Conditions:
This issue applies to URI translation rewrite profiles created via the BIG-IP UI that have a parent profile that includes one URI rule.

Impact:
This issue can cause BIG-IQ deployments to fail.

Workaround:
This issue can be resolved by using BIG-IP (tmsh or UI) to remove the inherited URI rule from the affected profile and then recreating it. Afterwards, discover/import the LTM service for the relevant device to update the profile in BIG-IQ.


651186-1 : SSL certificate in non-PEM format can not be imported and managed

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails to import DER encoded certificates/keys.

Conditions:
This applies when manually importing DER encoded certificates/keys from an external source or when trying to convert an unmanaged certificate/key from BIG-IP into a managed certificate/key.

Impact:
DER encoded certificates/keys cannot be managed by BIG-IQ.

Workaround:
DER encoded certificates/keys can be converted to PEM format to allow them to be managed by BIG-IQ.


650405 : Error while transforming Profile Client SSL when BIG-IP in DSC (Failed to transform secure field value)

Component: BIG-IQ Local Traffic & Management

Symptoms:
Due to a BIG-IP defect, discovery may fail due to an invalid passphrase. Log messages will include the error: "Failed to transform secure field value".

Conditions:
This may occur when BIG-IPs are configured in a DSC pair and there is one or more profiles configured with a passphrase.

Impact:
As a result, the LTM service cannot be managed for the affected BIG-IP.

Workaround:
Restart restjavad/icrd on the BIG-IP that fails discovery and re-discover.


650404 : A list screen may not always show all items

Component: REST Framework and TMOS Platform

Symptoms:
Not all rows of a list screen may appear when viewing a page that contains multiple objects.

Conditions:
This can happen when returning to a listing page after drilling down into one of the objects from the listing page and either pressing the back button, the Save & Close button, or the Cancel button.

Impact:
The page may look incorrect until refreshed or the user scrolls within the list.

Workaround:
There are two known workarounds for this issue: 1) scroll the items list with the mouse or scrollbar, or 2) refresh the page.


650218 : Client SSL - BIG-IP 11.5.1 HF7 - overridden yet unchanged Cert Key Chain in Client SSL profile causes discovery failure

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Discovery of the LTM service for a BIG-IP fails with the error: "Unable to parse tmsh output: java.lang.IllegalArgumentException: malformed or empty array: "" { }"

Conditions:
This can occur for older BIG-IPs that allow a Client SSL profile to be saved without a certificate/key.

Impact:
This prevents the LTM service for the BIG-IP device from being managed in BIG-IQ.

Workaround:
The issue can be resolved by correcting the configuration for the relevant Client SSL profile(s) by adding a certificate/key.


649425 : Discovery failure occurs due to BIG-IP ASM software unexpected service restart

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IP has an issue that may cause a restart of services (tracked by BIG-IP bug 644725).
Since the restart on BIG-IP might cause connectivity issues from BIG-IQ, discovery/deployment issues might occur.

Conditions:
This issue might happen when the managed BIG-IP device is affected by bug 644725.

Impact:
Discovery/deployment failures.

Workaround:
Patch the BIG-IP device with a fix to bug 644725.


649067-1 : Specifying certain characters in the wrong field can result in failed queries and no matching results

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
Filters for some data with special characters result in failed queries.

Conditions:
If a user enters data in some fields with special characters (\+: etc.) that are not usually found in the field, the query may fail and result in an error message from the database.

Impact:
Another way must be found to do the query. See the online help for details.

Workaround:
Enter the data in the correct field. See the online help for details on valid characters.


648876-1 : Discovery of a BIG-IP Advanced Firewall service may fail if the service is newly provisioned on the BIG-IP

Component: BIG-IQ Network Security

Symptoms:
Discovery of the Advanced Firewall service may fail with an error message similar to: "check if iControl REST service is running on the BIG-IP"

Conditions:
A BIG-IP Local Traffic service is already imported on the BIG-IQ and then the Advanced Firewall service is provisioned on the BIG-IP and that service is then discovered by the BIG-IQ.

Impact:
The Advanced Firewall service cannot be discovered on the BIG-IQ due to a BIG-IP REST service issue.

Workaround:
If the discovery fails with the indicated symptoms, the restjavad service must be restarted on the BIG-IP. The user should log onto the BIG-IP shell and execute the following command: bigstart restart restjavad


648546 : Cannot deploy a certificate with server-ssl

Component: BIG-IQ Deployment - Evaluate & Deploy

Symptoms:
Failure to deploy a certificate referenced by a new server-ssl profile. If a server-ssl profile inherits from the 'serverssl' system profile, it will deploy successfully, but if the server-ssl profile inherits from any other profile, the deployment will fail.

An error is generated:
"transaction failed:0107134a:3: File object by name (/Common/some-ca-bundle.crt) is missing."

Conditions:
This issue occurs when attempting to deploy at least 3 objects together: 1) a new traffic certificate, 2) a parent server-ssl profile, and 3) a child server-ssl profile referencing the traffic certificate from 1) and inheriting from the server-ssl profile from 2).

Impact:
Deployment will fail.

Workaround:
Deploy the traffic certificate or the parent server-ssl profile in a separate deployment task.


647189-1 : Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"

Component: BIG-IQ Configuration - Access

Symptoms:
Deployment to version 12.1.1 device fails with error "Encountered unsupported operation 16 at /apm/policy/access-policy/..../subroutine-properties"

Conditions:
The deployed BIG-IP system is version 12.1.0.

Impact:
Cannot deploy the new configuration to the BIG-IP system.

Workaround:
Upgrade to 12.1.3 or 13.0, which addresses this issue.


647177-1 : BIG-IQ system performance can degrade with high numbers of accumulated snapshots

Component: BIG-IQ Monitoring - Alerts & Notifications

Symptoms:
When managing large configurations with BIG-IQ, accumulated configuration snapshots can consume database resources to the point of slowing down general system performance. This slowdown is typically encountered when viewing large collections of objects in the UI. It may also be encountered when performing deployment evaluation and/or new device discovery.

Conditions:
Managing large configurations.

Impact:
System performance may be affected.

Workaround:
If general system performance issues are encountered, navigate to the Deployment->Snapshots menu, check the snapshot count for each service and delete old snapshots. On that page you can multi-delete by selecting more than one snapshot in the list and clicking the delete button. Once the selected snapshots have been deleted, verify that system performance has returned to normal.


647127-1 : Removal of Data Collection Device may result in an Elastic Search cluster health status of "red"

Component: AppIQ

Symptoms:
Removing a Data Collection Device (DCD) from a cluster that contains statistics data may cause the cluster to contain one or more unassigned data shards.

Conditions:
You remove a DCD while statistics collection is enabled for one or more BIG-IPs.

Impact:
When the DCD elastic search cluster transitions to "red" status, the cluster may become unusable.

Workaround:
The following workaround can be performed:

1. Log into BIG-IQ as an administrator

2. Click on the "System" tab

3. Open up the "BIG-IQ Data Collection" on the left navigation menu.

4. Click on "BIG-IQ Data Collection Devices"

5. Click Add, and enter the DCD's information.

Once successfully added to the BIG-IQ cluster, you will need to enable statistics data replication:

1. From the BIG-IQ Data Collection Devices user interface, click "Settings".

2. Then, click Statistics Collection

3. Click Configure

4. Click Advanced Settings

5. Check the box next to "Enable Replicas"

6. Click Save & Close

Next, wait for the elastic search cluster to show a status of Green; the DCD removal can then be retried.


647068 : Sharepoint and OWA Application data missing in the Access Application Dashboard

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
You cannot view the Sharepoint and OWA Application names in the Application Dashboard.

Conditions:
After applying the classification profile to the Sharepoint and OWA Application virtuals in the BIG-IP system, Sharepoint and OWA Application data are not displayed in the BIG-IQ Access Application Dashboard.

Impact:
Sharepoint and OWA Application data is missing in the BIG-IQ Access Application Dashboard

Workaround:
Update classification signatures on the BIG-IP device to fix the issue. You can download signature updates from F5 Networks, and schedule the system to automatically update the signatures. You can also manually install the classification signatures and updates from the BIG-IP system under Traffic Intelligence > Classification > Signature Update. You can refer to BIG-IP -> PEM BIG-IP Policy Enforcement Manager -> Implementations Updating Signatures for Application Recognition for detailed steps to update classification signatures.


646929 : BIG-IQ cannot remove overrides for LWS Separator field on HTTP explicit profiles.

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ cannot unset overrides on the LWS Separator field for HTTP profiles. This is due to a defect on the BIG-IP. This override can be removed on BIG-IP and the device rediscovered/reimported.

Conditions:
User tries to remove the LWS Separator override on the HTTP explicit profile.

Impact:
The value will always remain overridden in the child profile.

Workaround:
Manually unset the override on the BIG-IP, and then rediscover and reimport the BIG-IP.


645768 : TMSH command 'tmsh show sys hardware' is incomplete for VE systems

Component: REST Framework and TMOS Platform

Symptoms:
Much of the expected machine information is not reported about the BIG-IQ VE device when using the TMSH command 'show sys hardware'. Disk information is missing entirely. The information that is included is minimal.

Conditions:
Device is an AWS VE

Impact:
Incomplete information reported from tmsh show sys software

Workaround:
All the information can be obtained from running the command 'halid -aq halid'


645725 : Cannot re-import from a SWG-provisioned device after upgrading.

Component: BIG-IQ Configuration - Access

Symptoms:
Reimporting after upgrading from BIG-IQ version 5.0 or 5.1 fails with error "Access Group is not SWG provisioned, but the device is SWG provisioned.".

Conditions:
Reimport fails after upgrade from BIG-IQ 5.0 or 5.1 when the device has SWG provisioned.

Impact:
Access Group is not usable.

Workaround:
Delete the Access Group and re-create it in version 5.2.


645721-1 : If you use HTTPS over a proxy for a custom-alert receiver, you need to re-install the receiver's certs after upgrade

Component: REST Framework and TMOS Platform

Symptoms:
If you have a custom-alert receiver that receives alerts over HTTPS, you need to install the SSL certs from that receiver to forward alerts over a proxy. After an upgrade to a later release of BIG-IQ software, you need to install the same certs again to continue forwarding alerts to that receiver.

Conditions:
You use an FPS Custom-Forward Alert Rule to forward alerts over HTTPS, and over a proxy, to your own custom-alert machine. You downloaded certs from your custom-alert machine previously so that you could forward through the proxy, over HTTPS.

Impact:
Extra installation of the certs after an upgrade.

Workaround:
Re-install the certs from the same custom-alert receiver after the BIG-IQ upgrade.


645199 : ASM - Inheritance comments deployment issue

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Inheritance comments may not be deployed to BIG-IP if the deployment is adding the policy to the BIG-IP.

Conditions:
The issue is due to BIG-IP bug tracked by ID 645506 which impacts inheritance comments on new policies being imported by the BIG-IP.

Impact:
The comments are not deployed, and additional evaluation will show a difference.

Workaround:
Install a BIG-IP fix for bug ID 645506, or re-evaluate and deploy to get the comments deployed.


644884-1 : Sort-Selected rows of data in dimension panes may show N/A for data

Component: AppIQ

Symptoms:
When sorting data in dimension tables, pinned / sort-selected items may show up as "N/A".

Conditions:
In the table of data for a specific dimension (such as Virtual Servers), BIG-IQ only shows the top-100 items meeting the sort criteria as determined by the column chosen and sort order (descending, ascending). If a specific row has been pinned using the "Sort Selected" action and the sort criteria change such that the pinned rows are no longer in the top-100, the data for the pinned rows will show as "N/A".

Impact:
None

Workaround:
You can choose a different column and sorting order; the sort-selected rows will show data if the row meets the top-100 criteria.


644860-1 : BIG-IQ may take a while to resume statistics collection after a time skew issue has been corrected

Component: AppIQ

Symptoms:
If the time difference between BIG-IQ and BIG-IP drifts more than 5 minutes, statistics collection stops. After correcting the time skew issues, BIG-IQ may not receive new statistics from the device for a period of time, eventually resuming statistics collection.

Workaround:
If the collection of statistics does not resume, remove the BIG-IP exhibiting the issue from BIG-IQ, correct any remaining time issues, then add the BIG-IP back to the BIG-IQ inventory. To avoid time skew issues, F5 recommends configuring NTP on all BIG-IP and BIG-IQ devices.


643825 : Inability to remove Certificate and/or Key used by serverssl profile in specific cases for v11.6.0 and v11.6.1

Component: BIG-IQ Local Traffic & Management

Symptoms:
When the key and certificate property override is unset on an ltm profile server-ssl that uses a certificate and/or key, BIG-IQ cannot remove that certificate and key in the same deployment.

Conditions:
1. Discover an ltm profile server-ssl using Certificate and/or key.
2. Unset the certificate override and/or key override.
3. Delete the certificate and key.
4. Deploy to BIG-IP.

Impact:
Deployment will fail with the message
"File object by name (/Common/cert.key) is in use."

Workaround:
Set the server-ssl to the desired value and do not unset the certificate and key override.


642976-1 : Deployment diff shows unused objects to be deleted during deployment

Component: BIG-IQ Access

Symptoms:
Unused objects are deleted when you deploy a configuration change. The deployment diff shows objects to be deleted.

Conditions:
These objects are not used in the policy that gets deployed to device from BIG-IQ.

Impact:
Objects that are not used in policy in BIG-IP will get deleted.

Workaround:
A dummy policy that is not assigned to any virtual server can be created in BIG-IP or in BIG-IQ, and those objects can be added to the corresponding agents in the policy. Objects assigned to the dummy policy will not be deleted during deployment.

If the dummy policy is created in BIG-IP, the user may have to reimport the shared configuration from the device.


642862-1 : BIG-IQ will show statistics for system iRules, which may not be listed in the BIG-IP's UI

Component: AppIQ

Symptoms:
When viewing statistics for iRules, BIG-IQ will show statistics for system iRules, which do not display in the BIG-IP UI.

Impact:
None.

Workaround:
There is no workaround to suppress the system iRules.


642550 : If you use Go To to reach an alert near the end of the list, you cannot scroll until you refresh.

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
If you use the Go to Alert Number field to reach the end of a long list of alerts, such that the screen does not fill with a full page of alerts, the scroll bar does not appear.

Conditions:
You go to an alert that is very close to (within 20-25 of) the last alert.

Impact:
Scrolling is impossible.

Workaround:
Click Refresh, or refresh the entire browser.


642196 : ASM deployment failure with a deadlock error message on Signature Set configuration changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
A deployment task may fail when changes involve Signature Sets, due to a deadlock on the BIG-IP.

Conditions:
The issue happens when a Signature File Update operation is performed while the deployment task is also running.
Note - BIG-IQ itself will not perform a Signature File Update task during deployment operations to the BIG-IP.

Impact:
Deployment failures.

Workaround:
Wait for the Signature File Update operation to complete and re-deploy, or avoid deployment when Signature File Update operations are running. Note that the BIG-IP supports scheduling of Signature File Update operations.


641451 : Deployment error when overriding the certificate-key chain on a Client SSL profile.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Deployment error when overriding the certificate-key chain on a Client SSL profile.

Conditions:
On removal of the "Override" setting on the non-root ClientSSL certificate-key chain attribute.

Impact:
This change cannot be deployed to the BIG-IP and deployments will fail.

Workaround:
Specify an override value on the profile. These can be the same as the parent profile.


641427-1 : Portal Access Rewrite is not searchable by Global Search

Component: BIG-IQ Search

Symptoms:
Searching for a Portal Access Rewrite object via global search does not return any results and may return an error.

Conditions:
Using the global search for a Portal Access Rewrite object.

Impact:
You will not be able to search for any Portal Access Rewrite object via global search.

Workaround:
Navigate to the Portal Access Rewrite object list screen and search using the filter bar.


641237 : Inability to delete SNAT pool with SNAT transaction from some versions of BIG-IP.

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ is unable to delete a SNAT pool with SNAT translation and deploy the change to BIG-IP.

An error occurs similar to:

"transaction failed:01070321:3: Snat translation address /Common/1.2.3.4 is still referenced by a snat pool."

Conditions:
Configure a SNAT pool with SNAT translation.
Deleting the SNAT pool and deploying to BIG-IP.

Impact:
Deployment will fail.

Workaround:
Delete the SNAT pool and SNAT translation directly on the BIG-IP device


639967 : ASM deployment failure with deadlock on Data Guard configuration changes

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Rarely, a Web Application Security deployment task may fail due to a deadlock on the BIG-IP. A second deploy would usually be successful.

Conditions:
The issue may happen when Data Guard changes are deployed, and the BIG-IP does not have a fix for ID 639905.

Impact:
Deployment task failure.

Workaround:
Install the BIG-IP fix for ID 639905 or attempt another deployment task.


639896-1 : Cannot view SWG Reports and download CSV Reports on Standby BIG-IQ

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
A "Request failed" error message pops up when an admin attempts to view SWG Reports or certain Access reports, such as Browser OS, Geo-location, and Access Profile Usage, from the standby BIG-IQ device. The admin cannot perform CSV downloads from the standby BIG-IQ device.

Impact:
The admin cannot view SWG Reports and a few Access reports, and cannot download CSV reports from the standby BIG-IQ device.

Workaround:
Admin can view the reports and perform CSV downloads from the Active BIG-IQ device.


638131 : Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail when Proactive Bot Defense is enabled

Component: BIG-IQ Network Security

Symptoms:
When a BIG-IQ Centralized Management user discovers a BIG-IP device that is 11.6.x, the Bot Signature Check is disabled and is read-only in a DoS profile.

Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher would fail, when Proactive Bot Defense is enabled.

Conditions:
Deploying a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Impact:
User cannot deploy a DoS profile imported from a BIG-IP 11.6.x to a 12.x or higher, when Proactive Bot Defense is enabled.

Workaround:
First, in the DoS profile, select the Application Security Proactive Bot Defense tab, and record the current value of the Operation mode setting. Then set Operation mode to off. You can set it back to its previous value.
As a result, the Bot Signature Check in Bot Signature screen is set to Enabled automatically.
At this point the Bot Signatures and Bot Signature Categories should be visible and editable.
Save the configuration.


637937 : Similarly named keys/certs on BIG-IPs of different versions appear as distinct objects in BIG-IQ if the name includes special characters

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IP v11.x APIs improperly escape special characters in key/certificate names. This was fixed at BIG-IP v12.0.0.

Conditions:
These issues occur when a mixture of BIG-IPs running both v11.x and v12+ are used in conjunction with BIG-IQ to manage SSL keys/certs.

Impact:
Users may see keys/certs named with special characters (e.g. *.domain.com) represented multiple times on BIG-IQ (once with escaping and once without). Also, such keys/certs created on BIG-IQ or imported from BIG-IP v12+ cannot be deployed from BIG-IQ to BIG-IP v11.x devices.

Workaround:
These issues can be avoided by renaming keys/certs so they do not include special characters.


637728 : SSL keys/certificates on BIG-IP with + or ~ in the name cause a discovery failure in BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
When a BIG-IP has an SSL key or certificate with + or ~ in the name, discovering the LTM service for the BIG-IP fails.

An error is generated:

"Error querying SSL Cert Bundle Certificate from..."

Conditions:
BIG-IP has an SSL key or certificate with + or ~ in the name.

Impact:
Services on BIG-IP cannot be managed by BIG-IQ.

Workaround:
There is no workaround aside from changing the name of affected keys/certs on BIG-IP.


636188-1 : Access Events in iRule requires an Access Profile associated with Virtual

Component: BIG-IQ Access

Symptoms:
Error during deployment:

"Failed submitting iControl REST transaction ...: status:400, body:{"code":400,"message":"transaction failed:01071912:3: ACCESS_... event in rule (/.../...) requires an associated ACCESS profile on the virtual-server (/.../...).","errorStack":[],"apiError":1}"

Conditions:
This issue happens when deploying an LTM deployment or an Access deployment that includes LTM objects. A virtual server on the device has an assigned iRule that uses an Access event.

Impact:
Failed to deploy LTM or APM that includes LTM objects.

Workaround:
1) Remove the iRule assignment from the virtual server.
2) Deploy APM that includes LTM objects, or do a full LTM deployment and an APM deployment.
3) Reassign the iRule to the virtual server in LTM and do a full LTM deployment again.


636086 : Certificates and keys that are copied between BIG-IPs are not matched on the BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Discovering devices with the same keys and/or certificates that were copied from one BIG-IP to another by using the paste text feature will result in conflict during BIG-IQ discovery/import of the second device.

Conditions:
The issue applies when multiple devices have the same certificates and/or keys that were copied using the paste text feature in BIG-IP.

Impact:
Conflict page will be displayed on the identical keys and/or certificates. During deployment, those identical items will be displayed as different.

Workaround:
When copying a key and/or certificate from one BIG-IP to another without using BIG-IQ, use the "Upload File" option rather than "Paste Text" to import the key and/or certificate to the other device.


635584-1 : BIG-IQ setup wizard fails with "Cannot delete IP X.X.X.X because it would leave a route unreachable"

Component: BIG-IQ Fraud Protection Service (FPS)

Symptoms:
BIG-IQ setup wizard fails to configure management address with error "Cannot delete IP X.X.X.X because it would leave a route unreachable".

Conditions:
This issue is applicable when trunking is used for VLANs not named internal. The BIG-IQ UI does not support configuring trunks, but such a configuration can be created via other means (e.g. tmsh).

Impact:
As a result, system setup cannot be completed.

Workaround:
BIG-IQ system setup should be completed prior to creating trunks on new installations. For upgrade scenarios, the network configuration has to be removed so that system setup can be completed, after which the network configuration can be restored.


632900 : Bot Signatures/Bot Signature Categories User Defined Flag Behavior

Component: BIG-IQ Network Security

Symptoms:
In some cases, user created Bot Signatures and Bot Signature Categories imported from BIG-IP are classified as "system defined" on the BIG-IQ after import. This behavior is true even if a bot signature or bot signature category is designated as "user defined" on BIG-IP.

Conditions:
Seen when discovering user defined bot signatures from "pre 13.0.0" version BIG-IP devices.

Impact:
Bot Signatures and Bot Signature Categories created by a user on the BIG-IP get re-classified as "system defined" upon import into the BIG-IQ. Bot signatures so classified are not editable in BIG-IQ.

Workaround:
To make the bot signature editable in BIG-IQ simply reset the bot signature or bot signature category to "user defined" to match the "user defined" setting in BIG-IP.


632813-1 : Removing the global-fqdn policy may fail. The deployment may need to be done in 2 steps.

Component: BIG-IQ Network Security

Symptoms:
When doing a deployment in which the DNS resolver is removed from the Global FQDN Policy (effectively turning fqdn off on the BIG-IPs), this may fail with the following device error:

"Configuration error: dns-resolver can't be removed (atleast 1 AFM rule with source or destination fqdn attribute set.)"

This is due to an issue in the BIG-IP transaction processing.

Conditions:
This happens when a DNS resolver is configured on the BIG-IP and there are any address-lists or rules that use FQDN in the firewall.

Impact:
The deployment will fail. There is a workaround to do this in 2 phases.

Workaround:
In order to get around this issue, the deployment will need to be done in 2 phases. First, all address lists and rules that use FQDNs will need to be removed from the BIG-IP (deployment 1). Second, the global-fqdn can then remove the DNS Resolver to turn off firewall fqdn (deployment 2).


632201 : Users who are members of more than 40 user groups may fail to login.

Component: REST Framework and TMOS Platform

Symptoms:
If a user who is a member of more than 40 BIG-IQ user groups attempts to log into the UI, the login may fail with the error: 413 Request Entity Too Large.

Conditions:
User is a member of more than 40 user groups and attempts to log into the UI.

Impact:
Login will fail for these users.

Workaround:
Remove the user from user groups until the user is able to log in again.

Go to System > User Management > Users and click a user name to manage the user group memberships.


630648-1 : BIG-IQ HA: Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired

Component: REST Framework and TMOS Platform

Symptoms:
Zone of the secondary console node is set to default when two BIG-IQ console nodes are paired.

There is no impact if the Zone of the secondary console node is set to "default" or incorrectly set or gets overwritten when the BIG-IQ console devices are paired.

Conditions:
When the BIG-IQ HA pair is initiated, the data in the database on the secondary device gets overwritten. Therefore, if a Zone is set on a BIG-IQ console before HA pairing and that console is chosen as the BIG-IQ secondary device, then after the HA pairing is complete the Zone information on the BIG-IQ secondary is overwritten with the Zone named "default".

Impact:
None that affects the functionality of the product. It appears in the UI under System --> BIG-IQ HA that the Zone on the secondary device is set to "default".

Workaround:
After the BIG-IQ HA is set up, navigate to the System --> BIG-IQ HA page. Select the machine with Type "Secondary". Choose an existing Zone or create a new Zone as appropriate and click Update.


630437 : Parent policy items not shown when searching for items related to the child policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When performing related-to queries on Web Application Security objects, if a policy is set with a parent policy, the parent objects are not shown in the related-to query results.

Conditions:
This happens when policy inheritance (Layered Policies) is configured.

Impact:
Users might not see results they are expecting to see on related-to queries when layered policy relationships are involved.


629213-1 : Set filespace quota for file objects

Component: BIG-IQ Access

Symptoms:
Unable to download new file objects due to "exceeds storage quota" error.

Conditions:
The default storage quota is 500MB. If a user wants to store more than that amount, the quota must be changed.

Impact:
Inability to add new file objects.

Workaround:
To extend the storage quota, use the restcurl command to set a new value. Current value is obtained by:

# restcurl cm/system/file-object-configuration/storageDir
{
  "directoryPath": "/var/config/rest/fileobject",
  "generation": 4,
  "kind": "cm:system:file-object-configuration:fileobjectconfigurationstate",
  "lastUpdateMicros": 1491948519420631,
  "maxFilespaceBytes": 524288000,
  "name": "storageDir",
  "selfLink": "https://localhost/mgmt/cm/system/file-object-configuration/storageDir"
}

Use restcurl with PATCH verb to update maxFilespaceBytes:

restcurl -X PATCH cm/system/file-object-configuration/storageDir -d '{"maxFilespaceBytes":1000000000}'

{
  "name": "storageDir",
  "directoryPath": "/var/config/rest/fileobject",
  "maxFilespaceBytes": 1000000000,
  "generation": 5,
  "lastUpdateMicros": 1491948923168173,
  "kind": "cm:system:file-object-configuration:fileobjectconfigurationstate",
  "selfLink": "https://localhost/mgmt/cm/system/file-object-configuration/storageDir"
}


629041 : Access deployment failure with error "DNS resolver /Common/<dns resolver name>: Referencing a non existing route domain /Common/<route_domain_name>."

Component: BIG-IQ Access

Symptoms:
Access deployment failure with error "DNS resolver /Common/<dns resolver name>: Referencing a non existing route domain /Common/<route_domain_name>."

Conditions:
An error occurs during deployment when trying to deploy Access that includes a Local Traffic deployment as well.

Impact:
Access deployment fails.

Workaround:
The DNS resolver refers to a route domain that has not been created and deployed on the BIG-IP system. As a workaround, create a route domain for the device in BIG-IQ Local Traffic, and do a full Local Traffic deployment. After deploying Local Traffic, deploy Access again.


628451 : Child policy items not shown when searching for items related to the parent policy

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When performing related-to queries on Web Application Security objects, and the results contain parent policies that are related-to the searched object, only objects that are directly related-to the parent policy will be returned and not objects that are related-to the child policies that are using this parent policy.

Conditions:
This happens when policy inheritance (Layered Policies) is configured.

Impact:
Users might not see results they are expecting to see on related-to queries when layered policy relationships are involved.


627255 : When discovering a cloned BIG-IP, error message does not provide sufficient information

Component: BIG-IQ Device Management

Symptoms:
When discovery fails because of an attempt to discover a "cloned" BIG-IP, the error message does not provide enough information to guide the customer on how to resolve the issue.

Conditions:
When both a BIG-IP and a cloned BIG-IP are discovered from one BIG-IQ, the discovery returns an error but does not specify that the second BIG-IP is a cloned BIG-IP.

Impact:
The customer may not identify the root cause of the issue.

Workaround:
Fix the configuration of the cloned BIG-IP by updating the machine-id.


627105-1 : Incorrect Error when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
An error message appears when clicking on Tokens under Monitoring --> Access --> Federation --> OAuth --> Authorization Server --> Tokens

Conditions:
This error is seen only when no token record has yet been created on BIG-IQ and a user navigates to the Token page.

Only seen if no tokens are present in the BIG-IQ Access OAuth Federation elasticsearch index.

Impact:
No functional impact. It is an incorrect error message.

Workaround:
This error will not be seen if some logs are received from the managed BIG-IP which are in turn responsible for the OAuth token records seen under Reports.


624756 : Discovery failure occurs due to BIG-IP ASM software unexpected service restart - auto detect language

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IP has an issue that may cause a restart of services (tracked by BIG-IP bug 644725).
Since the restart on BIG-IP might cause connectivity issues from BIG-IQ, discovery/deployment issues might occur.

Conditions:
The BIG-IP must be affected by bug 644725, and the language of one of the policies must be set to 'auto-detect'.

Impact:
Discovery/deploy issues.

Workaround:
Either patch the BIG-IP with a fix to the issue or manually set the policy language on the BIG-IP.


624368 : BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP

Component: BIG-IQ Local Traffic & Management

Symptoms:
BIG-IQ fails to discover Rewrite profiles that have a corrupt passphrase on BIG-IP

Conditions:
BIG-IP has a custom rewrite profile from the GUI.

Impact:
BIG-IQ cannot discover the BIG-IP.

Workaround:
Use tmsh on the BIG-IP to create the custom profile instead of the GUI.


622676 : Dual management routes in the main routing table

Component: REST Framework and TMOS Platform

Symptoms:
Dual management routes might exist in the default routing table, main. On version 11.6.0, the system also produces an error message when querying SNMP ipCidrRouteTable.

Impact:
On affected versions earlier than 11.6.0, there are dual management routes in the main routing table. On version 11.6.0, you might also receive an error upon querying SNMP ipCidrRouteTable and/or snmpd core.

Workaround:
To recover from this issue, delete the duplicate route.

Duplicate route may return after a reboot.


620791 : BIG-IQ 5.2.0 images imported into previous versions of BIG-IQ may not be available after restart

Component: REST Framework and TMOS Platform

Symptoms:
When a BIG-IQ 5.2.0 image is imported into any previous BIG-IQ version (5.1.0 and earlier), it will be available in System management. However, if BIG-IQ services are restarted, the software image may no longer be available.

Conditions:
Restarting services (specifically, csyncd) on a BIG-IQ 5.1.0 or earlier that has a BIG-IQ 5.2.0 image imported.

Impact:
The BIG-IQ 5.2.0 image is not available for upgrades.

Workaround:
Re-import the 5.2.0 ISO for it to be available for upgrading the BIG-IQ device.


618101 : Access Reporting UI takes 30 seconds or more to load.

Component: BIG-IQ Access

Symptoms:
This happens when one or more BIG-IP devices discovered in the BIG-IQ system is not reachable from BIG-IQ.

Impact:
Access Reporting UI takes 30 seconds or more to load.

Workaround:
1) Navigate to Devices tab.
2) Identify the devices whose status is "Red"
3) Check if the devices are reachable (ping) from BIG-IQ.
4) Either remove the device or resolve its connectivity issue.


615822 : Deployment failure reported when attempting to deploy a change to TMOS v11.5.4 that would change a manual-type signature set to a filter-based signature set

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
If you attempt to deploy a change to a v11.5.4 BIG-IP where the change includes the migration of a manual-type signature set to a filter-based signature set, the deployment task will fail with the following error:

error code:500 Can't use an undefined value as a HASH reference

Conditions:
TMOS v11.5.4 experiences an issue when attempting to change the signature set type from manual to filter-based. This issue is tracked by BIG-IP issue ID 615930.

Impact:
Deployment tasks will continue to fail while this type of change is listed in the change set being deployed to the v11.5.4 BIG-IP.

Workaround:
Deployment tasks to this device will continue to fail until the change of signature set type is reverted or the signature set is replaced.


614199-1 : Profile - Client SSL - Cannot deploy Certificate Key Chain changes to root clientssl profile

Component: BIG-IQ Local Traffic & Management

Symptoms:
Due to an issue on BIG-IP, BIG-IQ cannot update the Cert Key Chain values for root profiles more than once. This operation is blocked on BIG-IQ to prevent modification from BIG-IQ which could lead to permanently blocking deployments from BIG-IQ.

An error occurs:
"transaction failed:010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type."

Conditions:
User needs to modify the Cert/Key chain values for the root Client SSL Profile.

Impact:
Cannot deploy Certificate Key Chain changes to root clientssl profile.

Workaround:
Manage these settings on BIG-IP and re-discover and import.


612292-1 : Customization file changes are not deployed when customization template and customization group objects are created in deployment

Component: BIG-IQ Access

Symptoms:
Customization file changes are not deployed when customization template and customization group objects are created in deployment.

Deployment is successful. On a subsequent evaluation, it indicates that BIG-IQ customization group is different from the one on BIG-IP.

Conditions:
When a customization template and its corresponding customization group are deployed for the first time to a non-source device, deployment is successful.

Impact:
Customization group files are not deployed in such cases.

Workaround:
Perform one more deployment and it deploys the customization group correctly.


606953 : Deployment of a new asm policy may result in failure.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The deployment of a new Web Application Security policy to a BIG-IP device is failing, and an "ASM subsystem error" appears in the BIG-IP's asm log.

Conditions:
This was related to an intermittent BIG-IP bug 606285, where a previous attempt to delete a policy by the same name failed during the removal process.

Impact:
Deployment failure.

Workaround:
If the deployment of a new Web Application Security policy to a BIG-IP device is failing, check the asm log on the BIG-IP. If an "ASM subsystem error" is shown, perform these two commands on the BIG-IP:

tmsh list asm policy one-line | wc -l

tmsh list asm policy one-line all-properties | wc -l


If the numbers from the two queries do not match, there is a mismatch on the BIG-IP that needs to be corrected. To correct it, remove the policy from bigip.conf:

# tmsh save sys config
# vim /config/bigip.conf
remove this section
-------
asm policy /Common/<policy_name> {
    encoding utf-8
}
-------
save and quit
# tmsh load sys config

and re-try your deployment from the BIG-IQ.
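
Before hand-editing /config/bigip.conf as described above, it helps to list which stanzas match the leftover shape. The script below is an added example, not F5 code or part of the original release note; the function names and the sample configuration are constructed, and it assumes a leftover stanza looks exactly like the one shown in this workaround.

```shell
#!/bin/sh
# Added example: list "asm policy" stanzas that contain nothing but
# "encoding utf-8", the shape of the leftover entry in the workaround.
# Read-only: it prints candidate names and never modifies the file.

# Assumption: a leftover stanza has its header at column 0, a single
# "encoding utf-8" line, and its closing brace at column 0.
find_stub_asm_policies() {
    awk '
        # Stanza header: asm policy <name> {
        /^asm policy [^ ]+ [{][ \t]*$/ {
            name = $3; lines = 0; only_encoding = 1; inside = 1
            next
        }
        # A closing brace at column 0 ends the stanza.
        inside && /^[}][ \t]*$/ {
            if (only_encoding && lines == 1) print name
            inside = 0
            next
        }
        inside {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "") next      # ignore blank lines
            lines++
            if (line != "encoding utf-8") only_encoding = 0
        }
    ' "$1"
}

# Constructed sample, not taken from a real device. The placeholder
# lines only stand in for "any other content" in a populated stanza.
write_sample_config() {
    cat > "$1" <<'EOF'
asm policy /Common/constructed_stub {
    encoding utf-8
}
asm policy /Common/constructed_full {
    encoding utf-8
    placeholder-block {
        placeholder-setting value
    }
}
asm policy /Common/constructed_stub2 {
    encoding utf-8
}
EOF
}

# With a file argument, scan that file; otherwise scan the sample.
if [ $# -gt 0 ]; then
    find_stub_asm_policies "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    find_stub_asm_policies "$sample"
    rm -f "$sample"
fi
```

Run it against a copy of bigip.conf taken after "tmsh save sys config"; the names it prints are candidates to review, not a list to delete blindly.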


599844 : Ltm log has GET_MEDIA and chmand error and failure messages on shutdown

Component: REST Framework and TMOS Platform

Symptoms:
Upon a reboot or power cycle from BIG-IP, shutdown messages may contain "err chmand[8242]: 012a0003:3: GET_MEDIA failure (status=0xc) page=0x14 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 385" messages.

Conditions:
Host is up and running. A reboot or power cycle is issued.

Impact:
None.


599838 : notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE/TRUE)

Component: REST Framework and TMOS Platform

Symptoms:
On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012.

Conditions:
This occurs only on VIPRION B2250, B4300, B4340N blades.

Impact:
The system posts the error messages. These messages are benign and can be safely ignored.


596082-1 : Incorrect information displayed by HA Inventory page in HA Error state

Component: REST Framework and TMOS Platform

Symptoms:
1) The "Promote to Primary" button is functional for the secondary BIG-IQ peer when it is selected from the list, even though the cluster is in an unhealthy HA error state.
2) The "Last Successful Sync" field incorrectly displays a successful Sync completion for the first 10 minutes after the initial, unsuccessful BIG-IQ Cluster synchronization attempt.

Conditions:
Something happened that prevented the initial HA Synchronization from completing or otherwise led the HA cluster to become unhealthy.

Impact:
The secondary peer in the BIG-IQ HA cluster is falsely presented as up-to-date and available for failover when actually the data from the primary peer has not been synchronized, and an HA failover is impossible.

Workaround:
1. Use the Status bar at the top of the screen to determine the definitive health status of the BIG-IQ HA cluster and its peers.
2. If the Status bar shows "HA Error", do NOT use the "Promote to Primary" functionality of the secondary peer.
3. As soon as possible, break up the unhealthy cluster by removing the secondary device on the primary device's BIG-IQ HA screen.
4. Re-add the secondary device to form a new BIG-IQ HA cluster.
5. Allow the synchronization to complete, ensure that the status indicators at the top display green/healthy status on both peers.


590791-1 : Rediscovery fails due to required REST framework upgrade although the error message does not indicate this

Component: BIG-IQ Device Management

Symptoms:
The BIG-IP service re-discovery might fail with a generic error message if the BIG-IP system needs a REST framework upgrade.

Conditions:
The BIG-IP device is upgraded offline and a BIG-IP REST framework upgrade is required but hasn't been done.

Impact:
Service rediscovery may fail with a nonspecific error message.

Workaround:
View the BIG-IP Device inventory list to see if the device needs a REST framework upgrade. Make the required upgrades to the REST framework.


590022-1 : Added a Logging Node, it appears to be added (In the Logging Configuration -> logging node Count increases) but does not show up in the list on Logging Nodes page

Component: REST Framework and TMOS Platform

Symptoms:
When you add a logging node, it may take a long time and you could receive an error message. However, if you then go to the Logging Configuration page, you can see that the log node count increased.

This means that adding the Logging node took longer than expected. It is added partially to the BIG-IQ system.

Conditions:
This could happen if there was an intermittent network issue on a VM. When the user adds a logging node, it might appear after a couple of minutes in the elastic search cluster (indicated by the incremented logging node count).

Impact:
Logging node not added to the BIG-IQ.

Workaround:
Go through the UI to add the logging node again.


585505-1 : Discovery and import allows a change in a policy's application language, but a deployment fails when application language is to be changed

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
When 2 devices share the same policy but with a different application language, the policy cannot be passed from one BIG-IP device to another through the BIG-IQ.

The cause of this issue is that BIG-IP doesn't allow a change in the application language field.

Workaround:
1. Clone the policy and attach the cloned policy to the virtual server instead of the original and deploy
2. Attach the original policy to the virtual server instead of the cloned policy and deploy
3. Remove the cloned policy from the BIG-IQ


582701-1 : At Scale, HTML Report fails to render in IE and Edge.

Component: BIG-IQ Network Security

Symptoms:
In IE & Edge browsers, the HTML report fails to generate when the report has too much data to display, which can be caused by the user selecting a large number of devices to generate the report and/or the data per device is too large.

Impact:
Reports are not available while using certain browsers.

Workaround:
There are two possible workarounds:
1) Use Firefox/Chrome.
2) Try reducing the number of devices selected for the report.


579422 : Evaluation shows unexpected differences after deployment for policy building settings (enabled)

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Evaluation shows unexpected differences after deployment for policy building settings (enabled). This is due to BIG-IP device behavior that alters the configuration when the configuration is synchronized.

Conditions:
This happens when deploying to BIG-IP device groups (clusters).

Impact:
Policy building mode on the BIG-IP device is not configured as set in the BIG-IQ configuration.


505455-1 : Adding a device to Access Group fails: Unable to calculate working config ID

Component: BIG-IQ Access

Symptoms:
Adding a device to an Access group fails when a device-specific object on the non-source device refers to an object that does not exist on the source device.

Conditions:
Adding a device to Access Group fails when there exists a shared object that is referred from a "Device-specific" object in the device being added.

Impact:
Failed to add the device to the Access Group.

Workaround:
To identify and resolve the issue, look into logs for errors such as "Failed to re-work references" and "Unable to calculate working config id". The logs will have information on the type of object that needs to be fixed on the BIG-IP system.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Wed Apr 26 14:27:41 2017 PDT
Copyright F5 Networks (2017) - All Rights Reserved