Release Notes : BIG-IP 12.1.0 New and Installation

Applies To:


BIG-IP LTM

  • 12.1.0
Release Notes
Original Publication Date: 01/30/2019 Updated Date: 04/18/2019

Summary:

This release note documents the version 12.1.0 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x/12.x.

Platform support

For comprehensive information about supported platforms, see:

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250
    • VIPRION B4300 blades in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
  • PEM and CGNAT supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 12.1.0 Documentation page.

New in 12.1.0

Networking

Enhanced Device Service Clustering with Mirroring using ECMP

When using ECMP on an upstream router to load balance packets for all-active high availability clustering, you can now enable a Spanning setting on a BIG-IP virtual address. This setting simplifies configuration of all-active clustering by causing the virtual address to become a member of multiple floating traffic groups within the device group. The result is that all devices in the device group can receive traffic from the ECMP-enabled upstream router, for the same application.

Mirroring in Message Routing Framework

The Local Traffic Message Routing Diameter Router and Session Initiation Protocol (SIP) Router profiles now support mirroring functionality.

SIP firewall functionality

You can now use the BIG-IP system Session Initiation Protocol (SIP) message routing functionality in a firewall configuration, providing stateful handling of SIP communication and media flows. You configure a Local Traffic message routing SIP profile, router profile, and virtual server, and then use that configuration with an Advanced Firewall Manager (AFM) DoS profile. In this firewall configuration, the SIP session profile, SIP router profile, and virtual server use Application Level Gateway (ALG) functionality.

Multicast routing support

In version 12.1.0, we now support PIM sparse mode, and PIM sparse-dense mode along with PIM dense mode (which was released with version 12.0.0). This feature does not support BIG-IP systems in the role of a rendezvous point for PIM sparse mode. This feature is available with licensed ZebOS dynamic routing and a Multicast Routing Bundle license.

Support lw4o6 tunnels

In this release, the BIG-IP system supports Lightweight 4over6 (lw4o6) functionality, which provides IPv4 service over an IPv6-only network. The lw4o6 configuration refines DS-Lite functionality to reduce the network address and port translation (NAPT44) states.

Multipath TCP passthrough functionality

The TCP profile now provides you with multipath TCP (MPTCP) functionality that eliminates the need to reestablish connections when moving between 3G/4G and WiFi networks. For example, when using MPTCP functionality, if a WiFi connection is dropped, a 4G network can immediately provide the data while the device attempts to resume a WiFi connection, thus preventing a loss of streaming.

FIX Low Latency (FIX LL) support on 10000 and 12000 Series platforms

Organizations using Financial Information eXchange (FIX) protocol require low latency and minimal jitter due to the time sensitive nature of trading applications. In this release, users can select a FIX Low Latency (FIX LL) FPGA bitstream firmware version, which optimizes the purpose built hardware with ePVA technology. The FIX LL bitstream solution is supported on the 10000- and 12000-series platforms. (For more information about ePVA, see SOL12837: Overview of the ePVA feature available on AskF5.)

Support for VXLAN GPE encapsulation

BIG-IP support for VXLAN now includes VXLAN GPE encapsulation, which extends the existing VXLAN implementation to support the processing of VXLAN GPE-encapsulated Ethernet frames. This support adds a Next Protocol field to the current VXLAN header. For ease of configuration, this feature includes a new VXLAN GPE tunnel profile.

Configurable limit for the SSL session rate

The BIG-IP system now includes a way to limit the new SSL session rate per Client SSL or Server SSL profile, to prevent excessive load from disrupting the normal operation of the system when a reboot or reset occurs. With this feature, you can define the maximum number of active handshakes that the system allows before discontinuing a handshake and displaying a message to the user.

TCP Analytics in AVR

TCP statistics and analytics are now available with AVR for virtual servers with TCP or FastL4 profiles. Customers can understand a wide range of TCP related stats, such as RTT maximum/minimum/mean, number of new connections, mean connection time, and more, from an individual flow to an aggregated level.

Improved status reporting for devices in a device group

The tmsh command show cm device has been enhanced to improve visibility into the overall status of devices in a Device Service Clustering (DSC) device group. The command now displays useful information about traffic groups, such as the number of currently-active traffic groups on a device, the next-active device for each traffic group, and the load factor of each traffic group.

New BIG-IP behavior for certificate expiration in SSL forward proxy configurations

For SSL forward proxy configurations, the BIG-IP system now treats expired certificates differently depending on when the certificate expires. For example, if a certificate expires within the configured lifespan value specified in a Client SSL profile, the system sets the validity to date to the date of the original validity to date in the certificate. If the certificate expires after the configured lifespan value, the system sets the validity to date to the current time value plus the configured lifespan value.

CGNAT

CGNAT DNAT

In this release, a more robust DNAT algorithm ensures static consistent mappings for a set of configured subscriber addresses to a set of translation endpoints. The new algorithm is not affected by changes in DAG hash, the number of TMMs, the number of blades, or HA configuration. The latest DNAT utility (dnatutil) is backward-compatible and can be used to reverse-map, using logs from previous versions and algorithms, as well as new static mappings.

Policies

Local Traffic policies redesign

In this release, redesigned centralized policy management simplifies the way that you can manage traffic associated with a virtual server. Using policies involves three basic steps: creating a draft policy, publishing the policy, and associating the published policy with a virtual server. The new BIG-IP Local Traffic Management: Getting Started with Policies documentation provides additional details.

Configuration operations

Optimized SCF behavior for saving certificates and keys

To improve performance, the device certificates and keys used for trust between BIG-IP devices are no longer saved in an SCF tar file. Instead, they are saved unencrypted in the SCF text file. Users can still use the existing option to encrypt the entire SCF text file if encryption is required.

Hardware-related

VIPRION B4450 blade

This release provides support for the new VIPRION B4450 blade. For more information, see Platform Guide: VIPRION 4400 Series or Platform Guide: VIPRION 4800 Series.

DDM support

This release adds support for viewing Digital Diagnostics Monitoring (DDM) information for interfaces that support DDM. For more information, see F5 Platforms: Essentials.

Fixed CVE issues in 12.1.0

ID Number CVE Number
440213 CVE-2013-6629
479814 CVE-2014-3940 CVE-2014-4027
519943 CVE-2013-5704
527364 CVE-2015-1781 CVE-2013-7423
529393 CVE-2004-2771
529394 CVE-2014-7844
529405 CVE-2014-0230
530252 CVE-2015-3416
533413 CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922
533698 CVE-2015-2325
534075 CVE-2015-6834 CVE-2015-6835 CVE-2015-6836 CVE-2015-6834 CVE-2015-6834 CVE-2015-6837 CVE-2015-6838 CVE-2015-6833 CVE-2015-6832 CVE-2015-6831 CVE-2015-6831 CVE-2015-6831 CVE-2015-3152 CVE-2015-5589 CVE-2015-5590 CVE-2015-4643 CVE-2015-4642 CVE-2015-4644 CVE
534633 CVE-2015-5600
537235 CVE-2015-4732
537236 CVE-2015-2590
537244 CVE-2015-2628
537255 CVE-2015-3183
537540 CVE-2014-9297 CVE-2014-9298 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405
538035 CVE-2015-3245 CVE-2015-3246
538058 CVE-2015-3209
538061 CVE-2014-8106
540767 CVE-2015-5621
540846 CVE-2015-5722
540849 CVE-2015-5986
542314 CVE-2015-8099
545322 CVE-2014-3565
545429 CVE-2015-6563
545430 CVE-2015-6564
546140 CVE-2015-7759
553902 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196
554624 CVE-2015-5300 CVE-2015-7704
554841 CVE-2015-7850
555672 CVE-2015-7703
556383 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
557810 CVE-2015-4852
560180 CVE-2015-8000
560948 CVE-2015-3195
560962 CVE-2015-3196
562159 CVE-2015-7981 CVE-2015-8126 CVE-2015-8472
567475 CVE-2015-8704
567484 CVE-2015-8705
577826 CVE-2016-1286

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation methods and commands:

  • Install to existing volume, migrate source configuration to destination: tmsh install sys software image [image name] volume [volume name]
  • Install from the browser-based Configuration utility: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.
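
The version rules in the upgrade sections above can be checked mechanically before scheduling a maintenance window. The following planner is an added example, not F5 code: `plan_upgrade` and its helpers are hypothetical names, a "4th element version" is assumed to be any version string with four dot-separated components, and the intermediate hop generalizes the page's 11.4.1 to 12.1.3 to 12.1.3.1 path by using the target's three-component base.

```python
import re

# Thresholds stated on this page.
MIN_ROLL_FORWARD = (10, 1, 0)      # earliest source that can roll forward
MIN_FOR_4TH_ELEMENT = (11, 5, 0)   # earliest source for a 4th element target
THIS_RELEASE = (12, 1, 0)          # the rules are stated for this release and later


def parse_version(text):
    """Turn 'v12.1.3.1' or '11.4.1' into a tuple of ints."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+){1,3})", text.strip())
    if not match:
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _key(version):
    """Pad to four components so that 12.1.3 sorts before 12.1.3.1."""
    return version + (0,) * (4 - len(version))


def _fmt(version):
    return ".".join(str(part) for part in version)


def plan_upgrade(source, target):
    """Return the ordered versions to install, ending with the target.

    A one-item list means the rules on this page allow a direct upgrade.
    """
    src, dst = parse_version(source), parse_version(target)
    if _key(dst) < _key(THIS_RELEASE):
        raise ValueError("the rules on this page cover targets 12.1.0 and later")
    if _key(dst) <= _key(src):
        raise ValueError("target must be newer than source")

    hops = []
    # Versions earlier than 10.1.0 cannot roll forward directly.
    if _key(src) < _key(MIN_ROLL_FORWARD):
        hops.append(_fmt(MIN_ROLL_FORWARD))
        src = MIN_ROLL_FORWARD

    # Assumption: four components means a "4th element version".
    # Pre-11.5.0 sources must first reach 11.5.0 or later; the target's
    # three-component base satisfies that for every target accepted above.
    if len(dst) == 4 and _key(src) < _key(MIN_FOR_4TH_ELEMENT):
        hops.append(_fmt(dst[:3]))

    hops.append(_fmt(dst))
    return hops


if __name__ == "__main__":
    # Constructed sample pairs, not taken from any real inventory.
    for src, dst in [("11.4.1", "12.1.3.1"), ("11.5.0", "12.1.3.1"),
                     ("10.1.0", "12.1.0"), ("9.4.8", "12.1.0")]:
        print(f"{src} -> {dst}: {' -> '.join(plan_upgrade(src, dst))}")
```
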

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
588946 You can install v11.5.4 on the 12250v platform, but are unable to license BIG-IP. This is because v11.5.4 is not supported on the 12250v platform. Install BIG-IP v11.5.4 on a 12250v platform. BIG-IP v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license the BIG-IP system. Workaround: Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.
223704 When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with an unknown operation error. Workaround: Before installing an SCF file, run the command: tmsh load sys config default. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
513501 When upgrading from a version prior to 11.5.0 to 11.5.0 or newer, the configuration might fail to load with an error similar to the following: LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool. On versions prior to 11.5.0, tmsh allowed users to configure overlapping DNAT and NAPT pools, even though this configuration is invalid and non-functional. Version 11.5.0 and later contain validation to prohibit such configurations. However, when upgrading versions newer than 11.5.0, a configuration that contains overlapping DNAT and NAPT pools fails to load. Configuration fails to load on upgrade. Workaround: Edit bigip.conf and locate the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.
434364 When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'. The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.'. The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change.
571333 When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead. 1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS. 2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN. 3. Send over SYN packet from client to server via VS. The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value. Workaround: Set the offload state to "established".
436075 Using syslog include field when the command 'syslog-ng -s' does not succeed before the upgrade. Using syslog include field. It is possible to roll forward an include field with invalid syntax. This will cause the configuration to fail to load. Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade.
581932 Upgrading to a newer version of the BIG-IP software removes the signatures that were installed using an IM signature package, and returns app signatures to the default version.
  - New '.im' signature package installed manually using the BIG-IP GUI or tmsh. This adds extra applications and categories to the default signatures.
  - TMOS software upgraded to a newer version, for example installing a rollup hotfix or an engineering ho
After rebooting into the new software volume, all the additional categories and applications are gone but the signature package is still showing as installed. This makes a simple re-installation of the new .im signature package impossible. The applications and categories are actually back to default settings for version 11.6.0. Workaround:

  1. After rebooting into the new software volume, open the bigip.conf file with a text editor and remove all the configurations from the 'ltm classification signature-version' stanza:
            ltm classification signature-version {
            }
  2. Manually remove the following files:
            /shared/lib64/libcec.so.11.6.0*
            /shared/tmp/classification_update.conf*
            /shared/lib64/libqmprotocols.so*
  3. Create the file /service/mcpd/forceload to force a reload of the mcpd binary database after the reboot by running the command: touch /service/mcpd/forceload.
  4. Reboot the system.
  5. Re-install the .im signature package.

436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. All of these conditions must be true:
  - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1 or any TMOS v12.x release. Upgrading to 11.0.0 or 11.1.0 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0.
  - It has a partition that has its default route domain set to a nonzero route domain.
  - That partition contains nodes with no route domain set (so the default is used).
  - That partition contains other nodes in route domain 0.
Those objects might no longer be addressable or able to connect. Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane.
415961 The upgrade process does not migrate unassigned HTTP Class profiles to BIG-IP 11.4.0 and later. When you upgrade a BIG-IP system to BIG-IP 11.4.0 or later, the upgrade process attempts to convert all assigned HTTP Class profiles to their equivalent local traffic policies. If an HTTP Class profile is not assigned to a virtual server, the upgrade process will not perform the conversion and the unassigned HTTP Class profile will no longer exist in the configuration of the upgraded BIG-IP system. Similarly, if you restore a UCS archive that contains unassigned HTTP Class profiles in BIG-IP 11.4.0 and later, the restoration process will not convert the unassigned HTTP Class profiles and these profiles will no longer exist. This behavior is by design. You might lose unused HTTP Class profiles in the configuration. Workaround: When upgrading to BIG-IP 11.4.0 and later or saving a UCS archive from a pre-11.4.0 system, you should consider the following factor: Prior to upgrading or saving a UCS archive, ensure that all HTTP Class profiles are assigned to a virtual server.
523797 The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error. Upgrade from 10.x. The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error. Workaround: Edit the process name path to reflect the location. For more information, see SOL13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13540.html
401828 The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. Workaround: Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile types. b) A SIP UDP virtual server must have UDP as one of its profile types.
490139 Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Workaround: Put comments in places other than immediately above the closing bracket.
496663 iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x/12.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. Workaround: None.
435332 If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x/12.x. Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common } Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }
532559 If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'. This condition could be caused by executing the following command when generating the configuration: 'tmsh modify ltm profile client-ssl clientssl defaults-from none'. The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile. Workaround: Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.
449617 If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration. Passphrase present in ssl-key file object. Configuration fails to load. Workaround: Remove passphrase line from the file object.
450050 Following upgrade from 10.x to 11.x/12.x, the config file fails to load. An error similar to the following is logged: load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'.
  - Upgrading from 10.x to 11.x/12.x.
  - respondclass configuration directives exist in /config/bigip.conf, for example: profile respondclass XXXX { ... }
Configuration fails to load. Workaround: It is safe in version 11.0.0 and later to manually delete the block: profile respondclass XXXX {.
586878 During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade. The issue occurs when all of the following conditions are met:

      1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
      2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
      3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, and versions 12.1.0 and later).
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
            -- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
            -- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
            Unexpected Error: Loading configuration process failed.
Workaround: To work around this situation, modify the configuration file before upgrading:
      1. Check the config file /config/bigip.conf.
      2. Identify the clientssl profile without a cert/key.
            For example, it might look similar to the following:
            ltm profile client-ssl /Common/cssl_no-cert-key2 {
            app-service none
            cert none
            cert-key-chain {
            "" { }
            }
            chain none
            defaults-from /Common/clientssl
            inherit-certkeychain false
            key none
            passphrase none
            }
            
            Note: The profile might have a cert-key-chain name but not the cert/key.
            In other words, it could also appear similar to the following example:
            ltm profile client-ssl /Common/cssl_no-cert-key2 {
            app-service none
            cert none
            cert-key-chain {
            default { }
            }
            chain none
            defaults-from /Common/clientssl
            inherit-certkeychain false
            key none
            passphrase none
            }
      3. Remove the clientssl profile from /config/bigip.conf.
      4. Run the command: tmsh load sys conf.
      5. Re-create the clientssl profiles you need.

435482 BIG-IP configuration object names that include a space may cause an upgrade or user configuration set (UCS) load to fail. As a result of this issue, you may encounter the following symptoms: Your attempts to upgrade the BIG-IP system or load a UCS fail. After loading a UCS file or upgrading from a configuration that has object names with spaces on BIG-IP 11.4.0 or a later version, the Configuration utility displays an error message similar to the following example: The configuration has not yet loaded. If this message persists, it may indicate a configuration problem. After loading a UCS file that has configuration object names that include spaces on BIG-IP 11.4.0 or a later version, a message appears similar to the following example: Unexpected Error: Configuration cannot be saved unless mcpd is in the running phase. Save was canceled. See 'show sys mcp' and 'show sys service'. If 'show sys service' indicates that mcpd is in the run state, but 'show sys mcp' is not in phase running, issue the command 'load sys config' to further diagnose the problem. This issue occurs when one of the following conditions is met: You attempt to upgrade a BIG-IP system from 11.3.0, or an earlier version, with a configuration that has configuration object names with spaces. You attempt to load a BIG-IP 11.3.0 or earlier UCS file, that has configuration object names with spaces, on BIG-IP 11.4.0 or a later version. The BIG-IP system upgrade or UCS load fails. Workaround: To work around this issue, you can boot back to the previous BIG-IP 11.3.0 or earlier version and rename all affected configuration objects to exclude spaces before upgrading or saving a UCS file. Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.
489015 An LTM request-log profile that references a non-existent pool can pass validation in 11.0.0 or 11.1.0, but fails in 11.2.0 or later, with an error similar to the following: 'The requested Pool (/Common/poolname) was not found.' This issue occurs when all of the following conditions are met: The UCS file has a Request Logging profile configuration with at least one of the following conditions: A Request Logging profile references a non-existent pool. A Request Logging profile references a pool in a non-default administrative partition without specifying the path to the /<partition>/<pool>. You upgrade from 11.0.0 or 11.1.0 to 11.2.0 or later and roll forward the configuration. You attempt to load an affected UCS created on 11.0.0 or 11.1.0 to a system running 11.2.0 or later. This can cause a load failure when rolling forward the configuration. Workaround: Correct the request-log profile in the config either prior to upgrade or by editing the config after.
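
A pre-upgrade check for the two client-ssl conditions described above (IDs 586878 and 532559), as an added example that is not F5 tooling and not part of the original release notes. The function names, the constructed sample configuration, and the choice to skip profiles with inherit-certkeychain true are assumptions; point it at a copy of /config/bigip.conf.

```python
import re

HEADER = re.compile(r'^ltm profile client-ssl (\S+) \{$')
ENTRY = re.compile(r'^("[^"]*"|\S+) \{\s*(\})?$')   # chain entry, possibly closed inline
QUOTED = re.compile(r'"[^"]*"')

def iter_clientssl_profiles(conf_text):
    """Yield (name, body) per client-ssl stanza; body is [(depth, line), ...]."""
    name, body, depth = None, [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if name is None:
            m = HEADER.match(line)
            if m:
                name, body, depth = m.group(1), [], 1
            continue
        body.append((depth, line))
        bare = QUOTED.sub('', line)           # ignore braces inside quoted names
        depth += bare.count('{') - bare.count('}')
        if depth <= 0:                        # stanza closed
            body.pop()                        # drop the closing brace itself
            yield name, body
            name = None

def parse_profile(body):
    """Split a stanza into top-level settings and cert-key-chain entries."""
    top, chain, in_chain, entry = {}, {}, False, None
    for depth, line in body:
        if line == '}':
            if depth == 3:
                entry = None
            elif depth == 2:
                in_chain = False
        elif depth == 1 and line == 'cert-key-chain {':
            in_chain = True
        elif depth == 1:
            key, _, value = line.partition(' ')
            top[key] = value.strip()
        elif depth == 2 and in_chain:
            m = ENTRY.match(line)
            if m:
                chain[m.group(1)] = {}
                entry = None if m.group(2) else m.group(1)
        elif depth == 3 and entry is not None:
            key, _, value = line.partition(' ')
            chain[entry][key] = value.strip()
    return top, chain

def has_pair(settings):
    """True when both cert and key are set to something other than none/'default'."""
    return all(settings.get(k) not in (None, '', 'none', 'default') for k in ('cert', 'key'))

def check_clientssl(conf_text):
    """Return [(profile name, release-note ID)] for profiles likely to fail on load."""
    findings = []
    for name, body in iter_clientssl_profiles(conf_text):
        top, chain = parse_profile(body)
        if name == '/Common/clientssl' and top.get('defaults-from') == 'none':
            findings.append((name, '532559'))
        if top.get('inherit-certkeychain') == 'true':
            continue                          # assumption: pair comes from the parent
        declared = 'cert' in top or 'key' in top or bool(chain)
        if declared and not has_pair(top) and not any(map(has_pair, chain.values())):
            findings.append((name, '586878'))
    return findings

# Constructed sample (profile names are hypothetical), modelled on the stanzas above.
SAMPLE_CONF = '''
ltm profile client-ssl /Common/clientssl {
    cert /Common/default.crt
    defaults-from none
    key /Common/default.key
}
ltm profile client-ssl /Common/cssl_empty_chain {
    cert none
    cert-key-chain {
        "" { }
    }
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_default_chain {
    cert-key-chain {
        default { }
    }
}
ltm profile client-ssl /Common/cssl_ok {
    cert-key-chain {
        site {
            cert /Common/site.crt
            key /Common/site.key
        }
    }
}
'''

if __name__ == '__main__':
    print(check_clientssl(SAMPLE_CONF))
```

Profiles reported with 586878 are candidates for step 3 of the workaround; a 532559 finding means the defaults-from value on /Common/clientssl needs editing before the upgrade.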

Fixes in 12.1.0

ID Number Description
223042 The HTTP encrypt_cookies profile option will now cause all matching cookies with each specified cookie name to be encrypted, rather than a single cookie for each name.
227069 There is now a number-of-dots field for the dns commands to allow changes to ndots in /etc/resolv.conf, so DNS search domain lists are honored as expected.
337826 HTTP::response is a new iRule which returns the entire header block from an HTTP response in a single string.
346829 This release correctly handles the behavior of proxy-mss and proxy-options attributes when TCP options differ on clientside and serverside, or when base MSS is different on the two TCP connections.
359905 You can now add a disabled pool member.
364994 TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.
365219 Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.
372118 Attempting to transition certs/keys/etc from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream now creates the file-objects on the target system in addition to the files being copied to the directories under /config/ssl/.
372473 The message is no longer logged when TMM crashes.
373949 The failover daemon has been fixed to recognize that the self-IP communication paths are non-functional while the TMM is starting up, and will not go Active until sufficient time has elapsed to conclude that the peer is not present. Since the device cannot successfully process traffic until the TMM is functional, this does not result in a delay in restoring service.
388274 LTM pool member link in the non-Common partition is now in the correct Network Map.
401893 The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.
402115 Empty stats results are now excluded from the reported memory in tmsh show sys memory. Each process on the platform will report one result, reporting the memory usage for that process. The results are otherwise unchanged.
402873 Source IP address for SNMP traps is now consistent if trap destination is configured on TMM interfaces.
404674 The ability to attach pre-existing SSL profiles was added to all relevant iApps in 11.4.0, so attempting to attach an SSL key/crt that has a passphrase no longer results in an error.
405635 This release contains a new tmsh command 'restart cm trust-domain' to restart device trust in these circumstances.
406001 Host-originated traffic can now use a nexthop in a different route domain.
410973 One of the overdog daemon's responsibilities is to ensure that system daemons are still running. Daemons are required to regularly send a signal to overdog to indicate that they are still alive. In 12.0.0 and previous versions, overdog issues a 'bigstart restart' command if this test failed. This behavior has been changed to cause mcpd to abort and dump core. This should cause very little change; most system daemons will still restart as they did before. This change was done to make it quicker for F5 product development to investigate this class of issue. To go back to the old behavior, run 'modify sys daemon-ha mcpd heartbeat-action restart-all'. Note that this is distinct from 'heartbeat-action restart', which permits the core files to be generated.
413708 A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved.
417548 The out-of-memory error no longer occurs in the GUI when there are thousands of FIPS keys.
418890 All SSL keys from version 10.x can be loaded correctly using the UCS file.
421012 scriptd no longer incorrectly reports that it is running on a secondary blade when it is not.
422854 In the output of the 'tmsh show sys hardware' command, the Blade and Chassis Model Names and Platform IDs are both reported consistently between VIPRION 4000-series and VIPRION 2000-series systems. The Blade Model Name is reported under the Platform section. The Blade Platform ID is reported under the System Information section. The Chassis Model Name and Platform ID are reported under the Chassis Information section.
425980 The system_check utility now logs the blade number as part of CPU status alerts to the system console and log messages. Such detail is not made available on the LCD display.
429075 The F5.IsHandler.dll does not throw an exception when IIS is running on a virtual machine.
433466 Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.
433897 This release contains validation that prevents datagroup elements that are longer than 65535 bytes each, so no TMM core occurs, and the correct datagroup is used.
435946 The Traffic Management Shell now posts warning messages and prevents configuration of conflicting failover settings.
436212 Upgrades now complete successfully for copper 1 Gbps modules configured with media other than the 'auto' setting.
438385 Now, when an empty client certificate is received, the system clientssl ignores the Certificate Verify message. Also, when an empty Certificate Verify message is received, but the Client Certificate is valid, the system sends an Alert with decode error. This is correct behavior.
441058 The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.
441482 SWG on 1600/3600 provisioning is restricted due to platform memory limitation.
441888 The system now displays Hardware SYN Cookie Protection only on the platforms that support it.
442139 Aborted UDP connections with parked iRules will be cleaned up normally and no longer match incoming packets.
447958 A slow clientside SSL connection no longer results in a timeout, because the default SSL timeout is now indefinite.
452660 When configuring a new SNMPv3 trap destination, or modifying an existing one, the engine_id applies to only the local BIG-IP system. The trap destination is still synchronized to HA peers, but the engine_id on these systems must now be locally configured on each.
455651 The parsing of regex and glob patterns has been improved for consistent behavior across MCP and TMM.
457149 User created when remote auth is configured will not have password expiry applied.
459471 create ssl-ocsp and ssl-cc-ldap config objects with different names.
460176 A Standalone unit does not spuriously assert that it is Active if the unit is not configured to be in a high availability (HA) pair when the serial cable is connected during failover. (This is the version 10.x behavior.)
471288 TMM now behaves as expected with session-related commands in iRules.
471835 The system can now invalidate an active port block if a translation request occurs during the short period of time between when a block expires and when we process the expiration, so PBA zombie statistics for the lsn-pool are now measured correctly.
472308 Enabling DHCP on the management interface no longer causes nodes in a DSC to get out of sync or otherwise work unexpectedly.
472376 The crash that can occur if a SIP virtual server is trying to send a message while a connection is shutting down will no longer occur.
473163 RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
474149 In this release, if the peer device (non self device) has gone through the management IP address change, the system correctly removes the old IP address from its internal storage, so the system operates without the cosmetic 'config digest module error' message.
478458 Put limitation of active SSL handshake configuration per SSL profile.
481162 The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.
481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.
481869 The issue has been addressed with two separate changes. The first results in a cluster member being marked down immediately when its blade is physically removed from the chassis. The second is the addition of a DB variable ("Clusterd.PeerMemberTimeout") that allows configuring of the timeout value used to determine when an unresponsive blade has been marked down. This controls how long before an unresponsive cluster member is marked down by its peers. Its default value is ten seconds, and it can be set as low as one second. This can help lower the delay before a failover occurs in the event of other blade power down scenarios, such as when a blade is powered down via the serial console or the 'bladectl' command.
482215 Concurrent HTTP::collect calls are not supported. This is now described in iRules documentation along with information about how to work around that, as follows: Use a TCL variable as a flag to control calls to HTTP::collect. If HTTP::collect is called, then set that variable. If the variable is set when you want to call HTTP::collect again, then avoid doing so. Clear the variable in the HTTP_REQUEST_DATA/HTTP_RESPONSE_DATA events, when the HTTP::collect is finished. The variable is set, then use that knowledge not to call HTTP state-changing commands. The intent of iRules wanting to do conflicting work while a HTTP::collect can be recorded. When the collection is completed, then those commands can be executed (i.e., move the conflicting code from HTTP_REQUEST or HTTP_RESPONSE to HTTP_REQUEST_DATA or HTTP_RESPONSE_DATA).
485293 Cleaned up shutdown mechanics for unmounting drives.
485432 If the management address of a BIG-IP is changed but management routes are configured with gateways in the old management address's subnet, the system generates a number of messages to acknowledge the broken configuration. This alerts you to the need to modify the management routes' gateways.
487194 Can now remove a profile from a virtual server and delete it inside a transaction.
487625 A corrupted filestore no longer causes qkview to hang.
487660 This release resolves CGNAT translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.
488188 This version of qkview responds to kill signals by deleting its temporary files before exiting, so no temporary files remain.
488417 Can now successfully load the configuration after upgrade if the admin account is disabled and replaced with a custom user, and no 'Input error: can't create user' error occurs.
488581 The Traffic Management Microkernel (TMM) process no longer restarts and produces a core file when using the SSL::disable client-side iRule command within an HTTP_REQUEST event.
489957 RADIUS::avp command now completes successfully when AVP contains multiple attribute (VSA).
490225 BIG-IP DNS/mcpd now checks for an existing key and does not import keys that already exist.
490801 Upgrade to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.
493743 BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades with hardware SYN cookie protection enabled by default no longer allow new connflow to be created after RST is sent.
494815 iControl REST now allows options parameter on DELETE, so iControl REST DELETE calls succeed as expected.
494867 Vendor ID cannot be 0. Upon update, if vendor-id is 0, set it to 3375. If user attempts to set vendor-id to 0, display warning and the system does not save the configuration.
496679 Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.
497104 The DNS cache hash table memory expansion warning message 'hash grow: malloc failed' now occurs four times a minute instead of an excessive number of times during the failed memory allocation events, so the log is no longer filled with excessive numbers of messages.
499614 GUI now handles cases where Monitors do not exist and returns 'Instance not found' message.
500786 Use FastL4 + HTTP-Transparent profile combination AND set http-transparent.enforcement.pipeline to "pass-through". This enables HTTP filter to run in "passthrough" mode. Hence avoid the excessive memory consumption.
501643 Connection no longer stalls after HTTP::collect in HTTP_REQUEST_DATA or the iRule.
502129 Persistence now works correctly when overridden via the persist iRule command.
503125 Excessive MPI net traffic no longer causes tmm panics on chassis systems.
503257 Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST.
503560 The validation logic is now changed so as to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.
503960 In addition to looking up the display name for a configuration item, the lookup will now attempt to resolve the configuration item ID to a user-readable string. This solution should work for most items in the configuration, allowing for more accurate diagnostics.
505071 For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.
505089 In this release, the system increments the syncookie reject stat only if a bad ACK could correspond to a syncookie the system issued.
506199 The system now ensures that VDAG entries get ordered correctly to avoid cases where VCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.
510189 When creating a virtual server with a DNS Profile, you will receive an error message whenever you attempt to provide a context for only the client-side or server-side of a protocol profile (udp or tcp).
511782 The iRule HTTP_DISABLED is now triggered as expected when using HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.
512130 Remote role group authentication now succeeds as expected with a space in LDAP attribute group name.
512618 This change should allow a user to retrieve SAs based on specific addresses using the racoonctl utility.
512954 ospf6d no longer crashes when a distribute-list is configured.
513239 Upgrade now successfully loads the config that contained an unsupported SSL profile cache-size attribute value. The system now changes the cache-size attribute value to 4194304, which is the cache-size max value beginning with version 11.5.0. You might see a message in the log similar to the following: Setting cache-size of serverssl profile (serverssl_profile_name) to 4194304. The cache-size max value is 4194304 from version v11.5.0 onwards.
513789 The system now correctly reports the following Syslog message as a warning: Inet port exhaustion.
514724 Allowed the crypto device to be restored and not keep the crypto-failsafe HA status in the fail state.
515764 The system now reports per-device PVA traffic stats in VLAN and interface stats.
517020 SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.
517184 Validation has been added to prevent configuring a duplicate MAC masquerade address in multiple traffic groups.
517456 Resetting virtual server stats no longer increments cur_conns stat in clientssl profile, which is correct behavior.
517590 The pool member's status updates when the pool's monitor is removed.
517790 The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.
518086 Wait and try SafeNet hardware security module (HSM) communication when MCPD is fully loaded.
518141 The configuration now loads successfully upon upgrade, and no longer produces an error if the internal data-group with string type has records that contain open/close brace under data attribute.
518304 New FPGA firmware and BIG-IP software have been designed to avoid and to predict the FIX flow hash collision. This provides extremely low rate of collision even at very high load in ePVA. A DB variable is used to configure a standard FPGA firmware or this enhanced FPGA firmware. BIG-IP automatically adapts its new function when the new FPGA firmware is loaded.
519216 The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.
520380 Enabled auto-sync and save-on-auto-sync no longer causes out-of-memory condition.
520682 In PBA mode connections now succeed and new port blocks are allocated as expected when subscriber attempts more than 512 connections to the same server IP and port.
521272 Fixes a memory leak in Authentication Token mechanism in restjavad.
521336 The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.
521572 The system now guards against creating so many tokens at once that the system runs out of memory.
521617 In this release, when a qkview utility is executed on a vCMP hypervisor with virtual disk templates, "Data publisher not found" errors are no longer logged in the ltm log by mcpd.
521820 vcmpd no longer logs 'Failed to populate one or more rows in tmstat table ... from JSON' errors on startup.
522635 iRule LSN::inbound-entry create is successful and LSN inbound entry is created as expected.
522647 The cosmetic issue in which hostagentd logged 'Failed to create directory' on startup has been fixed. The fix eliminates any directory creation race conditions where one daemon attempts to create a directory whose parent directory is created by one of the other daemons.
522871 Nested wildcard deletion now deletes matched objects only.
523471 The SafeNet library has been updated, and pkcs11d no longer cores intermittently.
523763 Now, child SSL profiles are also validated when a configuration change is made to the parent SSL profile, which prevents a silently occurring invalid configuration.
523854 RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.
523924 You can create VLANs using the wizard on VCMP guest without an incorrect error message.
523992 tmsh error map is now included in /etc/alertd. tmsh error maps include certificate expiration warnings (i.e., BIGIP_TMSH_TMSH_CERT_EXPIRED, BIGIP_TMSH_TMSH_CERT_WILL_EXPIRE). This information is used to create alerts for tmsh related errors (e.g., certificate expiration warnings).
524107 When editing an iRule with regular expressions (regex), you can use the regex metacharacters without modification, and the system does not recommend an incorrect resolution.
524641 Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.
524653 In order to reduce iControl SOAP authentication from clients other than iControl, a user may modify the DB variable 'icontrol.webrootenforcement' to be enabled, then restart httpd. Use caution when enabling this feature in order to avoid invalidating existing SOAP clients, in particular those SOAP clients that do not authenticate at the /icontrol/ webroot.
524657 This release correctly shows the prompt status in the case where no primary has been elected by adding '(NO PRIMARY) ' rather than 'P' for primary or 'S' for secondary. Previously, all blades would show 'S' for secondary, which is misleading. Also, the prompt does not show a status of 'PRIMARY DISABLED' if no primary has been elected.
524740 If the SCF or UCS being applied is using the management port for configsync operations, and the system where this configuration is being loaded has the DB variable 'configsync.allowmanagement' set to 'disable', the configuration now loads successfully.
524839 Moving self IPs between VLANs no longer leaves dynamic routing in an inconsistent state.
524861 Platform list in mkdisk now includes all supported BIG-IP platform numbers.
525133 Restarting TMM or running failover offline command no longer causes bigd 'emerg logger' error message.
525156 The Password field is only visible in the GUI if Security Type is set to Password. By default, Security Type is set to Normal. The field is always optional.
525557 FQDN ephemeral nodes are now repopulated after force deletion.
526431 The system now displays the virtual server iRule's full path instead of grouping them by partition.
526706 Setting cuSFP interface to media-sfp or media-fixed to none now generates an error, which is correct behavior. To disable the interface use "modify net interface X.Y disable".
526810 The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.
526974 Data-group member records no longer map empty strings to 'none'.
527011 An issue with intermittent lost connections with no errors on the external interface has been corrected.
527024 Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.
527027 Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.
527149 A FQDN node that was available now stays available after configuration load or reload.
527907 TCP reject virtual servers now correctly RST the connection.
528083 Daemon no longer cores on shutdown due to internal processing error.
528198 TMM now correctly sends RST when reject is executed in an FLOW_INIT event of an iRule.
528276 The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.
528310 Certificate Key Chain will inherit its partition from the parent SSL profile on creation.
528407 TMM no longer cores with an invalid lasthop pool configuration.
528559 Install Configuration on System :: Software Management :: Boot Locations page is now greyed out, and 'No' remains the default for users with only Resource Administrator rights.
528881 NAT names with spaces in them now upgrade properly.
528971 Selecting the 'Select All' check-box on the Traffic Groups page in the GUI now enables the 'Force to Standby' button. This allows setting all traffic groups to standby when using the select all check box.
529400 SSL profile configuration will display an error message indicating configured key/cert type does not match the configured cipher suites.
529508 Running the command: python / sniff_commit_id_update no longer produces a Segmentation Fault when receiving a malformed packet.
529627 The BIG-IP system now correctly upgrades the serverside connection of a LDAP virtual server to TLS.
530133 This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.
530264 Fix clears references to released memory when the parser discards whitespace.
530643 An issue has been resolved which caused the cmp_dest utility to return incorrect results.
530795 The BIG-IP system sends correct SEQ and ACK number in ICMP messages.
530812 The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.
531724 This release improves the save time for LTM data-group configurations by approximately 25%.
531944 Racoon on the primary blade now comes up as expected after bigstart restart on the secondary blade.
531982 After a dropped message, parser is returned to a state where it is waiting for the next message.
532559 Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'.
532799 The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 vlan route.
533458 On HSB lockup, the system now generates a core file, which contains stats and the state of the HSB driver when the failure occurred to help diagnose the failure.
533480 The system now handles running qkview while creating 20,000 or more pools or removing an external monitor from the /config/filestore/files_d/Common_d/external_monitor_d directory, so these conditions no longer cause qkview crash or hang issues.
533790 You can now use the GUI to add/remove IP addresses from a data-group IP address list without affecting other IP addresses.
533813 You can now configure an internal virtual server in a partition and load the config successfully.
533820 The resolver cache now correctly includes the information available for the authority and additional sections if the information is available.
533826 The snmpd image no longer increases in size on a VIPRION system processor.
534076 SNMP v1 traps now correctly use the configured trap-source.
534111 The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.
534458 SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differ.
534582 HA configuration no longer fails over when a standby system has only the base configuration loaded.
534890 When using session tickets, the session id sent is now correct.
535101 LSN pool configured with PBA mode no longer crashes with heavy load and udp_gtm_dns profile configured.
535299 Searching wide IP list now matches aliases.
535544 After this change, the above-mentioned properties are always listed, irrespective of whether they have a default value or not.
535759 SMTP monitor now closes the TCP connection (sends a FIN) after receiving a QUIT command from the client, so an SMTP monitor does not mark a server down when it is available.
536191 Transparent inherited TCP monitors no longer fail on loading configuration.
536505 Pool members now have traffic correctly forwarded to them if their status changes (that is, they become active/inactive) after sessions are created.
536746 Specifying a search filter on LTM : Nodes List no longer affects the output on LTM : Virtual Address List. Virtual Address List now has its own fixed, general filter, and is not affected by filter settings on any other object.
537326 Configuration loading no longer fails with a NAT in DNS section.
537964 Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.
538133 The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.
538255 The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.
538603 TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.
538639 Performance improvements for P-256 ECDH and ECDSA algorithms.
538663 SSO token login now works with the correct role assignments to a remote user.
538705 The system now performs SYN cookie validation only on TCP flows.
538722 There is now a configurable maximum message size limit for restjavad. Restjavad still reaches an out-of-memory condition if it receives very large messages (approx 200 MB), but there is now an option of setting a 'hard cap' that causes restjavad to discard these large messages, preventing the out-of-memory condition.
538784 The system now correctly identifies an empty HTTP payload and sends the appropriate ICAP header, identifying that there is no HTTP payload included.
539361 TMSH output for the command 'tmsh show sys raid disk all-properties' has been modified, removing the Wearout, Available Space and Remaining Life parameters. In addition, there is a single column indicating the results of the SMART Health Assessment.
539742 TMSH no longer shows an error message when listing pool with a port 2222 or 44818 pool member and other pool members.
539784 Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.
539832 The BGP extended community attributes now work as expected.
540213 When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.
540473 When the peer/clientside/serverside iRule contains parking commands, tmm no longer cores upon connection reuse.
540484 Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.
540530 Enabling the redirect-http-to-https setting on a vCMP guest no longer causes the block-device-images and block-device-hotfixes visible to the guest to become inconsistent with what is present on the vCMP host.
540740 Reduce log level of low-level socket errors to INFO.
540871 Using the GUI to update/delete SNMPv3 users now works as expected.
540893 Fixed occasional RST in response to valid syncookie ACKs when under uneven load.
540923 TMSH now filters correctly when using the tmsh list ltm node command.
540949 LB::select is no longer visible in tab-completion help, so the issue of the command not working on CMP systems is no longer relevant.
541126 After restarting pkcs11d, Safenet connections no longer fail with the message 'cannot locate key'.
541134 HTTP/HTTPS monitor no longer transmits any L7 data when send attribute is set to 'none'.
541316 Device forced offline remains forced offline after restoring a UCS and rebooting.
541569 Now, when NAT-T is enabled, IPsec tunnel can be established as expected.
541571 FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.
541693 A child monitor now inherits time-until-up and up-interval settings from the parent monitor.
542009 tmm no longer loops and gets killed by sod when the system tries to process an invalid MPI message.
542191 Multiple snmpd views with the same community string are supported.
542292 The BIG-IP system now serves MIB files that Chrome no longer decompresses automatically.
542306 The BIG-IP system no longer posts cosmetic messages similar to the following during bootup: _ready_set_initialize: tmstat_table_register() failed, err -1.
542564 This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added. Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db var: modify sys db bigd.debug.timingstats value enable. With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats:
  • load (0-100%) 1-minute mean.
  • load (0-100%) 5-minute mean.
  • number of monitor instances active for this bigd process.
  • number of active file descriptors, 30-second average, this process.
  • peak number of active file descriptors past 30 seconds, this process.
In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load, by default.
542672 The SSL key/cert/crl can now be imported from any location in the file system.
542724 TMM no longer crashes if there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions.
542742 SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542853 The tmm process no longer restarts when there is an LTM policy assigned to a virtual server, the policy actions utilize Tcl command substitutions, and the command substitution is unsuccessful.
542860 Running the TMSH command or racoonctl utility to delete IPsec SAs during an HA Active-to-Standby (or vice versa) event does not result in a TMM crash, and the IPsec SAs are deleted as requested.
542987 With the fix, ICMP traffic with identifier information is encapsulated in a MAP-E tunnel with the correct MAP-E CE IPv6 address.
543220 Global traffic statistics now include the correct PVA statistics in the GUI and in TMSH.
544028 This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.
544325 LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.
544375 Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.
544481 Excessive DPD message exchange no longer causes the IPsec tunnel to fail.
544888 Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.
544913 Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.
544963 The default virtual disk image size has been increased to 150 GB. Furthermore, the 'vcmp.vdisk.new_image_size' DB var has been added to allow users to modify the size of newly created virtual disk images in the event that the new default value is not large enough.
544989 OSPF distance command no longer gives an error and works as expected to modify Open Shortest Path First (OSPF) behavior.
545214 OSPF distance command now persists across ospfd restarts.
545263 Add limitation for active SSL handshakes to prevent CPU and memory exhaustion.
545745 The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.
545799 Dashboard now includes derived throughput history in export.
545849 The evaluation of load factors is now performed consistently, so that changing the HA Load Factor results in reassignment of the next-active device, if appropriate.
545986 dnatutil no longer aborts when encountering recoverable parse errors.
546085 Daemon no longer cores on shutdown due to internal processing error.
546183 'tmsh show sys traffic' now shows the correct 'No_license' counter.
546410 10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.
546747 An SSL connection can be successfully brought up regardless of how many packets are used to send one ClientHello record.
546760 A null pointer access in snmpd has been fixed.
547382 The virtual server that uses DSR pool now allows the pool-member to use the BIG-IP system's self-IP as the tunnel local, irrelevant to the application flow.
547532 Ensured that the complete state for addresses in the default route domain is propagated to secondary blades.
547732 TMM no longer cores when SSL::disable is used on an already established serverside connection; it now logs the warning 'Connection error: hud_ssl_handler:605: disable profile (80)'.
547815 This release fixes a potential DNS transparent cache memory leak.
548053 User with 'Application Editor' role can now modify 'Description' field using the GUI.
548239 Route-maps used with BGP now correctly match route tags.
548385 The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from the parent folder now return correct results.
548452 This release adds validation of virtual server profiles, guaranteeing that a virtual server does not reference both an HTTP profile and an MBLB profile.
548563 The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.
548583 TMM no longer crashes on standby device with re-mirrored SIP monitor flows.
548611 The built-in limits for random early drops and memory reaping are now aligned with the sweeper. The configured low-water mark is used to drive all three algorithms, and memory reaping targets five percent below the configured low-water mark. Along with this, the tcpmemorypressure variables are deprecated, and no longer used to control random early drops: these are now driven by the sweeper global memory constraints. The random early drop logic has been revised to provide more stable behavior across all pressures. The memory reaper will target the global low-water mark minus five percent, in order to prevent sticking right at the point where the aggressive sweeper will activate.
548680 TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.
548866 When Tomcat runs out of memory and becomes unresponsive, it will restart itself automatically.
549406 The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.
549494 The $RESPONSE_SIZE, $RESPONSE_MSECS, and/or $RESPONSE_USECS variables fail when used in a request template, as they should. Failed substitutions evaluate to either empty strings (in the case of bare variables, e.g., $RESPONSE_SIZE) or the user-provided default text for the field (e.g., ${RESPONSE_SIZE:dummy_value} inserts the string 'dummy_value' in the request log).
549543 The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.
549782 The driver was corrected so that when the interface is brought down, all the xfrags currently in the ring buffer are freed.
549800 Renaming a virtual server now works as expected, and does not result in buffer overflow or failover.
549943 Remote users now authenticate when using LDAP Auth with SSL.
550193 TMM no longer crashes if the wrong mime types (text/javascript or any other invalid mime type) are configured in the Content-Type Selection list of HTML profiles assigned to virtual servers that also have rewrite-uri-translation configured.
550253 SNMP query responses for sysPacketFilterStatHits are now accurate.
550307 Setting the ssl_check_peer field is now effective for system-auth ldap configs.
550669 Resolved resource leak so monitors continue to work properly.
550689 Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.
550694 Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.
551010 Gracefully recover from unexpected WAM storage queue state
551451 In this release, HTTP/2 ciphers always come before non-HTTP/2 ciphers, at the top of the list, so they are always in sync and do not result in connection errors.
551622 Configuring an interface as 'untagged' in a QinQ (double-tagged) VLAN no longer results in continual bcm56xxd crashes.
551661 If the monitor send-recv strings contain a double-quote character ("), the system now adds quotes to the input.
551927 Use the nexthop VLAN for ePVA transformation for offloaded flow when available, instead of the incoming VLAN
552151 Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).
552153 The profile-fk-class-id will not be saved in the config files. Config saved through iCR will load successfully.
552176 Enforce order when processing delete requests in a transaction.
552532 Oracle monitor functions now as expected with UTC and other time zones.
552865 When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.
552931 All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.
552937 The TMM will no longer core due to not being able to handle the next pipelined request after an HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.
553236 The updatecheck script now successfully evaluates intervals between year changes.
553311 The tmm crash caused by the route pool configuration is fixed.
553576 Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.
553613 FQDN nodes now support session user-disable
553649 The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.
553688 This release contains a fix that prevents a double free on error within the SPDY component.
553741 The color management library and functionality have been restored.
553776 BGP now always includes the correct nexthop on default route advertisements.
553909 The sending of the configuration files in /config from the primary blade to secondaries could have been delayed if a large number of other files were concurrently modified on the primary blade that also need to be synchronized to the secondaries. There is now a separate queue for each directory mirrored between devices. A large number of file changes outside of /config will no longer affect file syncs in /config.
554295 The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers. Note: If CMP is disabled, hardware syn cookie must also be disabled for virtual servers to mirror connections. This is expected behavior.
554444 When removing HTTP headers from a request or a response, LTM Policy no longer treats a missing header as an error, and no longer resets the connection as a consequence.
554593 This release fixes the SSL memory leak that occurred when the peer sent a certificate chain (Root-Intermediate-Leaf) but the BIG-IP system's SSL configuration has only Root certificate configured as a trusted CA.
554659 There is now a configurable maximum message size limit for restjavad. Restjavad still reaches an out-of-memory condition if it receives very large messages (approx 200 MB), but there is now an option of setting a 'hard cap' that causes restjavad to discard these large messages, preventing the out-of-memory condition.
554761 TCP Timestamps are now maintained on all negotiated flows.
554774 The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.
554967 Truncated DNSSEC or iRule DNS packets are RFC-compliant.
555020 Connections are no longer reset when connecting to an L7 VIP on a BIG-IP in software Syncookie mode.
555156 When changing the monitoring configuration, the health checks now resume for FQDN node types.
555356 Unsupported command options (such as 'reload-config', 'establish-sa', and 'vpn-connect') are now removed from the racoonctl utility.
555369 This release fixes a memory leak that occurred when rejecting non-TCP/UDP inbound traffic.
555432 bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.
555549 The command to set the ltm node state to user-down now successfully brings pool member state offline.
555686 The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.
556031 An iRule execution error under a virtual server with an adaptation profile does not crash tmm.
556103 This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.
556117 The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.
556249 show net cmetric works again for non-default route domains.
556284 GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.
556380 Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.
556560 DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted. The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers. The subsequent code paths which depend on the OPT record's position now work as expected.
556568 The error in parsing fragmented ssl records has been resolved.
557144 Flapping dynamic routes no longer trigger a tmm crash.
557281 When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forward process no longer consumes increasing CPU.
557452 Reduced the log level for cand reporting unsolicited data to the debug level.
557484 The system now supports cookie parsing to set cookie 'expires' attribute to 0 (for example, through the 'HTTP::cookie expires' iRule API).
557492 Connections Redirected counter now reports correct value under 'tmsh show sys tmm-traffic' and 'tmsh show sys tmm-traffic global' as well as under sysTmmStatCmpConnRedirected and sysGlobalTmmStatCmpConnRedirected SNMP OIDs.
557548 TMM has been changed to stop trying to reset the Nitrox after 3 attempts.
557645 Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.
557648 Include Amazon EC2 web service tools from latest version of the toolset. Included is support for AWS pool autoscale functionality.
557783 TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.
558072 Thales HSM no longer requires both the Token (OCS) and Module keys to be entered when prompted for the Thales HSM slot password, when only Module key protection is enabled.
558474 Made return value type consistent regardless of the IP address.
558517 The system no longer appends extra escape characters to monitor send/receive strings after upgrading.
558534 The TMM no longer crashes when the HTTP uri rewrite feature is used with APM.
558573 Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.
558612 The BIG-IP will not encounter a system failure when syncookie mode has been activated.
558779 The dot3 stats are now available.
559100 The system now allows forward slash in the certificate name to be imported to a sub-partition.
559377 This release fixes cookie parsing for empty cookie pair values so there are no iRule cookie parsing errors.
559584 A configuration containing a number of nested objects no longer takes a long time to list or save, so iControlREST no longer times out. Note: You might still encounter this issue in configurations that have greater than ~6000 nested objects, which is the largest number tested.
559933 tmm no longer leaks memory on the vCMP guest in SSL forward proxy configurations.
559939 Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.
560231 The HTTP filter will no longer cause a RST packet to be sent instead of a FIN packet if a back-end server closes a connection while pipelined requests are buffered.
560423 Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.
560584 The GUI will no longer hide the Common Settings table for IKE Peer configuration when the "Disabled" state is selected. This will preserve any non-default values that have been set in the Common Settings table.
560683 The intermittent tmm crash no longer occurs in a high availability (HA) configuration with IPSEC traffic and multiple failovers.
560696 Upgrades no longer remove quotes and slashes from iRule references when there are file objects of the same name.
561859 Dropped packets no longer cause an occasional crash.
561962 The correct address is logged for the 'postNATDestinationIPv4Address' field of NAT64 IPFIX outbound logging messages.
562044 Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.
562122 Adding a trunk no longer disables vCMP guests.
562292 TMM no longer crashes with iRules that contain a periodic after command, which itself contains a periodic after command whose contents park. These iRules now complete as expected.
562566 Persistence entries are no longer retained beyond their expiration.
563064 Cipher memory is freed when an IPsec tunnel is removed
563227 The race conditions involved around dropping an offline pool member have been resolved.
563475 The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.
563560 Archiving iStats had an internal leak that eventually leads to an overflow that causes the iStats to reset. This leak was fixed.
563591 tmm should not crash on this condition any more
563687 GTM/BIG-IP DNS sends an A query to the server if it receives AAAA responses with an RCODE other than 3.
564248 Persistence entries created when the HA connection is down are now marked for mirroring. They will be remirrored when the HA connection is reestablished.
564255 Can now use the GUI to view and enable/disable the ssl_check_peer setting for LDAP or Certificate LDAP for authentication.
564371 FQDN node status will now change to Unknown if monitoring is removed.
564427 Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.
565136 The statistics table that presented invalid statistics has been improved such that it will not cause merged to process invalid statistics data and thus will no longer core due to the issue of temporarily invalid statistics being published by some services.
565810 A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.
566361 The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.
567105 LDAP attributes are now correctly fetched for Remote Role Group matching.
567167 In complex situations involving HTTP Fallback, the TMM is more robust to unexpected events occurring.
567217 Support '-padding' option for CRYPTO::encrypt and CRYPTO::decrypt iRules.
567293 find-activate.pl no longer becomes stuck in an apparent infinite loop when unable to resolve root nameserver.
567836 This release handles parsing of the IPsec GUI when setting KBLifetime to max value, so parsing of KBLifetime values 2147483648 to 4294967295 occurs without error.
568078 HTTP Fallback mode no longer generates more than one abort when it encounters unexpected events.
568182 IPsec now removes IKE-SA on change traffic selector, so SA status now matches across systems.
568889 The BIG-IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.
569236 Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part one of a two-part fix. Fixes for bug 583285 provide part two of the fix.
569280 The BIG-IP system now deletes the SA on both the original and the peer system in response to the commands erase/modify ike-peer.
569301 Customers using the f5.microsoft_sharepoint_2010_2013 iApp version 1.2.1 or older should upgrade to the latest version available from downloads.f5.com. Customers using LTM policies in their own iApps should implement the workaround as described.
569642 TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.
570058 The double-release of the packet memory for the IKEv2 message has been fixed so that the rare sequence of IPsec configuration change does not cause TMM core.
570419 Use of session DB on multi-process appliances and blades no longer cores when bringing up blades as well as bringing peers online.
571210 Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.
571573 The BIG-IP now correctly enforces the poolmember/node connection limit.
571635 The link partner connected to a VIPRION B2100 or B2150 blade via an OPT-0016-002 optics module no longer registers link error counts when the VIPRION B2100 or B2150 blade reboots.
571700 Topology records are now ordered consistently.
572224 Vendor-specific RADIUS AVP commands no longer generate errors.
572255 With the fix to this bug, there are two cases. If you change the httpd ssl-port while in a trust, then the change is sync'ed to all devices in the trust. If you change this value on a standalone device and want to create a trust, then you must change the value on each target device first and then create the trust by adding each device.
572788 Dynamic routing functions properly on interfaces with names longer than 15 characters.
573402 When netHSM is used, the benign 'C_GetAttributeValue error' messages are no longer posted.
574045 Received BGP attributes using extended length are no longer rejected.
574153 SSL will clean up the connection immediately upon completion of all outstanding Nitrox requests when the TCP connection is shut down.
575595 Resolved a memory leak in mcpd resulting from a query of eviction policy stats.
575608 This release fixes the memory leak that could occur when querying virtual server stats.
575619 This release fixes the memory leak that could occur when querying pool member stats.
575626 The potential leak has been patched out of an abundance of caution.
575660 This release fixes the memory leak that could occur when querying system performance stats.
575671 This release fixes the memory leak that could occur when querying host information stats.
575708 This release fixes the memory leak that could occur when querying CPU information stats.
575735 This release fixes the memory leak that could occur when querying global CPU information stats.
576296 Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.
576752 A Licensing Warning no longer displays when CGNAT is licensed and LTM is provisioned, which is correct functionality.
577683 L4 connection mirroring continues to update the idle timer on the standby unit after an HA channel flap and failover.

Behavior changes in 12.1.0

ID Number Description
346829 Defaults have changed to 'enabled' for the Proxy Options settings in TCP profile. This preserves existing behavior, except that proxy-mss now also examines the negotiated clientside MSS when deciding on advertised serverside MSS. In addition, tcpdump now reveals more frequent matching of payload side on clientside and serverside, likely resulting in higher CPU performance.
385237 The maximum size of a single iFile has been increased from 4MB to 32MB.
402627 The fix will modify the behavior in the following manner: Behavior before the fix: The ip-address and port were expected to be updated only for redirected URI that used http scheme. Any other scheme was not supported. If the URI used any other scheme such as https:// the LTM would update only the ip-address but fail to update the port. This exposes the internal, potentially private, pool member information to the external world for https URIs. Behavior after the fix: When redirect-rewrite is enabled, LTM will replace the pool member ip-address and pool-member port in the 'Location' header of the HTTP redirect reply with virtual's ip-address and port when needed. If the Location header uses 'http://' as URI scheme, it will be replaced with 'https://'. The ip-address and port change will be independent of http to https change. So for example, if the redirect URI already uses https:// only the ip-address and port will be updated when needed, leaving the scheme unaltered. This assumes the virtual attached to the http profile will be the one handling the redirected https. Please note that if the URI has any scheme other than either http:// or https://, such as rtsp://, that URI's port will not be updated.
410973 One of the overdog daemon's responsibilities is to ensure that system daemons are still running. Daemons are required to regularly send a signal to overdog to indicate that they are still alive. In 12.0.0 and previous versions, overdog issues a 'bigstart restart' command if this test failed. This behavior has been changed to cause mcpd to abort and dump core. This should cause very little change; most system daemons will still restart as they did before. This change was done to make it quicker for F5 product development to investigate this class of issue. To go back to the old behavior, run 'modify sys daemon-ha mcpd heartbeat-action restart-all'. Note that this is distinct from 'heartbeat-action restart', which permits the core files to be generated.
463475 When upgrading from an older version with network-HSM (Thales or SafeNet) installed, now there is no need for a new manual user-invoked netHSM installation after the upgrade.
474695 Added "failure-cause" option to "show ltm lsn-pool" TMSH command, to display reason for translation failures.
501339 The system now prevents configuring a virtual server to use an SSL persistence profile together with a TCP profile that has Verify Accepted enabled. The Verify Accepted setting is not compatible with SSL persistence, but some previous releases did not prevent this configuration. During the upgrade process, the SSL persistence profile will be removed from any virtual server that also uses a TCP profile that has Verify Accepted enabled.
502704 Added "forward_compact" option to --action to display a range of translation endpoints instead of listing individual endpoints, thus abbreviating the forward mapping display.
510189 When creating a virtual server with a DNS Profile, you will receive an error message whenever you attempt to provide a context for only the client-side or server-side of a protocol profile (udp or tcp).
517315 Allow overlapping of lsn-pool translation members/backup-members, when translation port-range does not overlap.
518304 New FPGA firmware and BIG-IP software have been designed to avoid and to predict FIX flow hash collisions. This provides an extremely low rate of collision even at very high load in ePVA. A DB variable is used to select either the standard FPGA firmware or this enhanced FPGA firmware. BIG-IP automatically adapts its new function when the new FPGA firmware is loaded. The DB variable is relevant only for LTM.
524843 Upgrades and UCS restore operations now fail when the value contains an embedded wildcard.
526170 Before: When you create Safenet or Thales HSM keys, the system does not validate whether or not External HSM is licensed. Now: When External HSM is not licensed, the system does not allow you to create Safenet or Thales HSM keys. This applies to all three programs: the fipskey.nethsm utility, the TMSH command, and the GUI. See examples below.

            [root@localhost:Active:Standalone] config # fipskey.nethsm --genkey -o test
            External HSM is not licensed. Key creation is not allowed.

            [root@localhost:Active:Standalone] config # tmsh
            root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create sys crypto key testlicense.key security-type nethsm
            Syntax Error: External HSM is not licensed, NetHSM key security type is not allowed.
528109 The tmsh save sys config file command now requires a passphrase to succeed. If no passphrase is provided, an error is thrown.

            ex:
            (tmos)# save sys config file hello.scf
            Data Input Error: "passphrase" passphrase should be provided or use the no-passphrase option

            (tmos)# save sys config file hello.scf no-passphrase
            Saving running configuration...
            /var/local/scf/hello.scf
            /var/local/scf/hello.scf.tar

            (tmos)# save sys config file hello passphrase myphrase
            Saving running configuration...
            /var/local/scf/hello
            /var/local/scf/hello.tar
            Encrypting configuration files ...

            If the passphrase is not needed, use the no-passphrase option.

            (tmos)# save sys config file hello.scf no-passphrase
            Saving running configuration...
            /var/local/scf/hello.scf
            /var/local/scf/hello.scf.tar

529400 The system now reports an error if the clientssl profile has no usable ciphers, that is, the cert/key type of the cipher string does not match that of the configured cert/key. In the past, no error was reported for this bad configuration.
530133 This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.
539130 bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable. Successful command exits are also logged for completeness, since these log messages appear only when debugging is enabled.
544325 In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP packet containing the 'administratively filtered' type code for the same scenario. In this hotfix/release, the 11.2.1 behavior is restored. In this case, the system responds with an ICMP packet containing the type code set to 'port unreach'.
544924 Removed irrelevant daglib-related information from the dnatutil summary display for DNAT log version 4, since dag is no longer used in determining the client mapping, as of 12.1.
545263 New db variable "tmm.ssl.maxactivehandshakes" limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.
545849 Assignment of traffic groups to devices using the HA Load Factor failover method did not produce predictable results. Once all devices in the Device Service Cluster are upgraded to the new version, the assigned loads will be distributed more evenly.
547642 CGNAT Deterministic NAT validation will prevent configuration of Virtual Server with LSN Pool, when the ratio of client addresses to translation endpoints is less than one.
547997 Installation of a FIPS 140-2 Compliant Mode license causes reordering of ciphersuites defined by a given cipherstring in the clientssl/serverssl profile. The reordering part of the changes can be replicated by adding the "@fips" keyword to the list of ciphersuites. The @fips action is similar to, for example, @speed in that both cause reordering (@speed causes reordering of ciphersuites by speed). In addition, we introduced the FIPS set. In BIG-IP 12.1.x the FIPS set is defined as "ALL:!rc4:!camellia:!des:!adh:!ecdh_rsa:!ecdh_ecdsa". FIPS is a dynamic set and is allowed to change between major releases (similar to, for example, the DEFAULT set). Customers would need to manually place FIPS into the profile's cipherstring as needed. These changes are not expected to introduce any upgrade issues. There are no persistent automatic modifications done to customer-defined clientssl/serverssl profile configuration as a result of this change.
548279 The /cm/autodeploy/config-install REST endpoint no longer exists; accessing it gives a 404 error.
552022 Server health-impact calculation ignores the impact of server-side connection resets for 2 minutes after a configuration change that can cause massive connection resets. This is implemented in order to avoid false attack declaration in the case of a configuration change. The configuration changes that can cause massive connection resets are: -- Adding/changing a virtual server's attached profiles: http, ssl, one connect, compression, etc. -- Changing the default pool. -- Changes in the attached default pool: load balancing method, number of pool members.
553741 Restores correct color management to WAM's image optimization feature.
556901 This change returns the FTP monitor to behavior similar to that of 11.5 and prior releases: -- An IPv4 node with monitor mode port now uses PORT rather than EPRT. -- An IPv4 node with monitor mode passive (the default) now uses PASV rather than EPSV. -- An IPv6 node with monitor mode port now actually monitors with port mode using EPRT. -- An IPv6 node with monitor mode passive is unchanged in this release.
557504 The system no longer enforces a minimal translation-port-range based on the number of TMMs on the BIG-IP system.
560405 The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:

virtual [<name>] [<ipaddr> [<port>]]

where:

<name> = name of the virtual server to redirect the connection from
<ipaddr> = target IP address of the remote endpoint to route the connection to, through the specified virtual server.
<ipaddr> can also have a route-domain (%)
<port> = port of the remote endpoint to route the connection to, through the specified virtual server

570716 The default of 'net ipsec ike-peer anonymous state' has been changed from enabled to disabled.
583631 Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.
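
The Location rewrite described for ID 402627 can be modelled in a few lines. The following Python sketch is an added illustration, not F5 code: the function names and sample addresses are constructed, and it assumes that http:// was already upgraded to https:// before the fix, that the host is still rewritten for schemes other than http/https, and that a default port is omitted from the rewritten URI.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _netloc(host, port, scheme):
    # Formatting assumption: omit the port when it is the scheme's default.
    return host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def rewrite_location(location, member, virtual, fixed=True):
    """Model of the redirect-rewrite behaviour described for ID 402627.

    member and virtual are (ip, port) tuples. fixed=False models the
    pre-fix behaviour, fixed=True the behaviour after the fix.
    """
    parts = urlsplit(location)
    scheme = parts.scheme.lower()
    if parts.hostname != member[0]:
        return location  # relative or external redirect: nothing to rewrite

    # http:// is upgraded to https:// (assumed for the pre-fix model as well).
    new_scheme = "https" if scheme == "http" else scheme
    # Pre-fix: the port is updated for http only. Post-fix: http and https.
    update_port = scheme == "http" or (fixed and scheme == "https")
    if update_port:
        netloc = _netloc(virtual[0], virtual[1], new_scheme)
    else:
        # Host replaced, original port kept. For schemes other than
        # http/https after the fix, the host rewrite is an assumption.
        netloc = virtual[0] if parts.port is None else f"{virtual[0]}:{parts.port}"
    return urlunsplit((new_scheme, netloc, parts.path, parts.query, parts.fragment))


def exposes_member(location, member, virtual):
    """True if a client-visible Location still reveals the pool member."""
    parts = urlsplit(location)
    if parts.hostname == member[0]:
        return True
    # A leftover member port is only telling if it differs from the virtual's.
    return parts.port == member[1] and member[1] != virtual[1]


# Constructed sample values (private and documentation address ranges).
MEMBER = ("10.10.10.5", 8443)
VIRTUAL = ("203.0.113.10", 443)
SAMPLES = [
    "http://10.10.10.5:8443/login",
    "https://10.10.10.5:8443/login?next=%2Fhome",
    "rtsp://10.10.10.5:8443/stream",
    "/relative/path",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        for fixed in (False, True):
            out = rewrite_location(loc, MEMBER, VIRTUAL, fixed)
            label = "after fix " if fixed else "before fix"
            print(f"{label} {loc} -> {out} "
                  f"exposed={exposes_member(out, MEMBER, VIRTUAL)}")
```

Running `exposes_member` over Location headers captured on the client side of a virtual server is a quick way to confirm, after an upgrade, that https redirects no longer carry the pool member port.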

Known issues

ID Number Description
221963 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again. This occurs when using cluster management and promoting secondary blades to the primary. You and other users might need to log on again. Workaround: None.
221973 BIG-IP system ignores a pool member's response and marks the pool member down after the configured timeout. This issue occurs when all of the following conditions are met: -- An ECV health monitor such as TCP, HTTP has been assigned to a pool or pool member (Note: HTTPS ECV monitors are implemented differently than HTTP and TCP monitors and are not affected by this issue.) -- A pool member responds after the assigned health monitor has sent three probes to it. The pool member will not be available to serve the clients' requests. For example, if the HTTP monitor is configured with an interval of 5 seconds and a timeout of 31 seconds, and the BIG-IP system receives the pool member's response after the third HTTP monitor probe has been sent, the BIG-IP system ignores the pool member's response and marks the pool member down after the timeout of 31 seconds. Workaround: To work around this issue, you can set the monitor interval to a value greater than the affected pool member's response time under the expected production load. For more information, see SOL9104: The BIG-IP system may ignore a pool member's response to health monitor probes, available here: https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9104.html.
222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated. This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client. The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points. Workaround: To work around this issue modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see SOL9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9456.html.
222184 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. This occurs if you are on the License Summary page on a partition other than Common. The system automatically returns you to the Common partition, but does not activate the Reactivate button. Workaround: The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.
222221 The BIG-IP system may fail to complete an SSL handshake. This issue occurs when all of the following conditions are met: -- The affected virtual server is processing the client SSL connection with an iRule. -- The iRule uses the TCP::close command in the CLIENTSSL_HANDSHAKE event. The TCP::close command can be used in the CLIENTSSL_HANDSHAKE event to close the client connection. For example, the iRule closes the client connection if the hostname requested by the client does not match the common name in the SSL cert. As a result of this issue, you may encounter the following symptoms: -- The client SSL connection stalls until the TCP connection is timed out by the BIG-IP system. -- The client SSL connection fails at the Change Cipher Spec Protocol during the SSL handshake. Workaround: To work around this issue, you can insert a delay with the after command for the TCP::close command. Impact of workaround: Depending on the type and volume of the connections, the after command may introduce noticeable latency. F5 recommends that you test any such changes in an appropriate environment. For more information, see SOL14037: The BIG-IP system may fail to complete an SSL handshake, available here: http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14037.html
222273 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections. Workaround: None.
222287 On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. This occurs on multi-core platforms running in CMP mode. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. Workaround: In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances, available here: http://support.f5.com/kb/en-us/solutions/public/10000/800/sol10858.
222338 Use of Cache::Disable in iRule: A 304 response to a non-conditional get. If a cached document has exceeded its life time, the BIG-IP system attempts to refresh it by issuing a conditional get to the OWS. If an HTTP_RESPONSE iRule exists and contains a Cache::Disable statement, then the OWS 304 response will be forwarded to the client. An illegal result code will be returned for some requests. Workaround: Do not disable the cache on 304 responses.
222688 -- Attempts to add files to the '/shared' filesystem will fail. -- Daemons continually restart. This can occur during some standard customer workflows that use the filesystem, such as adding new software images to '/shared/images'. Other system stresses, such as memory exhaustion, can result in coring processes, which in turn fill the '/shared' filesystem with core files. The system is unusable. Workaround: Look for things that can be removed from the shared filesystem, such as software images. Look for other system stress events, such as tmm cores, that are continuing to fill the '/shared' filesystem.
222690 The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection. For example, the following configuration illustrates the issue:

pool default_pool {
    member 10.10.10.4:80 down session disable
}
pool fail_pool {
    member 10.10.10.5:80
}
rule fail_rule {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
}
virtual vs {
    destination 10.10.10.6:80
    ip protocol tcp
    profile http tcp
    persist cookie
    pool default_pool
    rule fail_rule
}

In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client. Workaround: You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client. For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:

rule fail_rule_no_cookie_for_you {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
    when HTTP_RESPONSE {
        HTTP::cookie remove BIGipServerfail_pool
    }
}

Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers. Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding. The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.
222862 Using tmsh to configure network mirroring (also referred to as connection mirroring), the BIG-IP system erroneously allows configuration of identical primary and alternate mirroring addresses. Using tmsh to configure the BIG-IP system to use identical IP addresses for the primary and alternate mirror address settings. The BIG-IP system interleaves the two inbound data streams, processing them as if they were one. As a result, the mirroring messages become garbled, and the mirrored connection table on the standby system is not updated, as expected. If a failover occurs when the redundant system's connection table is not synchronized with the primary, connections that do not match the connection table on the standby system are dropped once it becomes active. Workaround: In 11.x or later, configure the primary and secondary mirror addresses to use different IP addresses. In 10.x, configure the self and peer alternate mirroring address settings to use different IP addresses than the configured primary mirroring address settings. In 9.x, configure the self and peer alternate mirroring address settings to use different IP addresses than the configured primary mirroring address settings. Note: F5 also recommends configuring the alternate mirror address on a separate VLAN whenever possible, to maximize the protection offered by the network mirroring feature.
223031 If you run the tcpdump utility from a B4100 blade on a VIPRION chassis containing a mix of B4100 and other blades, the process does not show packets from the other blades. This happens on a VIPRION chassis with a mix of B4100 and other blades. tcpdump does not report packets from the other blades. Workaround: To work around this issue, run the tcpdump operation from the other blade.
223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). For example: 192.168.20.100%10. "Checking configuration on local system and peer system... Peer's IP address: 192.168.20.100%10 Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution) Error: There is a problem accessing the peer system. BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect. On BIG-IP 11.x or later, the system returns an error message that appears similar to the following example: err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address 192.168.20.100%10, port 6699, Cannot assign requested address" ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. Workaround: The workaround is to not use route domains for ConfigSync operations. For more information, see SOL12089: ConfigSync operations fail when you configure a ConfigSync peer address with an explicit route domain ID, available here: http://support.f5.com/kb/en-us/solutions/public/12000/000/sol12089.html.
223421 If a disk is removed from an array, the serial number of the disk persists in the system until the drive is manually removed. This occurs on multi-disk systems. The serial number of the disk persists even after the disk is removed from the array. Workaround: There is no workaround for this issue. The serial number of the disk persists in the system until the drive is manually removed.
223426 If you apply to a virtual server a TCP profile with the MD5 signature setting enabled, the virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. This affects both client-side and server-side connections. Note that the problem does not affect TCP connections established from the BIG-IP host (for example, BGP connections). Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. However, when the MD5 signature setting is enabled, and an MD5 signature is present, the MD5 signature is validated. The MD5-configured virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. Workaround: None. For more information, see SOL12241: A virtual server with the MD5 signature setting enabled in its TCP profile does not reject or ignore non-MD5 optioned connections, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12241.html.
223542 You must delete and recreate a trunk to change its speed. This occurs when you change the speed of an existing interface in a trunk. You cannot change the speed. Workaround: You must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
223634 The Traffic Management Shell (tmsh) may not display dynamic Address Resolution Protocol (ARP) entries as expected. In BIG-IP 11.x/12.x, the show net arp Traffic Management Shell (tmsh) command displays dynamic ARP entries for all route domains. Additionally, you can display dynamic ARP entries for specific route domains by using the show arp any %route domain id command; however, you cannot specify the default route domain 0. In BIG-IP 10.x, the show net arp Traffic Management Shell (tmsh) command displays ARP entries for only the default domain. This issue occurs when you have a BIG-IP system with more than one route domain configured, and you view dynamic ARP entries using tmsh. ARP entries appear to be missing for route domains other than the default (BIG-IP 10.x). The system is unable to display only those dynamic ARP entries specific to the default route domain 0 (BIG-IP 11.x/12.x). Workaround: If you are in the tmsh utility (in 10.x or 11.x/12.x), you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run until bigpipe arp args... at the tmsh command line. For more information, see SOL12623: The Traffic Management Shell may not display dynamic ARP entries as expected, available here: http://support.f5.com/kb/en-us/solutions/public/12000/600/sol12623.html.
223651 An SSH File Transfer Protocol (SFTP) client might emit an error message containing 'Received message too long' when the user is unprivileged and may not use SFTP. This occurs when a user with insufficient privileges uses SFTP. 'Received message too long' is posted for the SFTP client when the user is unprivileged. This is a known issue with SSH. For more information, see 2.9 - sftp/scp fails at connection, but ssh is OK, available here: http://www.openssh.com/faq.html#2.9. Workaround: The user must be authorized to use SFTP/SCP.
223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show 'MS' (missing); instead, the interface status might show 'DN' (down). This occurs on a VIPRION chassis where there is no SFP in the interface socket. The interface status might show 'DN' (down). Workaround: None.
223885 If you apply a hash persistence profile to a FastL4 virtual server, the virtual server stops processing traffic. Note: The hash persist profile was extended in 10.0.0 with new options, but is no longer supported in combination with FastL4 virtual servers. In addition, when the hash persistence profile is initially applied and during each subsequent configuration load, the BIG-IP system logs messages to the /var/log/tmm file: notice hudfilter_init: 'HASH' is not a bottom-level filter. ... mcp error: 1031000 in mcpmsg_to_database. This occurs when using hash persistence profile with FastL4 virtual servers. FastL4 virtual servers stop processing traffic after a hash persistence profile is applied. Workaround: The workaround is to use universal persist instead. You can also use the TCP or UDP profile instead of FastL4. If a hash persistence profile was applied to a FastL4 virtual server, you can restore traffic by deleting and recreating the virtual server with a different virtual server name. For more information, see SOL12078: FastL4 virtual servers stop processing traffic after a hash persistence profile is applied, available here: https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12078.html.
224073 Pinging the floating self IP from the command line of the same system results in no response to the ping. The lack of a response does not indicate that the floating self IP is not working or is not responding to normal ping operations. This occurs when you ping the floating self IP from the BIG-IP system command line. This results in no response to the ping. Workaround: To work around this, issue the ping from another host in the network.
224294 SASP monitor validates timeout and interval although these values are not used by the monitor. This occurs when using SASP monitor timeout and interval. This causes certain SASP monitor configurations not to load. Workaround: None.
224372 When you are connected using the serial console to a multi-drive platform, you might see benign messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in the /var/log/kern.log file. This occurs when you are directly connected by serial console to a multi-drive system, such as the 6900, 8900, and 8950 platforms. These benign messages appear during the time a drive is rebuilding. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH. Workaround: These messages are benign, and you can safely ignore them.
224402 When you specify a custom configsync user (that is, an account other than admin), if you have specified a maximum number of password failures, the configsync account is subject to the password lockout after the specified number of failures. This occurs for configsync users when maximum password failure is set. The configsync account is subject to the password lockout after the specified number of failures. Workaround: To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect. This occurs with the dashboard and numbers that exceed 32 bits. When this occurs, dashboard values are incorrect. Workaround: There is no workaround; however, in normal operation, the values do not reach that limit.
224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This occurs when changing pluggable media. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. Workaround: None.
224665 The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group. This occurs when using VLAN groups and proxy exclusion. It results in issues for the VLAN group. Workaround: None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.
224881 On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0. Repeatedly changing management IP using front-panel. Fields on the LCD are displayed with a value of 0.0.0.0. Workaround: The correct values will be displayed after a system restart.
225358 Both units probe both gateway fail-safe pools regardless of their unit IDs. This occurs in HA configurations. Members of a redundant configuration continue to probe both gateway fail-safe pools. Workaround: Reload config via "tmsh load sys config".
225431 Disabling the LCD System Menu does not persist across restarts. This is for diagnostic purposes. This occurs when you disable the LCD display and restart the system. The LCD display setting is not saved. Workaround: To prevent access or configuration changes from the LCD Systems Menu, you can re-enable and then disable the LCD System Menu after each system restart. For more information, see SOL11363: Disabling the LCD System Menu does not persist across restarts, available here: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11363.html.
225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. This occurs when you configure the feature using a non-existent IP or a good IP that is not running TACACS+ or RADIUS, and run some tmsh commands. Entries are logged in /var/log/audit, and no error messages are logged in /var/log/ltm. Workaround: None.
226113 "When rebooting the BIG-IP 6900, 8900, 8950, 11050, and PB200 platforms, an error message may display on the system console for approximately 15 seconds. The error message will appear similar to the following examples: ACPI: Unable to locate RSDP ACPI Error: A valid RSDP was not found (20090903/tbxfroot-219)" This occurs on BIG-IP 6900, 8900, 8950, 11050, and PB200 platforms. "This message is benign and indicates that an ACPI capable kernel is booted on a system without ACPI support. Note: This message is also generated while booting to EUD versions 12.7.0 through 12.7.3. Note: The console may also display an error message that appears similar to the following example during the reboot cycle: Memory for crash kernel (0x0 to 0x0) notwithin permissible range. For information about this error message, refer to SOL11620: Error Message: err kernel: Memory for crash kernel (0x0 to 0x0) notwithin permissible range." Workaround: None.
226964 Node marked down by a monitor that is waiting for a manual resume mistakenly displays Enabled state when it is actually down. After a health monitor configured for manual resume has marked a node down, the Configuration utility incorrectly reports the node as Enabled instead of Forced Offline. This issue only affects nodes. The issue does not affect pools or pool members. Node remains disabled, but the GUI reports Enabled. Workaround: You can work around this issue by clicking the Enabled (All traffic allowed) option and clicking Update. For more information, see SOL11828: After a health monitor configured for manual resume has marked a node as down, the Configuration utility incorrectly reports that the node is still enabled, available here: http://support.f5.com/kb/en-us/solutions/public/11000/800/sol11828.html.
227281 When a full-proxy HTTP virtual server with ramcache, fallback, and deferred accept configured executes a reject command in a CLIENT_ACCEPTED event, TMM restarts. This occurs when the virtual server is configured with all of the following elements: - HTTP profile configured with Cache Setting and a fallback host. - iRule that uses the CLIENT_ACCEPTED iRule event, along with a reject statement. - The TCP profile Deferred Accept setting is enabled. If a virtual server that is configured with the previous settings receives a connection that triggers the reject iRule statement, the TMM process may restart and temporarily fail to process traffic. Workaround: To work around this, remove the fallback host statement in the HTTP profile that is used by the virtual server.
246726 A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address. When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers. Traffic is still processed. Workaround: Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8940.html
246871 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. This occurs after reactivating a license on the license summary general properties screen, and then refreshing the browser. The system prompts you to log on again. Workaround: Do not refresh the browser.
246962 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics stop increasing (assuming there is no actual IPv6 traffic). This occurs with configurations that have a monitor on a pool in a routing domain. With this configuration, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics stop increasing (assuming there is no actual IPv6 traffic). Workaround: Remove the monitor from the pool.
246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. This might occur in some Internet Explorer or Firefox browsers after changing a password. Although the user can manipulate the controls, and select different settings, the system does not accept the change. Workaround: None; however, this is a browser issue. Internet Explorer and Firefox might allow the user to see contents of change-select controls after the form has been submitted. The controls are disabled, even though it might appear that they are functional.
247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. This occurs when using non-CA-signed certificates on SIP or HTTPS monitors that communicate with servers that require CA-signed certificates. Authentication fails. Workaround: Use CA-signed certificates.
247200 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. This occurs when changing the user role while that user is logged on. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. Workaround: None, however, these messages are benign, and you can safely ignore them.
247216 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. This occurs when viewing formula definitions on the Performance statistics screen. The right side of the text is cropped, and there is no horizontal scroll bar. This is as-designed behavior. Workaround: Click the Launch button to view the full text.
247241 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) This occurs when you mount a USB thumb drive and attempt to copy large files between drives. When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: -- Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) Workaround: Create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.
247300 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure. This occurs when you use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher. This results in a handshake failure. Workaround: None.
247310 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. This occurs when the high-availability mirroring connection fails and recovers in the time between checking persistence entries. When this occurs, there might be a new persistence record and an expired record using the same key to send their respective messages. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. Workaround: None, but the possibility of encountering the issue is very rare.
247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example:

   err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
   err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
   warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!?
   warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377)
   err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
   warning httpd[3064]: [warn] long lost child came home! (pid 6239)

This occurs when you change the idle timeout in System :: Preferences. There are a number of err httpd error messages. These messages occur primarily as a result of the process restart, and you can safely ignore them. Workaround: None needed. This is a cosmetic issue.
247727 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, the properties might produce unexpected behavior. This occurs when creating or editing profiles using the all-properties option. All properties become custom; that is, profile properties no longer inherit parent settings. Workaround: Use the tmsh utility create and modify commands. When you do so, the system preserves the profile's properties inheritance.
247894 The iRule substr function cannot use a string with a number in it as a terminating character. This occurs when using iRules. The iRule converts that string to integer and incorrectly uses it as a substring length. Workaround: Do not use a string with a number in it as a terminating character.
247981 Controlling PMTU and route metrics is a global setting. However, different traffic profiles for fast L4 versus full proxy might need different settings, which is not supported. This occurs when setting different traffic profiles for fast L4 versus full proxy, specifically, setting the dbvariable tm.enforcepathmtu to disabled, and configuring an L7 virtual server containing a remote pool member with an intermediate MTU smaller than the clientside. Some traffic flows might use sub-optimal PMTU settings. Connections might fail after the maximum number of retransmissions of the segment that is too large. Workaround: None.
248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. This occurs when rolling forward the UCS fails. Remote users and administrators cannot log on to the system. Workaround: To work around the situation, log on to the system as the root user or as the admin local user.
248742 Using the command line, you can enable or disable a nonexistent interface. For example, issue 'tmsh modify /net interface [x/]y.z ...' where x is an invalid blade number and/or y.z is an invalid interface. This occurs when using the command line to enable or disable a nonexistent interface. The 'tmsh show net interface' or 'b interface show' command displays the nonexistent interface. Although the system does not make use of the interface, there is no way to delete the nonexistent interface except to manually edit bigip_base.conf. Workaround: Manually edit bigip_base.conf to remove the unintended interface.
251295 Some configured packet filter rules or rate classes may not work as expected. This issue occurs when the following condition is met: The name of an affected packet filter rule or rate class exceeds 29 characters. Note: In BIG-IP 11.x and later, the 29-character limit includes the partition name of the object. When you create a packet filter rule or rate class, the BIG-IP system does not restrict the number of characters within the object name. However, the system uses only 29 characters and does not validate the size of the name to uniquely identify the object within the system. The affected packet filter rule or rate class may not function as expected. As a result of this issue, you may encounter one or more of the following symptoms: -- BIG-IP iHealth lists Heuristic H835782 on the Diagnostics : Identified : High screen. -- The affected rate class does not function as expected. -- If there are multiple packet filter rules with the same 29 characters, any changes made to a higher-order packet filter rule will override a lower-order packet filter rule. As a result, the lower-order packet filter rule does not behave as expected. Workaround: Although there is no workaround, you can prevent this issue from occurring by renaming the affected objects with shorter names (fewer than 30 characters, including the partition name). Note: Make sure to account for the partition, which is prepended to the object's name in BIG-IP 11.x and later.
284910 The BIG-IP system may continue to generate server-side TCP connections to pool members after the associated virtual server configuration is deleted. To improve connection speeds for Performance HTTP virtual servers, the BIG-IP system primes connections to the pool members. When a client makes a connection to the virtual server, if an existing server-side flow to the pool member is idle, the BIG-IP LTM system marks the connection as non-idle and sends the client request over it. This issue occurs when all of the following conditions are met: -- The configuration contains a Performance HTTP virtual server that references the base FastHTTP profile. -- The Performance HTTP virtual server processes at least one connection before being deleted. -- The Performance HTTP virtual server configuration is removed. As a result of this issue, you may encounter the following symptoms: -- Packet traces show the BIG-IP system connecting to pool members from its non-floating self IP address. -- The BIG-IP connection table includes an entry showing the recurring connections. In the following example, the any6.any connection table entry represents the client-side IP address, and 10.11.16.221 is the BIG-IP self IP address: 'any6.any any6.any 10.11.16.221:44321 10.11.16.253:80 tcp 9 (tmm: 0)' Workaround: To work around this, you can delete the pool and restart TMM. For more information, see SOL13850: The BIG-IP system may continue to create server-side TCP connections to pool members after the associated virtual server configuration is deleted, available here: http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13850.html.
291327 Configuring a virtual server for multicast communications inside a route domain does not work. This occurs when configuring a virtual server for multicast communications inside a route domain. The resulting configuration does not work. Do not configure a virtual server for multicast communications inside a route domain. Workaround: None, but this appears to be a rare condition.
291541 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. This occurs when performing a config sync or loading a configuration containing static ARP entries targeted to the management network. When this occurs, the configuration may fail to load. An error message is logged to the /var/log/ltm file similar to the following example: '01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -101 - routing.cpp, line 883' Workaround: To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.

Procedure for BIG-IP v11.x/12.x:

1. Log in to the Traffic Management Shell (tmsh) by entering the following command: tmsh.
2. Display the list of static ARP entries configured on the BIG-IP system by typing the following command: show net arp all.
3. Identify the relevant static ARP entry.
4. Remove the relevant entry by typing the following command, where Name is the name of the address being deleted: delete net arp Name. For example: delete net arp /Common/192.168.1.1.
5. Save the change by typing the following command: save /sys config.

Procedure for BIG-IP v10.x:

1. Log in to the BIG-IP command line as the root user.
2. Display the list of static ARP entries configured on the BIG-IP system by typing the following command: bigpipe arp static list.
3. Identify the offending static ARP entry.
4. Remove the offending entry by typing the following command: bigpipe arp IP_address delete.
5. Save the change by typing the following command: bigpipe save all.

291689 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. This occurs with Weighted Least Connections (Node) and connection limits. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error. Workaround: In this release, you must use the following process to accomplish this:

1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen.
3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List.
5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.

291704 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. This occurs when you replace a copper SFP with a fiber SFP. When this occurs, the link might remain down. Workaround: From the command line, run 'bigstart restart bcm56xxd'.
291719 When the Configuration utility restarts, the system writes benign messages to catalina.out. This occurs when the Configuration utility restarts. The system writes messages to catalina.out: 'log4j:ERROR A 'org.apache.log4j.ConsoleAppender' object is not assignable to a 'org.apache.log4j.Appender' variable,' 'log4j:ERROR The class 'org.apache.log4j.Appender' was loaded by log4j:ERROR,' '[org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type,' and 'log4j:ERROR'org.apache.log4j.ConsoleAppender' was loaded by [WebappClassLoader.' Workaround: None, but these messages are benign, and you can safely ignore them.
291723 At system startup, you might see messages about unrecognized md component devices. This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. The system posts messages similar to the following: -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor. -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor. Workaround: None, but no adverse result occurs, and you can safely ignore these messages.
291742 In the ltm.log file, you might see mcpd warning messages similar to the following: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. Messages in ltm.log show issues with removing files that do not exist. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them. Workaround: None.
291756 On a multi-drive system, when you remove a drive, LED status might not reflect status correctly. This occurs when removing a drive on multi-drive systems. If the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. Workaround: None, but this is a cosmetic issue only, and has no effect on functionality.
291761 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. This occurs only on a new installation when using the Firefox browser. When this occurs, the Configuration utility posts the message 'Please wait while this BIG-IP device reboots, shutting down device.' This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. Workaround: Although there is no specific workaround, the issue happens only when doing a fresh install using the Firefox browser. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.
291784 If you set the import save value to 1 (one) and import a single configuration file (SCF), the import operation stops. This occurs when setting the import save value to 1. After initiating the SCF import, the import operation halts and does not resume. Workaround: To work around this issue, set the import save value to 2 or more. Note that the default value is 2.
291786 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. This occurs when you add a domain using the domaintool, which sets it as the default, and then remove the domain using the domaintool. The deleted domain is still defined as the default in krb5.conf. Workaround: To work around this issue, change the default to a different domain before the delete operation.
333340 Monitors that are monitoring pool members using the IPv6 link local address are marked down. This occurs when pointing the monitor at the pool member's link local IPv6 address (FE80::/10 prefix). The monitor fails to connect to the pool member, so the pool member will never be marked up. Workaround: You can avoid this issue by not configuring nodes or pool members using IPv6 link-local unicast addresses; instead use IPv6 global unicast addresses or IPv6 unique local unicast addresses.
336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to 'failed' while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to 'replicating', as expected. This occurs when installing to a control plane that doesn't exist yet, for example, in the middle of replication. The array status shows 'failed'. Workaround: None.
337934 Remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. This could also happen with an attribute that ends in 'deny' and has a deny directive. This occurs with remoterole attributes ending in 'role', and may also happen with attributes ending in 'deny'. Parsing truncates attributes. Workaround: None.
338426 Clusterd can core on shutdown under certain circumstances. This occurs with vCMP, and only happens when clusterd is shutting down. When this occurs, clusterd can assert. Workaround: None, but clusterd has taken care of all notifications to other system components, so the core can be safely ignored.
342319 When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the recursion option is set to no and the forward option is not set. The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. This issue may cause some DNS queries that are sent to the BIG-IP system to fail. Workaround: You can work around this issue by setting the recursion and forward options. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html.
342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a NULL username-password. This occurs when the username and password have not been configured for a RADIUS accounting monitor. The system attempts to connect with a NULL username-password. Workaround: Configure the username and password for the RADIUS accounting monitor before attempting a connection.
342423 The statsd process computes the value for system-wide CPU usage using a formula: process 'A' CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PB100 blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, even for the 5-second window, it is possible that the average might be calculated incorrectly. This occurs when calculating average system-wide CPU usage when a blade drops out. For example: -- From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. -- At time5, one of the blades drops out. -- The calculation to compute CPU and system usage happens at this time. -- Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. Workaround: None. However, this is a small difference. Although blades going down should not happen often, when it does happen, it is only the first 5-second system-wide average that is affected. The next average will be correct.
344226 Trying to create a CRLDP server using a name that already exists fails. The resulting error message does not indicate the problem. This occurs when creating a CRLDP server using a name that already exists. The operation fails with the message 'An error has occurred while trying to process your request.' The more accurate message that says 'The requested CRLDP server ('crldp_server_name') already exists in 'partition_name'.' does not get displayed. Workaround: Try creating a CRLDP server with another name, if the system posts the message: 'An error has occurred while trying to process your request.'
345092 When a RAID system is booting, the system posts the message: Press 'CTRL-I'; to enter Configuration Utility... This occurs on RAID systems during boot. Pressing Ctrl-I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Workaround: Instead, you can configure RAID parameters through TMOS.
348431 If you cancel a qkview when it is being generated via the GUI, a zero-byte sized qkview will be created. Subsequent attempts will still generate a zero-byte qkview (even when deleting the previous qkview). Canceling qkview generation via the GUI does not stop the qkview process; until it's finished or killed, qkviews will have size zero. This occurs when you cancel a qkview while it is being generated via the GUI and immediately regenerate a qkview via the GUI. This results in confusion and the inability to generate a qkview. Workaround: Wait until the qkview process has finished, or kill the process and regenerate. Removing the lock file (# rm /shared/tmp/.qkview_lock) will also allow it to work, but having 2 processes overwriting each other's temp files is not recommended.
349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtual servers. This occurs when using the Ratio Least Connections load balancing method. The method does not perform correctly with 'Performance (Layer 4)' virtual servers. Workaround: None.
349629 The error is usually similar to: 01070257:3: Requested VLAN member (1/2.1) is currently a trunk member Unexpected Error: Loading configuration process failed. Changes to vlan/trunk/port may cause UCS load to fail. Config will fail to load. Workaround: None.
351934 Booting with SSD installed, you will be able to see the SSD sled activity light blinking while the other spinning media sleds do not. This happens when booting with SSDs installed. SSD tray blinks while booting. Workaround: None, but this is cosmetic behavior.
352560 Proxy SSL is incompatible with persistence profiles. This occurs with persistence profiles and Proxy SSL. The result does not work. Workaround: None, but persistence profiles and Proxy SSL should not exist on the same virtual server.
352840 When using partition default route domains, an attempt to load a previously saved configuration which had a different default route domain on a VIPRION may result in the secondary daemons restarting. This occurs when you load a configuration with a different default route domain to the previously saved one on a VIPRION. The secondary daemons restart. Workaround: To work around this, load the default configuration before loading a config that has a different default route domain on any partition.
353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. This occurs when using the FastL4 profile with PVA in 'Assisted' mode. LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected. Workaround: None.
353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found. This occurs in TMSH, if the 'name' option is omitted. This only occurs in TMSH. Adding devices in the GUI does not result in an error. The system posts the error: 'The requested device (10.10.20.30) was not found.' Workaround: This error actually indicates the 'name' parameter was not specified in the command. The message does not indicate that there is a connectivity issue to the device being added to the domain.
354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. This occurs with VLAN groups created before the associated route domain. In this case, opaque mode does not work. Workaround: To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm.
354518 Some BIG-IP blades and appliances use an RJ-45 type connector for the Serial Console port, which can be confused with an Ethernet port. If you accidentally connect an active Ethernet cable to the Serial Console port on certain BIG-IP platforms, you will likely see garbled content on the serial terminal. The following BIG-IP platforms use an RJ45-type connector for the Console port, and implement automatic baud-rate detection to attempt to synchronize the serial console port with the serial terminal that is connected to it: - VIPRION B2100 blade - BIG-IP 2000-series appliances - BIG-IP 5000-series appliances - BIG-IP 7000-series appliances - BIG-IP 10000-series appliances. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port's baud rate to match the terminal's baud rate. Workaround: To synchronize AOM and terminal baud rates:

1. Issue a break (using the <BREAK> key on the keyboard).
2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600).
3. When the baud rates are synchronized, the following prompt appears: Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.

355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. This occurs when configuring PVA acceleration on a platform without PVA present. No acceleration can occur, because the platform does not support it. Workaround: None, but the setting has no actual effect and is harmless.
355564 The error message 'The requested unknown (/Common/traffic-group-1/Common/bigip1) was not found.' might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation. Configuration is new or has been set to defaults. The error message appears in the log during the device name change. There is no impact, as the message appears due to the device name changing. Workaround: None.
355616 LTM virtual-address objects are only shown in tmsh list output when specifically requested, as in 'list ltm virtual-address', not in commands such as 'list ltm'. This occurs when running the command: tmsh ltm. Virtual-address objects are not shown. This is expected behavior. Workaround: Use the command: list ltm virtual-address.
356485 The command 'tmsh list ltm' displays a used pool twice, once with its members, once with pool properties. This occurs when running the command 'tmsh list ltm'. Displays the used pool twice. Workaround: To work around this, use the command 'tmsh list ltm pool' instead.
356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell. If the system is already in this state, run the fg command, and then exit imish. This occurs when invoking imish from tmsh and pressing Ctrl + Z. sshd and imishd start consuming CPU until the imish shell times out. Workaround: None, but suspending tmsh is not recommended behavior.
357656 When you use bigstart restart to restart all daemons on a guest on VIPRION platforms, the system logs a benign ltm log message. This occurs when restarting all daemons on a guest on VIPRION platforms. The system logs the message: notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&). Workaround: None, but this is a benign message and you can safely ignore it.
358063 If you issue the command 'restart sys service all' from the tmsh shell, the next command you issue results in the error message: 'The connection to mcpd has been lost, try again.' This occurs when restarting services. The connection to mcpd is lost when mcpd is stopped and restarted. A message indicating the lost connection is expected behavior. Workaround: Try the command again.
358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. This occurs when syncing two devices that have different provisioned modules. The two devices are out of sync and cannot recover in this situation. Workaround: For sync to occur correctly, both devices must have the same provisioning.
358191 If the user resets device trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached. This occurs in a trust configuration. Resetting a device name has no effect on other devices in the trust configuration. Workaround: None. This is as-designed behavior.
358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the 'shared' portion. This occurs when attempting to load a UCS file that was created on a different device. Cannot load UCS files created on a different device. Workaround: None.
359393 To be compliant with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported by encrypting them with the master key on the FIPS card. This occurs when the master key on the FIPS card has changed since the keys were exported. In this case, it is not possible to import the keys back into the card. Workaround: None.
359491 When a system's hostname is set by the user via the tmsh setting 'modify sys global-settings hostname new-hostname.example.com', only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command 'list cm device name-of-device hostname' would have the hostname 'new-hostname.example.com' on the local machine and 'old-hostname.example.com' on other machines in the trust domain. Update or set the hostname using tmsh. Log in to another host in the trust domain and check the first hostname. The hostname returned for a remote host in a trust domain does not match the host name defined on that host locally if set using tmsh. Workaround: The 'cm device hostname' property of devices is cosmetic, so this is harmless. Modifying an object in the trust will cause it to sync. For example, 'tmsh modify cm device <name> description <description>' will trigger a sync and update the hostname.
360047 If two headers with the same key exist in an HTTP request or response, RAM cache will look at only one of them. Two Cache-Control headers with the same key exist in a response. If a web application fails to combine the bodies of two headers of the same key, the meta-data meaningful to RAM cache will not be complete, or may not impact cache processing as expected. In the case where the meta-data semantics are mutually exclusive, only the application designer can know how to resolve the inconsistencies. Workaround: Use an iRule to combine the contents of headers into a meaningful semantic, where those headers have the same key value.
360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. This occurs when running the iControl method System.Statistics.reset_all_statistics(). Does not reset iStats. Workaround: To work around this, do the following: 1. bigstart stop. 2. Remove all files (not directories) in /var/tmstat2. 3. bigstart start.
360134 6400, 6800, 8400, and 8800 platforms with Cavium NITROX Federal Information Processing Standards (FIPS) cards do not support secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail when SSL secure renegotiation is negotiated. This occurs on the 6400, 6800, 8400, and 8800 platforms with FIPS cards using secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail. Workaround: You can work around this by disabling SSL renegotiation or RC4 ciphers. Platforms with Cavium NITROX-PX FIPS cards are unaffected.
360485 Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. Lasthop pool configured. Inaccurate node stats. Workaround: None.
360530 If a lasthop pool is in use for mirrored traffic, connections mirrored to the standby will not be processed if the lasthop pool's IP address is unresolved by ARP/NDP. Connection mirroring, lasthop pool (disabled autolasthop). Affected flows will not resume on the standby after failover. Workaround: Add a monitor to the lasthop pool so its IP address is resolved before connections arrive.
360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. FIPS 140 key handling. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Workaround: Manually delete keys using the following command: tmsh delete sys crypto fips by-handle. List key handles using the following command: tmsh show sys crypto fips.
361036 When the AOM powers down the Host for cause (for example, over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Occurs when the Host is powered off for cause. Because of this, some log messages sent from the AOM to the Host might be lost. Workaround: None.
361181 You can run the command 'fipsutil -f init' to force re-initializing the FIPS card or 'fipsutil reset' to reset the FIPS card. Both these operations delete all the keys in the card. However, issuing the command does not delete the BIG-IP configuration objects representing those keys. It also does not modify SSL profiles utilizing those keys. When there are BIG-IP configuration objects referencing such FIPS keys, these operations result in the failure to load configuration on reboot. This occurs when running the command 'fipsutil reset' or 'fipsutil -f init' and when BIG-IP has configuration objects referencing keys on the FIPS card. The system posts messages similar to the following: 'notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/fipspartition) from key file.) - sys/validation/FileObject.cpp, line 4714. ', 'err tmsh[6948]: 01420006:3: Loading configuration process failed. ' Workaround: To avoid this situation, delete the FIPS keys and remove the usage from profiles before resetting or re-initializing the FIPS device. If the system gets into the failure condition, you can recover by completing this procedure:

1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key.
2. Delete the key from /config/ssl/ssl.cavfips
3. Find and delete the key from filestore/files_d/partition-name/certificate_key_d/
4. Run 'tmsh load sys config partitions all' to make sure the config loads. After this point, the config should load without issue after a reboot.
361470 An error message is posted when a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname. This occurs when entering invalid IPv4 or IPv6 numbering or a hostname in tmsh. The system posts an error message similar to the following: 'The requested virtual address (/PATH/ADDRESS) was not found.' Workaround: None.
362225 Disabling connection queuing via "tmsh edit" while connections are queued causes the queued connections to become stuck. This occurs when using tmsh edit while connections are queued. Queued connections become stuck. Workaround: Use the tmsh modify command instead of edit.
362874 A misleading Upgrading Device Trust banner can appear in the GUI. The banner indicates that the device is waiting for its peer to be contacted. This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.x/12.x, but its peer device cannot be contacted. After upgrading, the GUI might post the following message for several hours: 'Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed.' Workaround: If the peer device is no longer in use, the following workaround should be used to remove the banner message: * Set the trust.configupdatedone db variable to 'true'. * Set the failover.isredundant db variable to 'false'. * Restart devmgmtd. * Reset trust.
363216 A virtual server might indicate 'vlans-disabled', but does not include a list of which ones are disabled if that list is empty. The tmsh list command does not indicate that a VLAN is disabled. This can be seen only in the GUI. This occurs when you add a VLAN to a virtual server. The default setting is disabled. For example, this means that the virtual server is disabled for no VLAN entries, which is the default setting:

ltm virtual sample_vs {
    destination any:any
    profiles {
        fastL4 { }
    }
    vlans-disabled
}

Silently disables the VLAN added to a virtual server. Workaround: Running the command 'list ltm virtual all-properties' indicates whether the VLAN is enabled or disabled.
363541 You can create an 'and' rule for the default node monitor that includes the monitor '/Common/none'. This occurs with the none monitor. When this occurs, the state of the node is not reported correctly, and it is inconsistent among devices in a traffic group. Workaround: None.
363912 On rare occasions, when there are no monitors assigned as the default node monitor, an entry 'none' may appear in the Active select box on the 'Default Monitor' page in the Configuration utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP system operates as such. This occurs because tmsh allows /Common/none for the default-node-monitor. The GUI displays correctly, but 'none' is not in the GUI by default. Workaround: None. This is a cosmetic issue that has no impact on system functionality.
364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service. This occurs with users with the app_editor role. App_editors cannot add pool members unless the node already exists. Workaround: There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create/manage the node address prior to using add_member.
364588 Running the show command from /Common to display a pool in another partition does not show all of the information. This occurs when you run the show command from the /Common partition to display the details of a pool in another partition. The monitor instance line is missing. Workaround: To work around this, navigate to the partition first. Then the show command presents the expected results.
364717 There is an issue when using the node-port option with the delete command for persistence persist-records. This occurs when using the delete command to delete persistence records on a nonexistent port. The system deletes all the persist table entries irrespective of the port specified. In addition, the show command with nonexistent port displays all the entries irrespective of the port specified. Workaround: None, except to ensure that the port exists before deleting the persist table entries.
365395 SNMP traps are not being sent for some temperature sensor alerts on BIG-IP 6900 and BIG-IP 89xx platforms. BIG-IP 6900 and BIG-IP 89xx platforms. No SNMP alerts when thresholds are crossed. Workaround:
365555 The DES ciphers have been deprecated for TLS v1.2, but TMM is including them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 is trying to deprecate them and move to higher standards. Workaround: None. F5 recommends that you do not use these ciphers.
365756 During the load of an invalid SCF file, once an error occurs, the user is left in the administrative partition folder where the error occurred. If the user attempts a second load, the system posts an error: 'Data Input Error: 01070734:3: Configuration error: Invalid mcpd context, folder not found'. This occurs when loading an invalid SCF file. The system changes the active directory to the folder that has the error. Workaround: Fix the SCF file, changing the directory/context to /Common and attempt to reload.
365757 Mixed mode is presented as an option for extra disks. When trying to change the mode for logical disks, the system presents all options in the GUI and tmsh, even those that are not valid. When applied, this configuration option presents an error message: '01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.' Workaround: Only None and Datastor are functional modes for extra disks.
365767 Using the 'verify' or 'from-terminal verify' option in tmsh when loading an .scf file on a VIPRION system causes mcpd to restart. Load .scf file using tmsh on a VIPRION platform. mcpd restarts. Workaround: To work around this issue, do not use the verify option on VIPRION.
366060 There is an issue that is rarely encountered in FTP mirroring. FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range. Workaround: None.
366193 Very long URI strings may cause delays in processing. When a URI exceeds an average size, the system may slow down as it attempts to handle an excessively long string. Some processing delays. Workaround: This can be mitigated in application design, but there is no solution for existing applications that use excessively long URIs.
367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value. This occurs on appliance-based systems when running the command. The Registration Key field contains a -- value. Workaround: There is no workaround, but this field is designed only for chassis-based systems, so you can ignore the value.
367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This occurs when running this command on hardware other than VIPRION chassis. Blank Registration Key field. Workaround: This is by design; this field is intended for VIPRION chassis only.
367714 When accessing the serial console on some BIG-IP platforms, if the baud rate is changed repeatedly on the serial client, the serial console port may cease functioning. In this case, a reboot of the BIG-IP system is required to restore serial console functionality. This problem is known to occur on BIG-IP 6900 appliances, and may also occur on BIG-IP 1600, 3600, 3900, 8900, 8950, 11000 and 11050 appliances. This problem has been observed to occur more frequently when connecting to the BIG-IP serial console from a client using a USB-to-Serial adapter. Different makes and models of USB-to-Serial adapters do not perform identically. The serial console interface to the affected BIG-IP system is lost. A reboot of the BIG-IP system is required to restore serial console functionality. Workaround: The BIG-IP system can be accessed via the management IP address, or by the AOM management IP address if so configured. For more information, see SOL13331: The BIG-IP serial console port may lock up when the terminal emulator is configured with a mismatched baud rate, available at http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13331.html.
367996 Chunked HTTP responses might not be unchunked before they are compressed and forwarded to the client. This issue occurs when the following conditions are met: - The NTLM and OneConnect profiles are applied to a virtual server. - HTTP compression is enabled on the virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server. Client connections might fail. Workaround: To work around this issue, you can either modify the type of response chunking or disable compression. For more information, see SOL14030: The BIG-IP system may fail to unchunk server response when compression is enabled, available here: https://support.f5.com/kb/en-us/solutions/public/14000/000/sol14030.html.
368888 The system allows you to create a virtual server (which creates the virtual address) in traffic-group 2 and a SNAT translation IP in traffic-group 1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic-groups were not active on the same unit. This occurs with multiple traffic groups and SNAT translation tables. This configuration might cause asymmetric routes. Workaround: To work around this, only perform this type of configuration when two traffic groups are active on the same unit.
369352 When logged in as a resource administrator, "load sys config default", which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt. Log in as a resource administrator and run "load sys config default"; the restore begins without a verification prompt. System restore initiated without prompt when run as a resource administrator. Workaround: None.
371164 Since traffic groups are not bound to any specific VLAN, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface. Since the MAC is bound to the traffic group, it is not bound to a particular VLAN either. Using MAC masquerade addresses on VLANs. TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs. For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.

Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}

Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, there are some switches that might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4. Workaround: Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.
371647 When using the F5 Advanced Client Authentication (ACA) module's Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. Using Kerberos authentication in ACA. When using ACA Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. Note: This does not apply to APM authentication. Workaround: Manually add the iRule _sys_auth_krbdelegate.
372209 When the certificate used to verify a signed iRule expires, the iRule verification status still remains 'Verified' as long as the certificate exists on the device. This occurs when an expired certificate that was used to sign an iRule still exists on the system. The iRule status remains 'Verified', even though the certificate is expired. Workaround: To avoid the misleading status, the signature for iRules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line).
372706 For most categories of functionality, the web-based graphical user interface for BIG-IP systems provides a convenient selection of search and filter fields. However, the screens for some functions lack these fields. Searching for/filtering the following fields in the GUI: iRule, iFile, data group, SNAT, NAT. Work of network administrators is slowed down and/or made more difficult. Workaround: None. This is a request for additional functionality.
374109 The radvd config is not migrated to tmsh syntax during a UCS restore. Performing a UCS restore. radvd config is not migrated to tmsh syntax. Workaround: Create the config manually with tmsh.
374333 When the rate of new connections (CPS) is extremely low, observed/predictive load balancing can perform uneven connection distribution across pool members. Configure a pool using predictive or observed load balancing methods. Uneven connection distribution across pool. Workaround: None.
375207 On rare occasions, tmsh writes an innocuous error message to /var/log/ltm based on a query to mcpd. Here is one case that issues the message: In tmsh, type the command 'generate sys icall event', and then press the tab key. The following error is posted: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID. Workaround: None, but this message is innocuous and can be safely ignored.
375434 An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200N blades. The system posts error messages similar to the following: -- 'Device error: hsb interface 3 soft resetting due to transmitter failure'. -- 'Interface 0.3: link is down'. -- 'hsb interface 2 disable tx ring 0 timed out'. Workaround: None.
376166 QSFP+ module ports do not allow a media capability setting of 1 GbE. This occurs when setting the media capability of the 10 GbE port to 1 GbE. This action fails to turn the 'link-up' LED to amber; the LED remains green. Workaround: None. This action is not supported on this port.
376380 The TMM may crash if HTTP::respond is invoked within the LB_FAILED iRule event. An iRule that uses HTTP::respond within the LB_FAILED event. A TMM crash. Workaround:
376447 If a VLAN group member is used in the configuration of another object, an error may result. It should not be possible to add that VLAN directly to a route domain since it is part of a group; however, if you create a new route domain, the VLAN appears. Attempting to add that VLAN results in the error. This occurs when using tmsh or iControl and the VLAN group feature. The system posts an error similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. Workaround: To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary).
377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. This occurs when using baud other than 9600 or 19200 on VIPRION systems. You can select other baud rates, but they do not work. Workaround: None. VIPRION B4300 blades only support 9600 and 19200 baud.
378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command 'tmsh mod sys console baud-rate 38400,' but can be set using the AOM Command Menu. After setting to 38400 via the AOM Command Menu you can use the tmsh command to see that the baud rate has been set to 38400. This occurs on the B2100 blade on a VIPRION 2400. Cannot use tmsh to set baud rate to 38400. Workaround: Use AOM to set baud rate to 38400.
378967 Users in partitions attached to sync-only device groups do not sync to other devices in that device group. There are users whose active partitions are attached to a sync-only device group. This affects sync-only device groups only, not the failover device group. Workaround: None.
379002 MSRDP persistence fails when pool members are in route domains, causing the pool's load-balancing mechanism to be used instead. A configuration with route domains and MSRDP persistence. Connections will be load-balanced in perpetuity. Workaround: Do not use route domains if possible.
380047 Listing objects that exist in partitions other than /Common shows no results. This occurs when you are in the /Common partition and you attempt to list objects that exist in another partition, for example, running the command 'list ltm profile ntlm my_subfolder/my_ntlm_profile' when /Common is the active partition. Listing certain objects in subfolders of the current folder (e.g., 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. Workaround: As a workaround, you can change into the partition ('cd my_partition') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
380415 TMM CPU utilization statistics reported by sFlow or by running 'tmsh show sys tmm-info' are less than actual TMM CPU utilization. This occurs when using sFlow or by running 'tmsh show sys tmm-info' to report TMM CPU utilization statistics. The values reported are less than actual TMM CPU utilization. Workaround: TMM CPU utilization stats can be found by running 'tmsh show sys proc-info tmm'.
381100 You may see entries coming in one at a time while an iRule is running. Using internal datagroup in an iRule. iRule operates incorrectly. Workaround: Use an external datagroup instead of an internal datagroup.
381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. This occurs when using more than 10 sFlow receivers. Slower system performance. Workaround: None. This configuration is not recommended.
381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition; e.g. /Common/pool1. This occurs when using these commands inside a partition. Tab completion from inside a partition causes the partition name to be omitted. Workaround: To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition.
382040 Config sync fails after changing an IP address of a pool member with a node name. The IP address change is achieved by deleting the pool member and node, then recreating the pool member/node. This issue occurs when the following steps are followed. 1. Delete an existing pool member that has a node name set. 2. Recreate the pool member with a different IP address using the same node name before syncing the config. 3. Sync the configuration.

ltm pool ip_mod_pl {
    members {
        ip_mod2_nd:http {
            address 10.168.1.4
        }
        ip_mod_nd:http {
            address 10.168.1.1
        }
    }
}

ltm node ip_mod2_nd {
    address 10.168.1.4
}

tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http}
tmsh delete ltm node ip_mod2_nd
tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address 10.168.1.5 }}
tmsh run cm config-sync to-group S48-S49

On versions 11.4.0 and later, the issue happens only if a full load is performed. Note that full loads may still complete successfully on occasion, even if full-load-on-sync is false for the device group. Config sync fails. Workaround: Delete the pool member and node on the peer, then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
382363 The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool. A pool's min-up-members is 0 when gateway-failsafe-device is set. Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash. Workaround: Set min-up-members greater than 0 when using gateway-failsafe-device.
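A pre-sync check for the two pool issues above (IDs 382040 and 382363), as an added example that is not F5 code: it parses the multi-line stanza layout shown in the note and reports node names whose address differs between the local and peer configurations, and pools that set gateway-failsafe-device while min-up-members is 0. The function names, the gw_pool stanza and the treatment of an absent min-up-members as 0 are assumptions; the sample configurations are constructed from the note's own example.

```python
# Added example: pre-sync lint for IDs 382040 and 382363 (not F5 code).

def parse_tmsh(text):
    """Parse multi-line tmsh stanzas ('name {' ... '}') into nested dicts."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed '{' at end of input")
    return root


def pools(config):
    """Yield (pool_name, body) for every 'ltm pool' stanza."""
    for stanza, body in config.items():
        if stanza.startswith("ltm pool ") and isinstance(body, dict):
            yield stanza.split()[-1], body


def named_member_addresses(config):
    """Map node name -> address for pool members that carry a node name."""
    result = {}
    for _, body in pools(config):
        members = body.get("members")
        if not isinstance(members, dict):
            continue
        for member, props in members.items():
            node_name = member.rsplit(":", 1)[0]
            address = props.get("address") if isinstance(props, dict) else None
            # A member keyed by its own address has no separate node name,
            # and the note says such members are not affected.
            if address and node_name != address:
                result[node_name] = address
    return result


def changed_named_members(local_text, peer_text):
    """ID 382040: (name, peer_address, local_address) for reused node names."""
    local = named_member_addresses(parse_tmsh(local_text))
    peer = named_member_addresses(parse_tmsh(peer_text))
    return sorted(
        (name, peer[name], local[name])
        for name in local.keys() & peer.keys()
        if local[name] != peer[name]
    )


def failsafe_without_min_up(text):
    """ID 382363: pools with gateway-failsafe-device set and min-up-members 0."""
    flagged = []
    for name, body in pools(parse_tmsh(text)):
        device = body.get("gateway-failsafe-device", "none")
        # Assumption: an absent min-up-members line means the value is 0.
        min_up = int(body.get("min-up-members", "0"))
        if device != "none" and min_up <= 0:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample: the peer still holds the configuration from the note.
PEER_CONFIG = """
ltm pool ip_mod_pl {
    members {
        ip_mod2_nd:http {
            address 10.168.1.4
        }
        ip_mod_nd:http {
            address 10.168.1.1
        }
    }
}
ltm node ip_mod2_nd {
    address 10.168.1.4
}
"""

# Constructed sample: local device after the delete/re-add steps, plus a
# hypothetical gateway pool that reproduces the ID 382363 condition.
LOCAL_CONFIG = PEER_CONFIG.replace("10.168.1.4", "10.168.1.5") + """
ltm pool gw_pool {
    gateway-failsafe-device bigip1.example.com
    members {
        10.168.2.1:any {
            address 10.168.2.1
        }
    }
    min-up-members 0
}
"""

if __name__ == "__main__":
    for name, old, new in changed_named_members(LOCAL_CONFIG, PEER_CONFIG):
        print(f"382040: delete node {name} ({old}) on the peer before sync; local is {new}")
    for name in failsafe_without_min_up(LOCAL_CONFIG):
        print(f"382363: pool {name} needs min-up-members greater than 0")
```

Single-line forms such as `members { }` are stored as plain values rather than blocks, so export the configuration in the multi-line layout before running the check.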
382613 On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays solid yellow when at 10 MB. VIPRION 4400 chassis containing B4100 blades. The Speed LED stays solid yellow. Workaround: This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow.
383128 While upgrading or booting between versions on the VIPRION B2400, B4200N, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. This occurs when upgrading or booting between versions on VIPRION blades. Firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. Workaround: None.
383442 If a packet is split into multiple fragments and the matching part of the tcpdump filter is in a later fragment, it does not match. This occurs on multi-fragment packets. The tcpdump packets do not match. Workaround: None.
384717 While running 'tmsh /cm watch-trafficgroup-device', if devices in the device group change, 'watch-trafficgroup-device' can sometimes become non-responsive. This occurs while viewing 'watch-trafficgroup-device' if devices in the device group change. The 'watch-trafficgroup-device' can sometimes become non-responsive. Workaround: Exit the tool with CTRL-C and restart it after the device group membership stops changing.
384993 A FastL4 virtual server does not always return from suspending commands. This occurs when using a suspending iRule command in CLIENT_DATA in FastL4. If an 'after' command is executed, it does not return until the connection times out. This is most noticeable in a DNS configuration. Workaround: Do not include parking commands in CLIENT_DATA in FastL4.
385243 An iRule configured with HSL::open will cause the virtual server to which it's attached to be marked as green (up), even if there are no available pool members. iRule attached to a virtual server that contains HSL::open as the first command. Connections are reset if the pool contains no members. Workaround: In your iRule, instead of configuring HSL::open like the following:

when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool My_HSL_Pool]
}

Set a variable before calling HSL::open:

when CLIENT_ACCEPTED {
    set mypool My_HSL_Pool
    set hsl [HSL::open -proto UDP -pool $mypool]
}

The pool's status will then be properly propagated to the virtual server status.
385825 The CMI watch-* scripts (such as watch-devicegroup-device, watch-sys-device, watch-trafficgroup-device) should not be allowed to run indefinitely as they may adversely affect performance of the unit after a few hours. Run a CMI watch script for an extended period, for example: 'tmsh run cm watch-devicegroup-device'. Might cause processes to fail, or a unit to failover or unexpectedly reboot when non-tmm memory is exhausted. Workaround: Do not allow CMI watch-* scripts (such as watch-devicegroup-device) to run indefinitely. Problems typically occur after a few hours, so the issue might not occur if you keep the run to less than an hour.
385915 When using the tmsh command 'list net interface all lldp-tlvmap' to display the lldp-tlvmap values, you might see values that deviate from the default of 130943 (for example, 114552). This issue occurs when Link Layer Discovery Protocol (LLDP) is enabled and you use the BIG-IP Configuration utility to manually update the properties of a BIG-IP interface. This issue occurs when unused bits in the Type, Length, Value (TLV) bitmask are incorrectly set. None. This issue is purely cosmetic. Workaround: Manually modify the value as needed.
386778 IPsec in HA deployment cannot use anonymous ike-peer. This occurs when using IPsec in an HA configuration. The tunnel is not created. Workaround: - Create a new ike-peer with the required remote IP field holding the remote peer's IP address. - If using RSA (the default) uncheck the verify certificate field (not required when using PSK). - Change the presented ID and verified ID fields to 'address'.
387106 Ramcache statistics are associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile are reflected in the ramcache statistics for that virtual server. This occurs in reporting ramcache statistics. System reports statistics for only one virtual server per profile. Workaround: The workaround is to create a copy of the profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary.
387448 Monitoring device group status from a device from outside the group might return an incorrect status. When monitoring device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' Workaround: View the sync status from a device in the device group.
388098 Running dmesg can report hda cable detect errors. This occurs when running dmesg. dmesg might display a message similar to the following: 'localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33'. Workaround: None. This is expected and does not indicate any problem with the hardware or software.
389397 On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on. This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable. The power supplies in the system that are not turned on might log error messages until power is removed. Workaround: Remove power on disabled power supplies.
390089 Multiple MSSQL monitors on a single node might cause state flapping. Multiple, different SQL monitors on the same pool member/node. May cause node flapping, potentially indicating that a server is down when the server is actually up. Workaround: Use a single monitor. Adjusting the interval might help if there are only two or three SQL monitors on a node, but if there are more, adjusting the interval likely has no effect.
390195 Tmsh 'list auth partition' command shows partitions the user has no access to. User with tmsh access and limited partition access. User can see a list of all partitions on the system, possible confusion about which ones they have access to. Workaround: None.
390764 A BFD session might not show the correct session 'Up Time' value in the BFD session information returned using the IMI shell command 'show bfd session detail'. This occurs when any BFD session parameter is modified through imish. BFD Session 'Up-time' is reset when BFD configuration is modified. There is no functional impact, only diagnostic. The BFD session appears to have reset when it has not. Workaround: None.
392085 On a standalone BIG-IP system, on the properties screen for Device Management, the Force to Standby button might become available. Since this is a standalone unit and there is no active-standby configuration, this button is not valid and it should not be clicked. This occurs on a standalone BIG-IP system. The Force to Standby button might become available, even though it is not valid. Workaround: None.
395148 When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted. This occurs when changing the baud rate using the AOM command menu. The incorrect baud rate might be shown. Workaround: Restart fpdd using the command 'bigstart restart fpdd'.
395269 Reapplying a template to reconfigure an Application Service Object deletes any firewall rules that have been created through the Security screen. This occurs when reconfiguring an iApp. Firewall rules are deleted. Workaround: To retain a set of firewall rules, include creation of the desired firewall rules in the template itself.
395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. This occurs on the BIG-IP 4000. Ethernet devices do not get renamed. Workaround: To work around this issue, reboot the device.
396273 When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update. This can occur when 'lspci -vvv' is executed. This is a benign message, and you can safely ignore it. Workaround: There is no workaround, but this is not a functional issue.
396293 SNAT bounceback does not work when the non-default CMP hash is used on a VLAN carrying that kind of traffic. This occurs with SNAT bounceback using non-default CMP hash. SNAT bounceback does not work. Workaround: None.
396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms. This can occur on the 2000/4000 series platforms. A kernel panic can occur. Workaround: The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.
398947 It is possible that the text 'serial8250: too much work for irq4' may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. The system might post the text 'serial8250: too much work for irq4' on the host serial console. Workaround: None. No character loss on the console has been observed when this condition is encountered.
399073 You might encounter the error 'err ntpd[5766]: Frequency format error in /var/lib/ntp/drift' in /var/log/daemon.log once after boot. This occurs after boot. The system posts the error: err ntpd[5766]: Frequency format error in /var/lib/ntp/drift. Workaround: None. This message indicates an innocuous condition.
399470 Switch based platforms incorrectly identify Fiber Channel SFP modules. This occurs on switch based platforms. The platform incorrectly identifies the Fiber Channel SFP. Workaround: None. Switch based platforms do not support Fiber Channel SFP modules.
400078 When removing a pluggable module from some specific ports on 4300/4340N blades or on the 10000 and 12000 series platforms, it is possible for the adjoining ports to lose link briefly. For example, this might occur when removing a pluggable module from the 4300 blade's ports 1.1 or 1.5. When this occurs, it may cause established link on ports 1.2 or 1.6 respectively, to drop briefly. Workaround: None.
400584 An lsn-pool object can be created without any member prefix; however, it will not function for translation until prefixes are added. lsn-pool without any member prefix. An lsn-pool without any member prefix will not perform translation. Workaround: Add prefixes to the lsn-pool.
402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for completing this operation. This occurs when using the setup wizard. Establishing device trust group fails. Workaround: To facilitate this, synchronize the clocks of the BIG-IP devices, preferably using an NTP server.
402855 Removal of Route-Domains from configuration might cause load failures. Load of the updated config fails. Workaround: Clear the current config by loading defaults before loading the UCS using the following command sequence: -- tmsh load sys config default. -- tmsh load sys ucs ucs_name.
403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. This occurs with hardware syncookies. Hardware syncookies do not function. Workaround: Enable client side and server side profiles for hardware syncookies.
403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. Workaround: To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired.
404398 Using tmsh merge to update route-domains does not work. This occurs when attempting to merge configuration information that contains differing route domain information. The operation fails with a message similar to the following: 01070979:3: The specified vlan (/Common/external) for route domain (/Common/0) is in use by a self IP. Unexpected Error: Loading configuration process failed. Workaround: A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/partition_name/bigip_base.conf) before performing the load operation.
404588 LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP when the iRule gets suspended (for example if the 'after' command is used). This occurs when an iRule on the RTSP_RESPONSE event gets suspended (for example when using the 'after' command). LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP. Workaround: None.
405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. This occurs when resetting stats on a disabled interface. Stats do not reset. Workaround: Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if needed.
405898 If the maximum transmission unit (MTU) for a network running OSPF is different from ZebOS, or if its neighbor router has configured for its interface MTU, OSPF adjacencies may not form, or some datagrams may be rejected. TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface. OSPF running on that interface. OSPF adjacencies never fully form and routes are not exchanged. Workaround: Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.
406238 FTP active mode data connection does not work from the BIG-IP system command line, if the connection is exiting through an interface with SP DAG. cmp-hash = src-ip or dst-ip. ftp initiated from the BIG-IP system. The data connection cannot be established with active mode. Workaround: Use FTP passive mode for data transfer.
407966 deprecated field but left in the system not to be removed. deprecated field but left in the system not to be removed. deprecated field but left in the system not to be removed. Workaround: deprecated field but left in the system not to be removed.
408599 The iRule node command does not function properly when invoked from the LB_SELECTED event. Using an iRule in which the 'node' command in the LB_SELECTED event modifies the node and port. Although logs from the iRule may indicate the node and/or port was modified, the changes are not applied, as a subsequent tcpdump confirms. Workaround: Use node under other events.
408810 BIG-IP with Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24 byte router-LSA (zero link LSA). OSPFv2 or OSPFv3 neighbor is a Vyatta router. OSPF session will not come up. Workaround: None.
409059 Hairpin connections are not supported for NAT64. -- lsnpool with NAT64. -- Hairpinning enabled. Hairpinned connections do not work. Workaround: Hairpin via upstream router.
410036 If a client and server attempt to resume a TLS connection using TLS session tickets through a BIG-IP virtual server configured for Proxy SSL, the BIG-IP resets the connection. If Reset Cause Logging is enabled (refer to SOL13223), the reset cause is 'SSL Session Not Cached.' Resumed handshakes do not succeed, which might result in traffic disruption for the affected clients through the virtual server. Workaround: Disable TLS session tickets on either the pool members, or the client systems.
410114 When the OSPF protocol running on BIG-IP system sends a 24-byte router LSA, Vyatta discards this LSA. This might cause the OSPF protocol to become stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIG-IP system and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. Workaround: In imi shell, run the command 'clear ip ospf process'. You might need to run the command multiple times.
410223 For a virtual with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are being unnecessarily sent by the BIG-IP system to multiple peer clients/servers when one of the client/servers issues a FIN or RST packet. SIP ALG TCP virtual configuration and one of the clients/servers send a FIN or RST packet to the virtual. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Workaround: Configure the mblb (message based load balancing) profile to isolate the clients and servers from RST and FIN packets generated by the other client and servers. Add the following mblb profile to the SIP virtual:

ltm profile mblb /Common/test {
    defaults-from /Common/mblb
    isolate-abort enabled
    isolate-client enabled
    isolate-expire enabled
    isolate-server enabled
}

412458 It is possible to misconfigure a SIP ALG virtual by adding a transport protocol profile to the virtual server that does not match the ip-protocol of the virtual server. This invalid configuration will result in a core. If a UDP profile is applied, then the ip-protocol type should be udp. If a TCP profile is applied, then the ip-protocol type should be TCP. Add a tcp transport protocol profile to a virtual server. Apply a UDP profile to the same configuration. Misconfigured SIP ALG virtual server allows packets for other protocols to reach the tcp/udp/sctp filters. Workaround: None.
414160 Configuring the VLAN used for inter-device mirroring for an IP cmp-hash mode may cause errors establishing the mirroring connection between devices. Configure the VLAN used for inter device mirroring also for IP cmp-hash mode. Errors generated when establishing mirroring connections between devices. Workaround: Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP cmp-hash mode.
415483 A license activated on 11.2.1, or later, is not backward compatible with software versions 11.2.0, or earlier. An issue occurs after performing a software downgrade from version 11.2.1, or later, to software version 11.2.0, or earlier. The license becomes non-operational. Workaround: You must acquire a new License Key, or request 'allow move' from F5 after downgrade.
415961 The upgrade process does not migrate unassigned HTTP Class profiles to BIG-IP 11.4.0 and later. When you upgrade a BIG-IP system to BIG-IP 11.4.0 or later, the upgrade process attempts to convert all assigned HTTP Class profiles to their equivalent local traffic policies. If an HTTP Class profile is not assigned to a virtual server, the upgrade process will not perform the conversion and the unassigned HTTP Class profile will no longer exist in the configuration of the upgraded BIG-IP system. Similarly, if you restore a UCS archive that contains unassigned HTTP Class profiles in BIG-IP 11.4.0 and later, the restoration process will not convert the unassigned HTTP Class profiles and these profiles will no longer exist. This behavior is by design. You might lose unused HTTP Class profiles in the configuration. Workaround: When upgrading to BIG-IP 11.4.0 and later or saving a UCS archive from a pre-11.4.0 system, you should consider the following factor: Prior to upgrading or saving a UCS archive, ensure that all HTTP Class profiles are assigned to a virtual server.
417045 Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)' to the ltm log. This might occur intermittently when shutting down the system. This message is benign, and the system should power up correctly. Workaround: None.
417526 The system logs a message sequence that includes a hardware sensor critical alarm in log /var/log/ltm when a power cable is disconnected and then re-connected. This might occur when a power cable is disconnected, then re-connected to an AC power supply. When that happens, system status might switch from Good to Bad, and then back to Good within seconds. As a result, the system posts a message sequence similar to the following: -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. -- crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad. -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. This is expected behavior, in that the system is actually reflecting the state in real time: when the cable is connected, the status is Good; when the cable is disconnected, the status is Bad; when the cable is re-connected, the status is Good. This message sequence does not indicate a problem in the BIG-IP system. It simply means that it might take a few seconds for the fan in the power supply to come up to speed. Workaround: None.
417720 If a power supply fan unit becomes jammed or experiences a failure that prohibits the minimum RPM threshold to be met, the LTM log will erroneously indicate that the power supply has been turned off. For example: localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off. Any kind of power supply fan failure that prevents the unit from achieving the minimum spec. for RPMs. Misleading log message. Workaround: None.
418924 Secondary blades in a cluster go into swap when there are too many iso images in /shared/images. Too many iso images in /shared/images. Secondary blades are slow. Workaround: Use tmsh or the GUI to delete as many iso images from /shared/images as feasible.
419345 Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes. This occurs when you modify the master key on standby chassis. Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log. Workaround: Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.
419621 After a blade failover, an existing inbound session may not have the delete event logged when it completes. -- lsn-pool with NAPT. -- Inbound session logging enabled. -- HA configuration. -- After failover. The add event for the inbound session may not have a matching delete event. Workaround: None.
419733 BIG-IP systems configured with additional non-default management routes via static, OSPF or other protocols might post error messages. The problem occurs when multiple management interfaces are defined. The system might post route_mgmt_entry count errors during the operation of the /usr/bin/config script. Workaround: You can use one of the following alternative methods to configure the mgmt address and default route: GUI, iControl, tmsh, and configuration file load.
419741 Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause. Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade. In rare situations, the TMM crashes. Workaround: None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
420053 Although the IPFIX Logging Destination accepts transport protocol profile configuration, it does not use parameters from the profile. An IPFIX Logging destination can be configured with non-default protocol profiles, such as a custom TCP profile with specific values for Idle Timeout or Keep Alive interval, but the selections are not used. This occurs when customizing parameters within the configured protocol profile. Parameters specified within the configured protocol profile are not utilized, and default values are used instead. Workaround: None.
420184 A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when a folder does not yet exist, and you try to create the folder and the object in a batched set of command-line commands. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). Workaround: To work around this, create a folder before using batch commands to create objects in a folder.
420330 When experiencing a large amount of traffic, TMM could crash due to corruptions. The system is under stress and TMM memory is exhausted. SSL profiles are configured. TMM crashes, which causes the system either to fail over to the redundant unit or to interrupt traffic while TMM restarts. Workaround: None.
420344 When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. Workaround: None.
420558 Using the list command will no longer display the records of an external datagroup. Workaround:
420689 A single configuration file (SCF) as generated by the command save sys config file 'name', does not contain information describing what configuration objects have synchronized between the device and other devices. This occurs with an SCF generated using the command: save sys config file 'name'. Loading the SCF can cause the system to lose track of this information. Workaround: From one device, run the following command: modify cm device-group device_group_name devices modify { device_name { set-sync-leader } }.
421012 scriptd might indicate that it is running on a secondary blade, even when the process is running on a primary blade or an appliance. The error condition generates this log message: 014f000f:7: Becoming secondary cluster member. The conditions under which this occurs are not well understood, but it is a rare occurrence. Perpetual iCall handlers do not run, so scripts running under the control of a daemon do not run. Workaround: Issue the command 'bigstart restart scriptd' on an affected blade or device.
421092 The maximum number of named variables in an iRule is 4,194,304. This occurs when using iRules. System drops core file and posts message: Assertion 'maximum pages' failed. No more than 4,194,304 named variables can exist in an iRule. Although the maximum pages limitation has always existed, beginning with 11.3.0, the assert occurs very early when this is detected. Workaround: None.
421640 Entries that mention yourtheme.css appear in the httpd error logs. Using the GUI for iApps triggers this condition. Entries appear in httpd_errors referencing yourtheme.css. There is no impact, visual or otherwise, to the GUI or the rest of the BIG-IP system. Workaround: None.
421702 The BIG-IP system publishes the mgmt MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel (as ifconfig and dmesg report). This occurs on BIG-IP systems MAC addresses. MAC address is inconsistent between ifconfig and 'tmsh show sys mac'. This is expected behavior and does not indicate an issue with the system. Workaround: None.
421851 When iRules are saved into bigip.conf, the first line is automatically indented with four whitespaces. Usually these whitespaces are removed when the config is loaded, but when an iRule starts with commented lines, the whitespace is not removed. Every subsequent save/load operation adds another four whitespaces. When a user adds a checksum to the iRule, loading fails with a checksum verification error. This occurs when both conditions are true: 1. Line 1 begins with a # character and white spaces. 2. The checksum operation is performed on the iRule. Load failure. Workaround: Remove the whitespace at the beginning of the iRule.
422259 An IPFIX logging destination is configured with a pool of nodes to identify the collectors to which IPFIX messages should be sent. The health of the nodes and the overall pool can be monitored by the BIG-IP system using a health monitor. However, if network or other issues cause the ICMP monitors to mark a node as Offline, the BIG-IP system continues to try to establish connections and send data to that node, instead of deferring such attempts until the node is declared Online again by the health monitor. Network or other issues that cause ICMP requests to a pool member to fail. Minimal, other than extra processing load. Under normal circumstances, if ICMP traffic to a pool member is not successful, the BIG-IP system cannot establish a connection to that member, and IPFIX messages might be transmitted to other available nodes in the pool. When the iptables filter is removed, it takes approximately five seconds for the traffic to resume. This is expected behavior. Workaround: None.
422315 When trying to remove certain interfaces from list, the user can encounter an error in the UI. For example, if more than two interfaces exist in the Interface list on a trunk object, you receive an error if you attempt to remove one of the interfaces that appear between the first and last interfaces listed. More than two interfaces exist in Interface list on trunk object. Customer tries to remove a 'middle' interface and Update. Customers cannot remove all interfaces from Trunk using UI. Workaround: Use tmsh.
422709 Intermittently, if a secondary blade is being disabled, it may miss the command and stay enabled. Unknown. Secondary blade will still pass traffic as if it is active. It will not be considered inactive for counting of min-up-members. Workaround: As this only happens rarely, you can re-enable the blade and re-disable the blade.
423304 Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name. This issue occurs when all of the following conditions are met: -- The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group. An invalid configuration on the box that is synced to, and no obvious warning signs. Workaround: Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.
423392 In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'. This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'. iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform. Workaround: To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14544.html.
424542 tmsh modify net interface commands with either invalid interface names or invalid attribute names will appear to create new interfaces. An invalid interface will show up in "show net interfaces". Only happens on clustered or virtual environments, not on appliances. Cosmetic only - extraneous interfaces show up in tmsh show net interface. Workaround: guishell -c "delete from interface where name='12345/is_this_correct'"
424649 Blades continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. An lsn-pool in deterministic mode, assigned to a virtual server, with a /8 prefix (or similar number of addresses.) System is rendered unusable until DNAT mode is disabled. Workaround: Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround.
425017 For Thales HSM clients, the tmm and pkcs11d daemons must be restarted for changes to take effect to the key protect mechanism. This occurs for Thales HSM clients when support is added for module keys and token keys, or for softcard features, or when these are enabled or disabled. Changes do not take effect. Workaround: None. The tmm and pkcs11d daemons must be restarted for the changes to take effect.
425018 Loading an SCF after modifying a self IP may cause a route in the Linux kernel to be dropped. Linux host applications may not be able to connect when they are expected to. Create a config with a self IP on a VLAN and a default gateway route on that VLAN, save an SCF file, then modify the self IP in that SCF file and then load the SCF. Linux kernel default gateway route is dropped and host applications looking for the route may not be able to connect. Workaround: Reset the config to default before loading the modified SCF: 1. tmsh load sys default. 2. tmsh load sys scf SCF_filename. For more information, see SOL14572: Routes configured in a single configuration file may be missing from the Linux kernel route table after loading the single configuration file, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14572.
425209 "mcpd on secondary blades may restart with an error message about an sflow_vlan_data_source object of the form: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1760). A duplicate value was received for a non-primary key unique index field. DB exception text (Can't save/checkpoint DB object, class:sflow_vlan_data_source status:13))" The exact conditions under which this occurs are not well understood. The immediately triggering event is a restart of the clusterd daemon on an individual secondary blade in a VIPRION chassis, performed while all other blades are restarting their TMOS software. All services on an affected blade will restart. Workaround: This issue has no workaround at this time.
425826 Unit in HA configuration constantly cored until the system was rebooted. An intermittent error appears: notice panic: ../kern/xbuf.c:2273: Assertion 'valid xfrag' failed. It is unclear whether this is a high-speed bridge (HSB) issue or a driver issue. The return buffer is provided by the driver and used by HSB to return the packets. Either the provided buffer is corrupt or HSB somehow corrupts it. This issue is rare and has been seen across several platforms and HSB bitfiles. Rare issue that results in kernel panic. You might see invalid return buffer and invalid xfrag messages. Workaround: This is typically cleared on reboot. The issue might also be cleared with a bitfile upgrade.
425965 "On the BIG-IP 2000 and 4000 family of platforms, rapid changes to port speed and duplex mode on the fixed RJ-45 ports may cause a TMM restart. Ports may be listed as down in UI, but through the CLI the system port is listed as up. Messages about tmm processes restarting may appear in /var/log/ltm." BIG-IP 2000 and 4000 platforms. Ports down due to tmm restarting. Workaround: Change both sides of the interface to auto-negotiation, then switch to the desired speed/duplex.
426128 If the passphrase for the pkcs12 file being installed is greater than 49 characters in length, installation could fail with the error - "Key management library returned bad status: -28, Bad password". This occurs with pkcs12 files with passphrases greater than 49 characters. When this occurs, installation could fail with the error - "Key management library returned bad status: -28, Bad password". Workaround: Use passphrases containing fewer than 50 characters for pkcs12 files.
426129 CGNAT translation logs sent to ArcSight HSL destinations will not be in a compatible format for ArcSight to parse. LSN pools are configured for a virtual server. A log profile is configured to use an ArcSight destination and attached to the LSN pool. CGNAT log messages will not be processed correctly by ArcSight. Workaround: Modify ArcSight for custom parsing. Use a different log server.
426350 When the BIG-IP system is passing heavy traffic load on an L7 VIP, running tcpdump might cause a tmm restart. Running tcpdump under heavy L7 traffic load. Traffic passing might be interrupted and the BIG-IP system might fail over to standby. Workaround: None.
427223 "VIPRION C4800-series chassis contain two Annunciator cards which perform chassis-level hardware-management functionality. Each card is located in a numbered slot accessible via the chassis front panel after removing the LCD display. BIG-IP utilities (such as the 'bladectl' utility or the 'tmsh show sys hardware' command) label the annunciator cards numerically opposite from the chassis front-panel slot labels. - The annunciator card located in physical slot 2 is identified as 'Annunciator'. - The annunciator card located in physical slot 1 is identified as 'Annunciator 2'." VIPRION C4800-series chassis running affected versions of BIG-IP. Inconsistency between logical and physical numbering of the chassis annunciator cards can cause confusion when one of the annunciator cards requires replacement or other service. Workaround: Remember that numerical identification of chassis annunciator cards in the TMOS UI is reversed from the physical annunciator slot numbering.
427260 PPTP-ALG stats: tmsh show sys pptp may show duplicate flows with some stats in each direction. CGNAT and PPTP-ALG with default DAG. Running the command 'tmsh show sys pptp' shows identical flow with different stats incremented. Although this is a cosmetic issue, it might be confusing. Workaround: Grep and aggregate the stats for a unified view.
427679 After HA Group creation, the UI does not allow the user to change pool weight. The user can change the value and submit it, but the value is not reflected post-update. User has created the HA Group. Pool weight cannot be changed post-creation. Workaround: Make modifications to pool weight using tmsh.
428752 Occasionally, on shutdown/reboot of a platform, diskmonitor might be started while the system is shutting down. This occurs when the system is shutting down, halting or rebooting. After a shutdown, halt, or reboot is initiated, the system console may display this message: 011d0002: Can not access the database because mcpd is not running. The ltm log file shows the same database warning along with a date and system entry: warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. Workaround: The warning is innocuous on shutdown and may be ignored. The diskmonitor script automatically runs when the system is booted next and detects disk space issues at that time.
428976 If a self IP is configured for advertisement in OSPF and is moved to a different VLAN, the LSA may be removed from the database and not readded. OSPF enabled, self IP moved between VLANs. Missing prefix from OSPF. Workaround: Remove and readd connected route redistribution, delete and readd the self IP, or clear the OSPF process ("clear ip ospf process" in imish).
429096 Various tools, including the Dashboard, display an SSL TPS limit provided in the base license, ignoring any additional licensing modules that might increase the TPS limit. This occurs when the system is using licensing modules that increase base SSL TPS. An incorrect SSL TPS limit is reported. Workaround: None. This is a display issue only. The correct SSL TPS limit is actually used.
429213 "A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check health of the same node IP:port in a different route domain. The killed monitor will then contribute to a monitoring timeout and potentially mark the node as down. This issue occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, SIP monitor named ""sip_london"" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file: /var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid" "For health monitor types which execute outside of the bigd process (see list below), a health monitor profile is assigned to monitor 2 different nodes which have the same IP:port in different route domains. The affected monitor types include:

Diameter
IMAP
LDAP
NNTP
POP3
Radius
Radius Accounting
RPC
Scripted
SIP
SMB
SMTP
WAP"

Pool members may flap down/up. Workaround: "To work around this, perform the following steps: 1. Create a duplicate copy of the monitor profile, and add the route domain to the name of the monitor profile. For example: ltm monitor radius /Common/radius_seattle_rd43 { default-from /Common/radius_seattle } 2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile."
429613 TACACS+ accounting packets are only sent to the authentication server. This occurs with TACACS+ accounting packets. These packets are only sent to the authentication server. Workaround: You can use syslog to send the messages (but not TACACS+ accounting codes) to multiple destinations simultaneously.
430354 When an alarm light is present on the primary blade and the USB LCD dongle is then attached, all of the blades go from green/pri or green/sec to amber status, and the alarm light is erased. A few moments later once the LCD screen is up, the blades go back to their original green pri/sec assignment but the alarm light never returns. Although the alarm message is present on the LCD after it comes up, the alarm light should stay on until the alarm has been cleared. Inserting or removing USB LCD module. The alarm message is present on the LCD after it comes up. This is a cosmetic issue, and does not indicate a system issue. Workaround: Run system_check manually.
430915 When a power supply or fan tray FRU is inserted into a running BIG-IP system, a critical alarm may be raised indicating low power and/or fan speeds. This is due to the amount of time it takes for the power and/or fan speed levels to reach their steady state levels relative to when the sensors are monitoring them. Insertion of power supply or fan tray FRU. Critical alarm raised for temporary, non-serious issue. Workaround: None.
431936 The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. This is the correct behavior. Workaround: Use the ICMP monitor in conjunction with the SASP monitor. The ICMP monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached.
432407 The GUI becomes inaccessible after the system logs become large and the user navigates to log lists under System :: Logs. This event is most likely to occur when the logging options are configured to show the most output. For example: Enabled, Verbose, Debug. The issue is most easily seen when the system has been configured with Audit logging enabled, particularly MCP, which sends numerous messages to the /var/log/audit log. This causes the log to become large, which after time might render the GUI inaccessible. When logs become large, the GUI might become inaccessible if the user attempts to view the log files through the GUI. Workaround: Configure logging options to show only the most severe output: Emergency, Error, etc. (available under the System :: Logs). If the system is already in this unresponsive state, issue the command 'bigstart restart tomcat'.
432790 Blade point of load power supply faults may be incorrectly captured and logged during chassis power cycle and card pull events. The blade AOM function continuously monitors the blade health for reporting of hardware failures to the system layer. This AOM function is on standby power and is operational whenever chassis power is present. If the chassis or the entire blade powers down through an intentional or unintentional action, power health monitoring is indeterminate and incorrect power fail event status may be captured. The blade point of load +5V, +3.3V, +1.5V, +1.1V, etc. power supply status is stored by the AOM in non-volatile memory. The information is saved in memory forever until reported and cleared by the application layer. Thus any transient power fail status captured during a power down is unintentionally logged by the application layer on the next power-up. This issue has been observed only on a few blades with very low frequency of occurrence during rigorous power cycle testing. This condition, although very rare, can occur during chassis power cycles. It can also occur during a blade pull while servicing a system in operation. Incorrect power fault status may be reported in the system logs and maintained on the blade until the log files are over-written or deleted. This may cause confusion or concerns when viewing the system log files that a hardware issue exists. If point of load power fail system log messages are observed, you must qualify them with system main power events to discriminate between false positive errors and actual power supply faults. Workaround: Recommended process is to power down the blade prior to turning off chassis power or removing the blade from the chassis. Normal controlled blade power down events are unaffected by the issue.
433235 When using certain iRules in congested traffic situations, it is possible for TMM to crash. There are several conditions resulting from iRules that require queuing. Meeting all internal conditions generally requires high concurrency and rare sequences of internal events. Examples include: -- Using 'discard' in a 'when CLIENT_DATA' clause with aborts or half-closes queued by the peer. -- Using 'release' after a connection is closed. TMM cores. Workaround: Modify iRules to handle additional conditions.
433572 DTLS does not work with rfcdtls cipher on the B2250 blade. This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP. DTLS does not work with rfcdtls cipher on the B2250 blade. Workaround: None.
434356 When an internal/external data-group configuration is modified, it doesn't reflect in a client SSL profile. Modifying a data group configuration. You have to manually restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified. Workaround: Restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified.
434364 "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change.
434517 If a HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly. Client begins sending a request. The server responds before that request is completely sent. A HTTP::retry is called in the HTTP_RESPONSE event. Typically, early server responses are error conditions. Workaround: HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
434889 Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the "Error: Failed to configure AOM management port" message. This occurs when trying to configure an IP address for AOM using the N - Configure AOM network option. Unable to configure the AOM address using DHCP. Workaround: None.
435332 If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x/12.x. "Here is a sample user config from 10.2.1:

user v-abban {
   password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/'
   description 'v-abban'
   group 500
   home '/home/v-abban'
   shell '/bin/false'
   role administrator in Common
}"

Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }
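A pre-upgrade check for the condition described in 435332, as an added example in Python (not F5 code): it scans the text of bigip_sys.conf for user stanzas in the layout of the sample above and reports role lines that restrict an affected role to a single partition, then applies the documented `in [All]` edit. The `resource-admin` token spelling, the function names, and the sample users are assumptions made for this illustration.

```python
"""Pre-upgrade check for issue 435332 (added example, not F5 code)."""
import re

# Roles the release note names as affected. "resource-admin" is spelled as in
# the note's prose; its exact configuration token is an assumption.
GLOBAL_ONLY_ROLES = {"administrator", "resource-admin"}

USER_RE = re.compile(r"^user\s+(\S+)\s*\{$")
ROLE_RE = re.compile(r"^role\s+(\S+)\s+in\s+(\S+)$")


def find_restricted_admins(conf_text):
    """Return (user, role, partition, line_no) for each role line that would
    trigger the 01070821:3 User Restriction Error on upgrade."""
    findings = []
    current_user = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if current_user is None:
            # Only role lines inside a "user <name> { ... }" stanza count.
            m = USER_RE.match(line)
            if m:
                current_user = m.group(1)
            continue
        if line == "}":
            current_user = None
            continue
        m = ROLE_RE.match(line)
        if m:
            role, partition = m.groups()
            if role in GLOBAL_ONLY_ROLES and partition != "[All]":
                findings.append((current_user, role, partition, line_no))
    return findings


def apply_workaround(conf_text):
    """Return the config text with each flagged role line rewritten to
    'role <role> in [All]', keeping indentation and all other lines intact."""
    flagged = {f[3]: f[1] for f in find_restricted_admins(conf_text)}
    out = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        if line_no in flagged:
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = f"{indent}role {flagged[line_no]} in [All]"
        out.append(raw)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


# Constructed sample input (not taken from a real system).
SAMPLE_CONF = """\
user alice {
   password crypt 'CONSTRUCTED'
   role administrator in Common
}
user bob {
   password crypt 'CONSTRUCTED'
   role resource-admin in Web
}
user carol {
   password crypt 'CONSTRUCTED'
   role operator in Common
}
user dave {
   password crypt 'CONSTRUCTED'
   role administrator in [All]
}
"""

if __name__ == "__main__":
    for user, role, partition, line_no in find_restricted_admins(SAMPLE_CONF):
        print(f"line {line_no}: user {user} has role {role} "
              f"restricted to partition {partition}")
    print(apply_workaround(SAMPLE_CONF))
```

Run the check against a copy of the file and review the rewritten role lines before upgrading, since moving a user to [All] widens that account's scope.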
435488 Cannot configure route domain for centralized management infrastructure (CMI) device unicast-address. (CMI is also referred to as device service clustering (DSC).) Try to configure non-default route-domain for CMI device unicast-address. Cannot configure route domain. This is not a supported configuration. If you use a route-domain address, the configuration does not work, and the system posts a number of log errors indicating that. Workaround: Do not configure non-default route-domain for CMI device unicast-address.
435494 DTLS handshake may fail when UDP messages are round robin among TMMs. DTLS configuration. Round Robin DAG enabled for DTLS UDP packets. DTLS handshake could fail. Workaround: Disable Round Robin DAG for DTLS packets.
435646 lsn-pool inbound setting does not work when not associated with a virtual server. An lsn-pool with inbound or hairpinning enabled. That lsn-pool is not associated with a virtual server but is assigned by an iRule. Inbound and hairpinning are not enabled for subscribers using that lsn-pool when assigned via an iRule. Workaround: Create a virtual server for each lsn-pool.
435814 CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits. Connection limits are not enforced. Workaround: Set persistence timeout to a value greater than 30 seconds.
436170 When FIPS fails to attach, tmm crashes when attaching an SSL profile. This transient issue occurs because of a timing issue during software initialization, in which SSL initialization is occasionally called before FIPS attaches. TMM crashes during bootup. This is typically a transient issue, and not an indication of actual FIPS hardware failure. Workaround: Run the EUD test. If FIPS passes the test, a TMM restart resolves the issue.
436813 Messages for sync statuses differ when there is a sync config in memory that is newer than the one in the binary database, and the system is restarted. This occurs when you run set-sync-leader and then issue a bigstart restart before saving the config. On one system, the message posted is 'Not All Devices Synced', and on another, 'Changes Pending'. This issue is cosmetic only. The actual sync statuses will be correct. Workaround: Save the configuration on a device before rebooting it.
436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. "All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1 or any TMOS v12.x release. Upgrading to 11.0.0 or 11.1.0 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain. - That partition contains nodes with no route domain set (so the default is used). - That partition contains other nodes in route domain 0." Those objects might no longer be addressable or able to connect. Workaround: "Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane."
437226 The SERVER_CLOSED execution counter is incremented by 2 for every 1 run when the flow is parked in CLIENT_CLOSE. This occurs in the stats for SERVER_CLOSED when the flow is parked in CLIENT_CLOSE. The stats for SERVER_CLOSED become inaccurate due to parking. Workaround: None. This is a cosmetic issue. TMM does not core.
437768 Do not use 'bigip1' as a device name. The BIG-IP system reserves 'bigip1' as the factory default device name. This occurs when using 'bigip1' as the device name. You might see an error similar to the following: 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed. Workaround: Treat 'bigip1' as a reserved word, and do not use it for device names.
437905 "HTTP compression for certain image files may fail on the BIG-IP 2000s/2200s and 4000s/4200v platforms. As a result of this issue, you may encounter one or more of the following symptoms: - BIG-IP iHealth lists Heuristic H450131 on the Diagnostics : Identified : Low|Medium screen. - The BIG-IP system resets the client connection. - You observe error messages in the following files with the same time stamp: /var/log/ltm :: -- crit tmm[19290]: 01010025:2: Device error: (null) Cave Creek compression error, err = -11. -- crit tmm[19290]: 01010025:2: Device error: (null) qa_dc_ctx_done: hw_comp Error. /var/log/tmm :: -- notice dcCompression_ProcessCallback() - : Recoverable error: stateful compression overflow. You may need to increase the size of your destination buffer and resubmit this request." "HTTP compression may fail on some BIG-IP 2000s/2200s and 4000s/4200v platforms. This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use hardware HTTP compression. Note: This behavior is by default for BIG-IP platforms equipped with hardware compression. You can modify this behavior using the compression.strategy database variable. However, F5 recommends that you keep this database variable set to its default value because changing it may impact system resources. For more information, refer to the Profiles for Managing HTTP Traffic chapter in the BIG-IP Local Traffic Manager: Concepts guide. The BIG-IP system is compressing a Portable Network Graphic (PNG) image file." The client browser receives an incomplete image file and experiences a connection reset. Workaround: "To work around this issue, you must obtain an engineering hotfix for this issue and install it on the affected BIG-IP system. The engineering hotfix introduces a new quickassist.compression.buffsize_multiplier database variable, whose value you must set to 300. To obtain an engineering hotfix for this issue, contact F5 Support.
To modify the quickassist.compression.buffsize_multiplier database variable, perform the following procedure: Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the Traffic Management Shell (tmsh) by typing the following command: tmsh. 2. Modify the value of the quickassist.compression.buffsize_multiplier database variable to 300 by typing the following command: modify /sys db quickassist.compression.buffsize_multiplier value 300. 3. Save the change by typing the following command: save /sys config."
438177 RSA key/cert pair must be configured as a default in clientssl profile even for only DSA/ECDSA ciphers. If ciphers only contain DSA/ECDSA ciphers. The connection cannot be built up if no RSA key/cert is configured on clientssl profile. Workaround: The clientssl profile must have RSA key/cert configured.
438324 Virtual servers configured with Fast HTTP profiles can fail if TCP uses ipport hash on B2150/B2100 blades. The B2150/B2100 DAG (Disaggregator) hash cannot use both IP address and TCP port in selecting tmm in ipport mode. This occurs when TCP is configured to use ipport hash on B2150/B2100 blades and the virtual servers use Fast HTTP profiles. TCP-based virtual servers configured with the Fast HTTP profile can fail. Workaround: To work around this, you can either use port hash or use profiles other than Fast HTTP for TCP-based virtual servers.
438666 iControl/REST relies on automatic parsing of tmsh output in order to reply to requests. The structure of 'show sys raid array' does not provide that support, so the array-members statistics are dropped and not returned in the output. This happens for any 'stats' query on a BIG-IP system that has RAID. Clients cannot get array-members statistics using iControl/REST. Workaround: Use tmsh or other UI (iControl/SOAP).
439507 Running the qkview utility might take a very long time, up to 30 minutes, possibly longer if there are thousands of tunnels or virtual IPs created. This occurs when there are 500 virtual network interfaces or more in a configuration. qkviews are slow to generate. Workaround: Wait for qkview to finish, which might take up to 30 minutes.
439628 Updating the Dynamic Ratio of a node or pool member using TMSH or iControl, instead of a built-in dynamic ratio monitor such as SNMP, results in a 'configuration sync needed' status, or an automatic sync if auto sync is enabled. This occurs when the following conditions are met. - Multiple devices in a device group. - Updating dynamic ratio via TMSH or iControl. - For automatic sync, auto sync is enabled on the sync-failover group. The sync status might unexpectedly transition to 'Changes Pending'. If automatic sync is enabled, the device group performs a ConfigSync immediately. If automatic sync is enabled, and the dynamic ratio is updated frequently (such as by an External monitor or an iControl script), the following additional impacts may occur: - An administrator's pending changes to the configuration may unexpectedly roll back on a receiving device. - A sync conflict may potentially occur. Workaround: The following 'guishell' command syntax can be used to update the dynamic ratio as an alternative to using TMSH: guishell -c "update pool_member set dynamic_ratio=dynamic_ratio_number where pool_name='/path/pool_name' and node_name='/path/node_name' and port='port#'". The node name is the full folder path to the object name, which might be the node address with the pool folder prepended. In external monitor scripts, the node name is available in the NODE_NAME environment variable. Example: guishell -c "update pool_member set dynamic_ratio=123 where pool_name='/Common/SMTP_Servers' and node_name='/Common/10.50.5.251' and port='25'".
439860 When a user enables or disables a virtual server, no SNMP traps are sent. However, when a virtual server changes up/down state due to pool member monitoring, the traps are sent. The BIG-IP system configured for sending SNMP traps. SNMP traps are not sent when a user manually enables/disables virtual servers. Workaround: None.
440199 Using the LCD buttons to change the console baud rate to anything other than 9600 or 19200 may cause the rate to default to 19200. This occurs when using the LCD to change the baud rate. Console input/output may not be usable after the changes. Workaround: Use tmsh to change the console baud rate for rates higher than 19200 baud.
440365 At upgrade or UCS installation time, one or more files which share the same name may not be copied to a staging location, eventually leading to an error message at configuration load time, of the form, 'File object by name (filename) is missing.' In a 10.x system it's possible that files of different types (e.g., certificates, keys, external monitors, etc.) which are to be upgraded to file-objects in an 11.x/12.x system may have identical filenames though they reside in different directories on the BIG-IP system. For instance, a certificate located in /config/ssl/ssl.crt/example and a key in /config/ssl/ssl.key/example, on a 10.x system which is to be upgraded could cause this condition. Error at first boot of a newly upgraded partition, or UCS load time. Workaround: Modify the duplicately named files and any references to them in the configuration before upgrade.
440431 Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands. "This issue occurs when the following condition is met: A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command. The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging." The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank. Workaround: To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.
440959 SNMP DCA monitor rejects delayed responses with ICMP unreachable result. Within the threshold of configured timeout and retry, in the event of an ICMP unreachable, the monitor marks the weight to the default (1). Configure a pool_member with SNMP_DCA monitor. Delay the SNMP server's response. Delayed SNMP responses are rejected by the monitor. Workaround: Write an external monitor script, using the snmpget utility.

For example:
------------
# values provided by bigd
node_ip=`echo "$1" | sed 's/::ffff://'`

# example: use snmp get
# (double quotes, so that the shell expands $node_ip)
command=$(snmpget -v 2c -c private "$node_ip" -r 3 -t 5 .1.3.6.1.4.1.2021.4.5.0 .1.3.6.1.4.1.2021.4.6.0 .1.3.6.1.4.1.2021.11.50.0 .1.3.6.1.4.1.2021.11.51.0 .1.3.6.1.4.1.2021.11.52.0 .1.3.6.1.4.1.2021.11.53.0 .1.3.6.1.4.1.2021.9.1.2 .1.3.6.1.4.1.2021.9.1.9)

To configure an external monitor:
---------------------------------
-- tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/my_snmp2.sh
-- tmsh create ltm monitor external my_snmp run my_snmp_exec
-- tmsh create ltm node nodeA address 1.1.1.1 monitor my_snmp

441146 Flooding on forwarding ports for some HSB equipped platforms is being delayed. The delays are due to the absence of an event-driven flushing of HSB L2 entries, when an interface changes to a STP blocked state. This occurs with the BIG-IP 3900, 6900, 8900, 8950 platforms. This is seen with multiple parallel interfaces on the same VLAN between the BIG-IP system and a remote switch, with STP enabled. Delays are observed with the BIG-IP system again reverting to use the STP selected forwarding port, after the original forwarding port was disabled and re-enabled. Workaround: None.
441719 The CRYPTO command might trigger a core when using invalid algorithms (for example, using a symmetric key (hmac-sha 256) instead of an asymmetric key (SHA algorithm)). This is a negative test that only helps to verify iRule completeness. This occurs when the CRYPTO:: commands use invalid algorithms. The system drops a core. Workaround: Only use the same type of algorithms (asymmetric or symmetric alone).
441796 When you run hsb_snapshot or qkview from the command line, this may cause a watchdog reboot. One or more messages similar to this appear in the log: info kernel: Program hsb_snapshot tried to access /dev/mem between 164e6b000 and 164e6c000. Running qkview or hsb_snapshot from the command line. System reboot. Workaround: Do not run qkview, or follow the workaround procedure in SOL10052.
442227 When using tmsh, a user can set the start time or end time for the database download schedule as 24:01. The supported time range is between 00:00 and 23:59. User could set the download schedule more than 24 hours in start time or end time using tmsh. Download schedule might behave randomly. Workaround: To prevent any problem with the schedule, set the time range between 00:00 and 23:59 or use the GUI to set the time.
442489 Licensed SSL and compression limits totals are not shown. Any multi-core system with SSL and/or compression licensed. Might result in confusion or assumption of different limits than actually exist. This is a cosmetic issue and does not affect system functionality. Workaround: None.
442569 Some benign SELinux errors that can occur in this release when installing a hotfix: -- /usr/sbin/load_policy: Can't load policy: No such file or directory. -- semodule: Failed! This occurs when installing a hotfix on the BIG-IP 5000, 7000, and 10000 platforms (with SSDs). The system presents messages that appear severe, but are actually benign: Can't load policy: No such file or directory and semodule: Failed! Workaround: None, but these errors are benign and SELinux corrects itself after reboot.
442613 After user modifies tag map data group content, the tag replacement function may still use the old tag mapping data. After user assigns a data group to FIX profile's sender tag map attributes, user modifies the content of the data group. The replaced tag may still be the data defined in the old data group; this causes the FIX message receiver to not recognize the tag and reject the message. Workaround: After user modifies data group, user must then remove the data group map from the FIX profile, update the profile, re-add it and update the profile again.
446712 When FTP is used with LSN pools, the data connections do not count towards the LSN client connection limit count. FTP is configured with LSN pool whose client connection limit value is greater than zero. Data connections (active/passive mode) are not counted. This might result in a subscriber being able to create more connections than specified by LSN pool client connection limit. Workaround: None.
446963 When messages are queued after processing of the HUDCTL_ABORT, processing those messages might cause a crash. After processing ABORT no other messages should be processed. But in the case in which HUDCTL_SHUTDOWN is queued, HUDCTL_ABORT is processed and then HUDCTL_SHUTDOWN (queued by SIP filter), causing the crash. TMM crashes and the system creates a core file. Workaround: None.
448409 The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all.
449158 iRule: nexthop to 'vlan:mac address' does not forward the packet. HTTP request to a port 80 virtual server with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN. Packet forwarding does not occur. Workaround: None.
449502 Diameter monitor script doesn't allow custom grouped AVPs that contain only a single element. Capabilities Exchange Answer (CEA) with a custom grouped AVP containing only a single attribute. Duplicating the attribute in the Diameter monitor script doesn't work either. The monitor will fail. Workaround: Use multiple attributes, or use non-custom grouped-AVP.
449526 Rarely, an LB::prime iRule with SIP filter can result in a core due to the flow control mechanism added in the SIP hudfilter and the fact that LB::prime adds the necessary count of prime messages in Q and calls mblb_connect synchronously, which has the potential to traverse the entire serverside chain. LB::prime iRule with SIP filter is used. Rarely results in a core with LB::prime iRule. Workaround:
449747 All of the self links and reference links in iControl REST responses will contain localhost instead of an IP address or a hostname or an FQDN. This occurs when using iControl. iControl REST clients will need to substitute 'localhost' with the correct server name (or IP address or FQDN) when navigating links returned in responses. This is by design. Workaround: iControl REST clients will need to substitute 'localhost' with the correct server name (or IP address or FQDN) when navigating links returned in responses.
450671 A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms: -- Client applications may not respond or appear to hang. -- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system. This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable. In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered'). Workaround: None.
453232 The double-tagging packet stats counters are only supported on the VIPRION blades: B2250, B4300, B4340, and B4350, and on BIG-IP platforms: 10000, 10050, 10050N, 10200, 10250, 12050. Double-tagging packet counters are not supported on the B2100/B2150 VIPRION blades or the BIG-IP platforms 5000 series and 7000 series. The system is configured for and passing double-tagged traffic and showing zero values for the Double Tagged Packets stats in the GUI, TMSH, or via the iControl APIs. When running the command 'tmsh show net interface all-properties' on the unsupported platforms, 'DoubleTag Pkts In' and 'DoubleTag Pkts Out' always show a value of 0 (zero). Workaround: None.
453362 SSL forward proxy does not work with OneConnect when there are multiple connections from the same client to the same server. This occurs with virtual servers configured with OneConnect. SSL forward proxy does not work. Workaround: Multiple connections worked fine without OneConnect.
454209 TMM crash on UDP DNS virtual without datagram-load-balancing enabled. DNS virtual server without datagram lb mode. TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption. Workaround: Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.
454640 Secondary blades' mcpd instances might restart on boot. This might occur intermittently on VIPRION bladed systems or vCMP guests. This might be the result of a race condition that occurs when /config is synced between the blades and when the mcpd process starts. The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present. Workaround: This issue has no workaround at this time.
454671 When SIP is used with LSN pools, the media connections do not count towards the LSN client connection limit count. SIP ALG is configured with an LSN pool whose client connection limit value is greater than zero. Media connections are not counted. This might result in a subscriber being able to create more connections than specified by LSN pool client connection limit. Workaround: None.
454672 When RTSP is used with LSN pool, the media connections do not count towards the LSN client connection limit. RTSP is configured with LSN pool whose client connection limit value is greater than zero. Media connections are not counted toward the LSN pool client connection limit. This might result in a subscriber being able to create more connections than specified. Workaround: None.
455090 The hashtag character '#' is a Tcl comment command that causes the Tcl parser to ignore the rest of the line. When user inserts a '#' character to a command that has an open curly brace ({) at the end of line, there is a mismatch of open and close braces. However, the user can save the iRule script through the web interface and TMSH. 1. '#' at the start of a line that ends with '{'. 2. The ending '{' perfectly matches a '}' in the script. When the iRule script runs at traffic time, the system fails. Workaround: Comment out or delete the matching closing '}' brace character.
455525 If, for some special reason, the role and partition information are not present, there are two cases where this might occur: When the user's role and partition information is not provided, by default, the no-access role and all partitions are assumed. If the user's role and partition are explicitly deleted, this is also allowed with no further error message. This is potentially useful in cases where you want to preserve the user data such as password for later re-activation of the user. In both cases, the user cannot log in successfully due to the lack of the necessary role-partition information. User's role and partition information is missing or removed. The user with missing role and partition information is prohibited from login. Workaround: None.
456378 When using ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED that contains a discard or reject action, TMM is going to fail over. Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action. TMM cores. Workaround: Use CLIENT_DATA as the firing event for the iRule. This has the same expected result when discarding the connection.
456508 Deleting persistence entries using iRules in Port block allocation (PBA) mode does not completely remove persistence. This occurs because having a PBA block implies that some persistence exists. This occurs when the following conditions are met: -- LSN mode equals PBA. -- iRules use LSN::persistence-entry to create and delete address persistence entries. Using lsndb to view persistence entries may cause confusion as the deleted persistence entries might still be present. These persistence entries go away when they time out. Workaround: None.
457509 The failure relates to how quickly cross-blade trunk tables can be reconfigured after the primary blade is pulled, or powered down. The mcpd driven trunk_wrkng_member deletes may take too long to reach bcm56xxd on remaining blades, for reconfiguring the trunk tables and selecting the new slot for passing the multicast packets. Primary blade is pulled, powered down, or otherwise experiencing a terminal failure. The remaining blade(s) may experience long delays (4+ secs) before receiving trunk_working_member modify messages, as a result of losing the primary slot, resulting in a temporary multicast blackout window. Workaround:
458526 When a BIG-IP device is running the spanning tree protocol, it may continue to send one or more TCN BPDU packets after receiving a Topology Change Acknowledgement BPDU. Using spanning tree protocol. BIG-IP device might send additional Spanning Tree TCN BPDUs. Workaround: None.
458527 When running spanning tree, a BIG-IP device sends TCN BPDUs after receiving a topology change notification on its root port. A BIG-IP device is connected to another switch running spanning tree and the BIG-IP device is not the root switch of the tree. No observable network impact from the TCN flag being sent in the BPDU. Workaround: None.
458529 When a BIG-IP system is running spanning tree protocol and receives BPDUs from another device containing a worse root path cost, it may not honor the hold timer value on the BPDUs received, and consequently it will send BPDUs at a faster rate than requested. Spanning tree is running and has a better root path cost than an adjacent switch that has a lower transmit hold count than what is configured on the BIG-IP system. Spanning Tree BPDUs sent out more frequently than they should. Workaround: Set the transmit hold count on the BIG-IP system to be the same as all other devices on the network that are participating in spanning tree.
459471 ssl-ocsp and ssl-cc-ldap auth profiles can contain the same name leading to issues when trying to delete them. ssl-ocsp and ssl-cc-ldap objects have the same name. Cannot delete both of these auth profile objects. Workaround: Do not create the two auth profiles with the same name.
460500 Cannot load config containing iRules signed with Global comments. This occurs when using iRules with Global comments (outside any WHEN block) before the first block or after the last block. Global comments between WHEN blocks do not cause any issue. The config file cannot be loaded, and the system posts the following error: 01071485:3: iRule (/Common/irule2) content does not match the signature. Unexpected Error: Loading configuration process failed. Workaround: You can use either of these workarounds: -- Delete the Global comments (outside WHEN blocks) that lie either at the beginning or at the end of the iRule (before the first or after the last WHEN block). -- Delete the signing entries (definition-signature and signing-key) from the config file before loading it.
461140 You cannot configure High Availability (HA) using IPv6 IP address formatting. This occurs when using IPv6 formatted IP addresses. When adding a peer device using an IPv6 address using the web interface, the system posts the following error message: 'java.io.IOException: Could not read response from server: ParseError at [row,col]:[1,150] Message: The reference to entity 'destaddr' must end with the ';' delimiter.' The system posts a similar error message performing the same operation using TMSH: 'Unexpected Error: Could not add ca-device (error from devmgmtd): [evConnection.cpp:162 tryConnect] evConnect(m_ev, fd, (void *) &destaddr, sizeof(destaddr), &::evOutgoingConnection, this, &m_connId): Network is unreachable.' Workaround: Set up an IPv4 Self IP in an HA VLAN (VLAN on which each device can communicate with the other). Then add that Self IP to the device. To do so, in TMSH, run a command similar to the following: 'modify cm trust-domain Root ca-devices add { 10.10.3.102 } username admin password admin name 8950-3.example.com'. Running that command retrieves from the peer device the IPv6 addresses that are already set up for management-ip, config-sync, and Network failover, and syncs them, so that HA device trust can work correctly.
461199 Memory increases when using certain iRule methods related to Diameter (for example, AVP::insert, AVP::replace, AVP::codes). Inside the underlying function dime_method_optional_args_parse, a call to the function Tcl_GetIndexFromObj was not decrementing the refcount of an object. This issue occurs when all of the following conditions are met: -- You have configured a virtual server to process Diameter messages. -- The virtual server references an iRule that uses Diameter based commands. For example, AVP::insert, AVP::replace, AVP::codes. As a result of this issue, you may encounter one or more of the following symptoms: -- The BIG-IP system fails to process traffic for a brief period of time. -- The BIG-IP system fails over to another host in the device group. -- TMM generates a core file in the /var/core directory. Workaround: None.
461776 Setting the DB variable 'qinq.cos' to 'outer' has no effect on the VLAN priority of packets arriving at customer-tagged interfaces and does not correctly affect the egress Class-of-Service (CoS) mapping. Q-in-Q VLANs on customer-tagged interfaces. Using the outer tag to affect VLAN CoS is not supported. Workaround: None.
462043 On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged. On 5000 and C2400 platforms. Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0. Workaround: None.
462507 If CGNAT Port block allocation (PBA) is configured for block lifetimes, when the lifetime expires, the system terminates any flows still associated with that port block. However, SIP media flows cannot be terminated, so the block cannot be released until the media flows terminate. This occurs when the following conditions are met: -- Using CGNAT PBA mode. -- block lifetime set. -- Using SIP-ALG. -- Media flows outlive block lifetime. Blocks cannot be released as expected until media flows terminate. Workaround: None.
462524 When a User-Agent identifies a browser which has known compression limitations, the 'browser workarounds' disable compression. Browsers requiring these workarounds include: - Microsoft Internet Explorer 6.0 - Netscape Navigator 4.1 - Netscape Navigator 5.0 Unfortunately, the functionality will falsely identify many modern browsers as needing compression workarounds, disabling compression. Enable HTTP compression browser workarounds. HTTP compression will not compress responses for modern browsers. Workaround: Disable browser workarounds. If legacy clients require compression workarounds, use an iRule that selectively disables compression depending on the User-Agent.
462754 The system does not support SSL mirroring with L7 mirroring. When an SSL connection is mirrored, after a few failovers, the connection is reset or the response is delayed for up to several minutes. This occurs when SSL connections are mirrored. The connection is reset or the response is delayed for up to several minutes. The BIG-IP system does not forward request to server. In addition, you cannot use L7 features like iRules on mirrored SSL virtual servers. Workaround: Do not use SSL mirroring with L7 mirroring. SSL mirroring is not supported with L7 mirroring.
463970 When using 'LB::reselect pool current_pool' in an iRule, the pool stats do not get increased/updated (although virtual servers stats do get increased as expected). This occurs when using an iRule containing the LB::reselect pool pool2 command in LB_SELECTED. The Pool stats don't get increased (tmsh show ltm pool), resulting in misleading stats reporting, and possibly incorrect traffic based load balancing. Workaround: Add extra logic in the iRule to ensure the redundant call to LB::reselect pool SAME_POOL is not performed. To do so, you can use an iRule similar to the following: if {[LB::server pool] ne "/Common/pool_name"} { LB::reselect pool "/Common/pool_name" }
464923 Trying to use a netHSM key without the HSM license causes the SSL handshake to fail with the general error in sign server key exchange. This issue might occur when using netHSM without HSM licensing. The system posts potentially confusing errors similar to the following (with ssl debug logs turned on): -- debug tmm3[28399]: 01260009:7: Connection error: ssl_hs_vfy_sign_srvkeyxchg:8309: sign_srvkeyxchg (80) -- info tmm3[28399]: 01260013:6: SSL Handshake failed for TCP 10.10.10.13:47804 -> 10.10.10.23:443 Workaround: License HSM. To determine whether this is the issue related to these messages, you can turn on tmm.verbose. Then, if netHSM is not licensed, you can see the following message in /var/log/tmm: notice No license for external HSM.
466285 When certain users switch partitions, their displayed role shows Unknown. After a few seconds, the appropriate role displays for the active partition. A user with access only to specific partitions switches partitions. This occurs only with the Chrome browser. Unknown is shown as their role in the top bar in the GUI. This issue is only cosmetic; the user's actual role changes immediately. Any activity in the intervening time period is performed as the user's true role in that partition. Workaround: Use Firefox or Internet Explorer browsers.
466837 Using the GUI to modify a virtual server with multiple profiles results in multiple audit logs. This occurs with multiple profiles on a virtual server. The system writes multiple audit logs for a single user transaction. This is intended functionality. Workaround: This issue has no workaround at this time.
467043 Modifying banner and banner-text while sshd service is disabled results in an error. This occurs when modifying banner and banner-text while sshd service is disabled. The system posts an error. Workaround: Change the config order to enable login before the banner change, or perform the operations in separate commands. -- tmsh modify sys sshd login enabled banner disabled banner-text none. -- tmsh modify sys sshd login enabled. -- tmsh modify sys sshd banner disabled banner-text none.
467089 When performing a policy-sync the GUI disconnects from the BIG-IP system, and the Administrator will not be able to access the platform. This most often occurs when a large number of devices are within the device group being synced to. The exact number of devices that will cause this issue depends upon the specifications of the platform you are using (less powerful machines might be affected while syncing to smaller numbers), and the size of the policy being synced. If the policy is large or contains hosted content files, you are more likely to experience this issue. Once disconnected the GUI does not always connect to the server, which means you must connect via ssh and then run the command: bigstart restart tomcat. This restarts the GUI. Once back up, the GUI should be usable. Workaround: Run the command: bigstart restart tomcat. This restarts the GUI. Once back up, the GUI should be usable.
468505 tmsh crypto commands will fail when executed in tmsh batch mode. tmsh batch mode and 'sys crypto' commands. tmsh crypto commands will fail when executed in tmsh batch mode. Workaround: Run the tmsh 'sys crypto' commands outside of a 'cli transaction' i.e. not in batch mode.
468559 Protocol Security Module (PSM) provisioning was removed in 11.5.0. Upgrading a config fails to load after upgrade to 11.5.1 when an iApp requires PSM module. Upgrade to 11.5.1 when an iApp requires PSM module. The upgrade fails as the configuration fails to load. Workaround: Remove PSM from the list of enabled modules from affected iApp templates before upgrading.
469035 If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails. Empty string as encrypted configuration item. This might occur when using the tmsh command 'modify /sys crypto master-key', or during the introduction of a device into a Trust Domain. The rekey operation fails, and the system posts an error similar to the following: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure. Workaround: Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.
469366 A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems. On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf. An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.' Workaround: One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync. 2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction. Important: Performing a sync in this direction overrides any unsynced changes on the other system.
469549 Upon reviewing the log file in /var/log/ltm, a user may see the following error: err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin). This happens only during the first reboot after a software install. If the error is seen again, the audit log should be checked. There is no known impact at this time. Workaround: None.
470203 Setting a remote syslog destination to a localhost address results in recursive log messages. Using 127.0.0.1 or a hostname resolving to it as a host for syslog's remote-server. Using a localhost address as a remote syslog destination results in continual log entries until the BIG-IP system runs out of disk space. Workaround: Use a non-local remote host for syslog's remote-server.
470807 When an iRule specifies a data-group that is not in Common, or that does not have an explicit path to it, it does not result in an error when the iRule is saved, or during runtime. User saves an iRule with a data-group not in Common or with an explicit path to it. When such an iRule is saved, it can cause all traffic to fail. Workaround: None.
471294 The iApp / Application Service 'components' page for a deployed application instance in the GUI does not show a pool (associated with the application), if that pool is referenced by a Local Traffic policy. If the reference to the pool is removed from the policy, the pool is shown (unattached to anything). iApp / Application Service 'components' page. Pool that is associated with an iApp / Application Service is not shown on the 'components' page. Workaround: None.
471492 When running IP reputation database on small (less than or equal to 4 GB) vCMP or VE instances, or on older platforms with less than or equal to 4 GB of memory, iprepd can use enough memory to make the system wait for disk I/O. This can make the system sluggish when disk operations are taking place. This typically exists on HDD equipped systems only. SSD systems are typically not affected. Extensive disk I/O, such as logging to disk or rotating logs, or when installing software, might result in a system that does not respond to user interaction as expected. Swap might increase, as well. Workaround: Provision 'large control plane' in the GUI provisioning page. Alternatively, add 100 to the existing value of the db variable provision.extramb (which is zero by default).
472187 When an internal virtual server is created for ICAP use without specifying a pool or source IP address, the resulting virtual server status is a gray-colored box. When the internal virtual server is modified to reference a pool, the virtual server status changes to a gray-colored circle. When the virtual server is modified from an internal virtual server to a standard virtual server, the virtual server status changes to a green-colored circle. When the virtual server is modified from a standard virtual server to an Internal virtual server, the virtual server status remains a green-colored circle. This occurs when creating Internal virtual servers for ICAP use without specifying a pool or source IP address. The status indicator might be confusing, however, it does not adversely affect functionality of the device. Workaround: Although this is a cosmetic issue, you can change the virtual server type from internal to standard to internal to have the gray status markers display green.
472412 When you force-offline a node, the associated pool member State shows 'Disabled (Only persistent or active connections allowed)', not 'Forced Offline (Only active connections allowed)' in the GUI. Force-offline a node, and then view the associated pool member State. Existing persistence records disappear, and connections get load balanced to the available pool member, which is forced offline behavior. The state of the pool member is gray and 'disabled', not 'forced offline'. Workaround: None.
472553 eventd spins at 100% and memory consumption grows over time. If an eventd consumer is deleted while there are events pending, eventd can spin at 100% and its memory consumption will grow. System may be impacted due to eventd cycle usage, and eventually experience increasing memory consumption. Workaround: None.
472573 Cannot set a password of 14 characters (the maximum length) for the security officer. Occurs when the following conditions are met: - NG FIPS security device installed. - Initialize FIPS security domain. - Attempt to set password of maximum length (14 characters). Setting a password using more than 14 characters prevents the creation of the security officer password, and causes device initialization to fail. Workaround: Use a password shorter than 14 characters for the security officer.
472581 Trying to use 'default' as the FIPS security officer password results in an invalid encryption error from the fips-util. Trying to use 'default' as the FIPS security officer password. You cannot use the word 'default' as the security officer password. Although this is expected behavior, the error message posted does not provide a relevant explanation. The system posts errors similar to the following: -- Invalid encrypted password. -- Failed to set security officer's password: 1073742342. -- Failed to create security domain. -- INITIALIZATION FAILED! -- The FIPS device is NOT operational. In version 11.1.0 and earlier, the error was similar to the following: -- Creating crypto user and crypto officer identities. -- password should not be default. -- Failed to set security officer's password. Workaround: Use a password other than the word 'default'.
473212 Some early 6900 and 8900 platforms shipped with TMOS v10.0.0 (and earlier) use a single hard drive and no software RAID. This occurs on some early 6900 and 8900 platforms. Although this is by design, you might see inconsistent information on the TMSH, GUI, and front panel LCD interfaces of the software RAID configuration of these systems. This occurs on platforms shipped with one hard drive or one SSD installed. The TMSH command 'show sys raid' indicates an array called MD1 with a size of zero. The single drive listed shows a state of Undefined. On the front panel LCD, a RAID Status menu shows similar information. For systems configured in this way, you can safely ignore these inconsistencies because the system is not using the RAID interface. This issue is cosmetic, and does not indicate a functional issue. Workaround:
473213 Failed system fan emergency alert is exhibited as critical alert at LED and LCD screen. A failure of a system fan on the 10000s, 10200v, 10250v, and 10350vN platforms causes this issue to appear. This is a relatively minor event. Although the alarm is reported as critical, it should be treated at an emergency level and not critical. Workaround: None.
473724 If a DC PSU hotswap is performed on BIG-IP 10000-series or 12000-series appliances, but the PSU is left unpowered, the front panel PSU LED is amber, but no other alerts, LCD messages or LED indications are issued to indicate that the appliance is in a non-redundant PSU state. "This occurs on BIG-IP 10000-series or 12000-series appliances if a DC PSU is hot-swapped but external power is not applied. FND850 DC PSUs for BIG-IP 10000-series or 12000-series appliances do not indicate their presence to the BIG-IP system until external power is applied. Thus, the presence of an unpowered DC PSU in this case is not detected, and its status is reported as Not Present. By design, no alerts are issued by BIG-IP for non-present PSUs." Operators may not be aware that the appliance is left in a non-redundant PSU state after a DC PSU hot-swap. This is expected behavior. FND850 DC PSUs for BIG-IP 10000-series or 12000-series appliances do not indicate their presence to the BIG-IP system until external power is applied. Workaround: "When hot-swapping DC PSUs on BIG-IP 10000-series or 12000-series appliances, verify the success of the operation by: 1. Verify that the front panel PSU LED for the newly inserted PSU is Green. 2. Verify that the status of the newly inserted PSU is reported as Good by the 'system_check -d' or 'tmsh show sys hardware' utilities."
474179 SOAP monitors configured with a leading colon ':' in the URL path fail. SOAP monitor configured with leading colon ':' in the URL path. Monitor fails. Enabling monitor debug provides additional clues, indicating 'Error calling getaddrinfo'. Workaround: A leading ':' in a URL path is now allowed by RFC 3986, section 3.3. If the URL path is, in fact, a colon, then a leading slash should work (i.e., /:). No errors occur when embedding a colon in a URL path. If your URL path begins with a colon, you need to either escape the colon, or need to add a leading slash.
474797 "If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck." Malformed SSL packets being sent to the BIG-IP system. Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored. Workaround: None.
475346 The Expire Certificate Response Control setting in the Server SSL profile is not honored. "This issue occurs when all of the following conditions are met: A virtual server with an associated Secure Sockets Layer (SSL) pool member is configured with an SSL server profile to request a server certificate. The SSL server is serving data with an expired certificate, and certificate is not trusted by the BIG-IP system. The SSL server profile specifies that the system should not drop the connection if the certificate is untrusted. The SSL server profile specifies that the system should drop the connection if the certificate has expired." The BIG-IP system fails to drop the expired SSL certificate. This is expected behavior. Workaround: Although this is expected behavior, you can avoid the issue by not using expired certificates on your SSL server, or by using the trusted certificates.
475896 "tmsh load /sys config from-terminal of an external-monitor, does not work. Specifically, running the following command does not work: load sys config from-terminal sys file external-monitor ext_monitor { source-path ... }" This occurs when running the command 'tmsh load /sys config from-terminal' external-monitor. The system posts the following error: Failed: name (/Common/external_monitor_name) cache path expected to be non empty. This error prevents using cut and paste to configure external monitors. Workaround: None.
475997 When performing LAN-speed transfers of large files (hundreds of MB) over SSL, or transfers of small SSL records, the throughput speed of the transfer significantly drops if hardware SSL offloading is performed. The performance drop is from ~30% - ~50% depending on the cipher suite used. This issue occurs when hardware SSL offloading is turned on. The performance degrades from ~30% - ~50% depending on the cipher suite used. Workaround: Change "scheduler.hsbpollmode.ltm" to "always".
476010 The inband monitor might not cause pool members/pools to be marked offline after the expected number of failures. A virtual server with an inband monitor. Traffic might be disrupted for a longer-than-expected period of time after a pool member goes offline. The issue might be more readily apparent when there is only one pool member. Workaround: None.
476398 The TCP profile options Receive Window and Send Buffer are not used. TCP profile has Multipath TCP (MPTCP), Rate Pacing, or Limited Transmit Recovery enabled, or congestion algorithms illinois, woodside, westwood, cdg, chd, cubic, or vegas are selected. This prevents configuring these settings. Workaround: Modify TCP Auto Tuning by disabling sys db variable using the following command: tmsh modify sys db tm.tcpprogressive.autobuffertuning value disable.
476544 mcpd runs out of memory when a connection's send message queue has a lot of messages in it. The connection's m_current_msg_byte_cnt is high, but does not account for the entire 2 GB virtual memory space. mcpd cores and restarts if it runs out of memory. Workaround: None.
476920 Any iRule command that references an IP address may not resolve properly without an explicit route domain. This occurs when the route domain is not given as part of ip address%route_domain ID. Default route domain ID of the partition is not used with any IP-address-referencing iRule command. Workaround: Explicitly provide the route domain ID with the IP address.
477705 The 'untrusted-cert-response-control=drop' command is not honored. This occurs when the following conditions are met: virtual server is deployed with a SSL server profile that is configured to request a server certificate and drop the connection if the certificate is untrusted. The SSL handshake is not properly dropped. Workaround: This issue has no workaround at this time.
477786 Depending on the release, sending a SYN packet to a self IP address with Port Lockdown set to Allow None might respond to the SYN with a RST packet, or might silently drop the SYN. "With Port Lockdown configured to Allow None, the LTM behaves differently upon receiving a SYN packet. In 11.3.0 and 11.4.1, when receiving a SYN packet the LTM replies with RST. In 11.4.0, 11.5.1, and 11.6.0, when receiving a SYN packet the LTM does not reply (sends a REJECT)." Inconsistent behavior based on version; sometimes RST in response to SYN on closed port, and sometimes nothing (REJECT). Because the traffic is not allowed in either case, there is no fundamental impact. This is primarily a behavioral difference between releases. Workaround: None.
477967 TMM segfaults when attempting to apply TSO processing to an outbound packet that does not need it. Occurs when applying TSO to packets. TMM crashes and the system fails over. Workaround: None.
477992 Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp. Create pool members via an iApp, and attempt to enable logging on the pool member. Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened. Workaround: If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
479129 TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window. SYN cookies have been activated. Poor performance / throughput. Workaround: None.
479262 The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power. When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power. The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages. Workaround: None. You can safely ignore this error message in this case.
480206 IKE peer configuration objects in a non-common partition are visible to all in the GUI. If an IKE peer object is configured in a non-common partition, users can see it in the GUI even though it does not belong to the common partition. This causes inconsistent partition behavior for ike-peer objects in BIG-IP and these objects will not be stored in their respective partition configuration files. Also, users in one partition can see the list of ike-peer objects belonging to other partitions. Workaround: None.
481869 For certain blade failure scenarios the HA score on the remaining blades does not update, and thus a failover does not occur, for at least ten seconds. This is because the remaining blades wait for a ten second timeout period before marking the powered-off blade as down. A blade is powered off via the serial console or the 'bladectl' command, or the blade is physically removed from the chassis, and the chassis is configured in an HA pair where the loss of a blade should result in a failover. The expected failover will not occur for at least ten seconds. Workaround: There is no workaround for this issue.
483953 ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value. "Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path. This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address." "TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU. This metric will live for 10 minutes by default." Workaround: "This issue has no workaround at this time. The route metric lifetime can be lowered using route.metrics.timeout db key."
484683 The other peer of a high-availability (HA) pair cannot show the summary of cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync. "Conditions leading to this issue include: 1. Set up an HA pair. 2. Import a certificate chain to one BIG-IP system. 3. Use 'run config-sync' to sync the certificate chain to the peer BIG-IP system." The other peer of the HA pair cannot show the summary of cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync. Workaround: "Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using: root@(eng-3900A)(cfg-sync In Sync)(Standby)(/Common)(tmos)# modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1"
485176 The RADIUS::avp replace iRule command will core when only two arguments are passed to it. Must be running an iRule that executes a RADIUS::avp replace command with only two arguments. TMM cores, which can result in a failover. Workaround: None.
485327 "By default the tmsh cli global settings service value is name. That implies that for a user configuration, the ports are saved by their names and not port numbers." This occurs when upgrading. Loading a UCS configuration with port names fails on an upgrade if the port name is not present in /etc/services in the upgrade version. The failure message appears similar to the following: The requested value (*:hosts2-ns }) is invalid (ip_addr | member) for 'dest' in 'monitor'. Workaround: Run the following tmsh command prior to saving the UCS file. (tmos)# tmsh cli global settings service number. The config will then load successfully on an upgrade.
485714 "The bigd process will go into a restart loop, with the following log message in /var/log/ltm: Fatal error: An unexpected failure occurred while performing an OpenSSL cryptography operation. Root error: 10219:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:323:" This issue occurs when there is an encrypted password on a monitor. The bigd process will restart. Workaround: Enter the plaintext password in the Monitor UI page.
486722 The default config-sync timeout is 300 seconds. This time is not sufficient when configuration includes 1000s of FIPS keys. Config-sync operation times out and reports failure. FIPS HA setup and 1000s of FIPS keys in the configuration. Config-sync fails. Workaround: Increase the config-sync timeout value. Note: The desired timeout value depends on the size of the configuration and the TMOS version. You can increase the timeout value using the following series of commands: -- tmsh mod /sys httpd fastcgi-timeout timeout-val. -- tmsh save sys conf. -- bigstart restart httpd.
486735 Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections for the virtual server. This occurs when the load disaggregated to available TMMs is uneven. This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections. Workaround: Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
487194 When attempting to remove a profile from a virtual server and delete that same profile within a transaction, the system returns an error indicating that the profile is not found. A virtual server configured with a profile. Delete operation does not complete. Workaround: Remove the profile and then delete it in separate transactions.
487660 LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN. Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA. Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096. Workaround: Adequately provision the LSN pool.
488314 Connection stall and/or connection is reset due to handshake timeout. Mirroring enabled on SSL virtual and failover occurs during SSL handshake, i.e., negotiation/renegotiation. SSL connections might stall or be reset on failover. Workaround:
489957 The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP. One AVP contains multiple attributes (VSA). RADIUS::avp command fails. Workaround: None.
490121 PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats. A fastL4 virtual with a SERVER_CONNECTED iRule event. The current and maximum PVA stats are incorrectly reported. Workaround: This issue has no workaround at this time.
491076 When a blade fails, any non-mirrored connections on that blade are lost. The loss of these connections is not correctly accounted for when determining LSN client connection count limits. This may cause some clients to reach their connection count limit prematurely. Blade failure on a chassis-based system. This condition is most likely to occur when default DAG is configured on LSN VLANs. Client connection count limits reached prematurely. Workaround: To make the client connection counter accurate again, an affected client must not have any active connections or make any new connections for a time greater than any connection's configured timeout (default 300 seconds). After the client connection counter entry times out, the client connection counter will accurately reflect the number of client connections.
491116 When BIG-IP systems are in HA with auto-sync enabled and full-sync disabled, and there are changes made to clientSSL profiles that are associated with virtual servers, and the changes are synced manually, 'TMM clock advanced' messages could be seen in the LTM logs. BIG-IP systems in HA with auto-sync enabled, full-sync disabled. Changes made to ClientSSL profiles associated with virtual servers. Manual sync. Generally minor and transient, some potential for partial disruption. Workaround: None.
491717 Running the command 'eud_log' on a BIG-IP 7000 series and 10000 series platform produces the following output: -- info: No EUD log found in /var/tmp. Searching boot volume -- info: No eud.log found on sda.dat.boot. This occurs on the 7000 series and 10000 series. This message indicates that eud.log file cannot be detected in the incorrect directory /var/tmp. However, the file does exist in the /var/log directory, which is the correct directory. Workaround: None.
491894 A sync group may go red and log a sync error while a full sync is still in process. Unknown. "The state of the sync group goes red momentarily and a log is produced (Device group '/Common/device-group-failover-67faa25ad625' sync inconsistent, Sync failed on one or more devices in this devicegroup, Sync status may not be consistent), however the sync eventually succeeds." Workaround: None.
493060 If dynamic multicast routing is enabled and a system originates multicast traffic on a VLAN that is a child of a VLAN group, the traffic may not be bridged to the other child VLAN. Dynamic multicast routing enabled, and VLAN group configured. Global multicast traffic does not traverse VLAN groups. Workaround: None.
493061 Priority order of Diameter Router Profile static routes is determined by order in bigip.conf. In the GUI, it appears that the user can assign priority order to static routes for a Diameter Router Profile. If there are multiple static routes attached to a Diameter Router Profile, the first route that appears in the list of routes in bigip.conf is the one the system uses. This can cause BIG-IP to choose a route that is not what you expected. Workaround: To change the priority order of static routes for a Diameter Router Profile, the user must manually edit the bigip.conf configuration file, or use tmsh to manually order the static routes in the Router Profile.
493206 A virtual server that is assigned to a static route is not honored. Specifically, traffic is not filtered to be only on that virtual server. A static route is configured with a virtual server. The traffic continues to be routed to the static route without matching the virtual server. Workaround: None.
494019 System matches to previous Diameter Route Application ID after modifying the application ID value. This occurs after modifying the application ID value for a Diameter Route object. The Diameter Route might continue to match Diameter messages against the old application ID until TMM is restarted. Workaround: Always restart TMM after changing the value of application ID in a Diameter Route.
494987 If 'dont-insert-empty-fragments' is removed from the server SSL profile, the connection might hang and fail. This occurs when dont-insert-empty-fragments is removed from the server SSL profile. The server SSL connection might hang and fail. Workaround:
495242 The system posts the following message in the mcpd log: Failed to unpublish LOIPC object. This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created. The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored. Workaround: None.
496038 After a chassis fan tray is removed, the system_check utility still shows the stale data from the time before the removal. Remove chassis fan tray. There is a warning in the ltm log when the chassis fan tray is removed. So, the impact of the system_check inconsistency is small. Workaround: None.
496137 "No messages are logged to /var/log/boot.log on the following platforms: VIPRION B2100, B2150, B2250 blades; BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances." "Affects the following platforms: VIPRION B2100, B2150, B2250 blades; BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances." Missing diagnostic information that would otherwise be logged to /var/log/boot.log. Workaround: None.
496155 tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis. When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary. Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries. Workaround: Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers.
496788 MPI failures and a slow failover are observed when B4340N devices, which were attached and used by TMM, become unavailable. Random PCI resets can cause the issue to appear. Momentary loss of traffic passing on the B4340N platform until failover completes. Workaround: None.
497304 "When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI: -- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). -- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16)." Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp. Sync failure. Cannot delete the iApp manually after the error occurs. Workaround: Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.
499348 Statistics can steadily fail to be merged when the stats tables are volatile. Volatile stats tables, typically proc_pid_stat from frequent process spawning, or spawning synchronized with merge cycle. Statistics fail to merge. System stats fail to be set and remain zero. Workaround: Stop spawning processes and steady configuration.
500317 When using FastL4, connections might not be immediately removed from the connection table, taking up to 60 seconds until they are removed. This requires a FastL4 with loose-init enabled and loose-close disabled. Connections are not immediately removed from the connection table. This can impact traffic by using up more memory on the unit. Workaround: Disable loose-init or enable loose-close.
500648 LSA update packets were not sent out within the expected time, leading to the expiration of the LSA update timer. SNMP traps get sent out as a result. BIG-IP systems in high availability setup and OSPF configured with peer nodes. Can generate false alarms. Workaround: None available.
501984 When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue. Using iRules with a rule for when LB_SELECTED is operating on a node/pool member. TMM outage resulting in brief loss of service or HA failover. Workaround: None.
503037 Issue when configuring Self certificate whose name length is greater than or equal to 64. Configure certificate name with length greater than or equal to 64 bytes. "- If the Name value is longer than 63 characters and the Issuer is set to Self, the system creates the certificate and key, but truncates the object name at 63 characters. There is no warning message in this case. - If the Name field is longer than 6" Workaround: Use fewer than 64 characters for Self certificate names.
504827 tmm crash with panic string 'top filter' appearing in tmm log. Configure DHCP relay virtual server that conflicts with other virtual server address/port. A rarely encountered tmm crash, which might result in network outage. The system posts a message similar to the following: notice panic: ../modules/hudfilter/hudnode.c:310: Assertion 'top filter' failed. Workaround: "Avoid configuring virtual servers that share address:port with DHCP relay virtual server. In releases prior to version 11.6.0, use regular IP forwarding virtual servers if the virtual server is not for Relay but just for 'forwarding'. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for Relay."
505037 Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop. Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool. Secondary in a restart loop. Workaround: Remove the gateway failsafe device. Re-apply when the blade is up.
506459 If multiple IPsec tunnel interfaces are established, some of their IPsec traffic selector stats may not show up on CLI and GUI. When there are multiple IPsec interfaces, running the command 'tmsh show net ipsec ipsec-sa' shows all of the existing traffic selector stats. However, if the command is specified with a traffic selector name, some of the traffic selector stats do not show up. The display does not show the traffic selector stats. The tunnel works correctly; this is a display issue. Workaround: Run the command 'tmsh show net ipsec ipsec-sa' to show SA status for all IPsec
507206 Multicast Out stats are always zero for the management interface. Statistics information on the management interface. The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover. Workaround: Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.
507566 GUI fails to successfully make edits to an external datagroup file. A large external datagroup is loaded and edits are attempted via the GUI. The datagroup file is not updated correctly, and the system posts no error messages. iRules/datagroup dependent functions might fail to behave as expected. Workaround: Use TMSH to make edits to external datagroup files.
508067 When incoming traffic is not well distributed and is being directed to a single TMM, packets are lost instead of being processed by other TMMs. Incoming network traffic is not well distributed and is being directed to a single TMM, while the other TMMs do not have incoming external traffic. Network traffic is dropped or delayed. Workaround: Enable the busy flag in tmm.init.tcl.
508361 bcm56xxd daemon keeps restarting and generating core files with signal SIGABORT. This is a rarely encountered problem that happens when there are too many VLANs configured. For example, the problem might occur with 1,029 VLANs. This might be hardware related: the configuration might be too large to load within a given timeframe, which causes the bcm56xxd daemon to keep restarting. It might be related to having the Link Aggregation Control Protocol (LACP) Timeout set to 'Long'. All the switch ports stop working, since the daemon bcm56xxd does not function as expected. Workaround: "Disable the heartbeat of the bcm56xxd using the following command: tmsh modify sys daemon-ha bcm56xxd heartbeat disabled. Note: When needed, to re-enable the heartbeat, use the following command: tmsh modify sys daemon-ha bcm56xxd heartbeat enabled."
509568 Mirrored DS-Lite connections on a standby device are dropped within 60 seconds. Connections are not carried over in a failover. CGNAT, DS-Lite tunnels on a mirrored traffic group, high-availability active-standby configuration. DS-Lite connections are not mirrored and are therefore lost on failover. Workaround: None.
510588 Using the non-default trunk.cluster.distribution mode with a cross blade trunk and the only remaining trunk member for the slot disabled results in trunk errors when re-enabling this (non favor local) trunk member interface. A re-enabled local trunk member interface of a balanced cross blade trunk (i.e., using non favor local members) may not function correctly. Workaround: A restart of the bcm56xxd daemon may be required to re-add all the trunk members of a balanced cross blade trunk.
510612 If a TCP virtual server is configured as loose init and hardware syncookie is also enabled, the flow may not be set up when hardware syncookie is triggered. TCP virtual server with loose init and with hardware syncookie enabled and triggered. Failed ACK will be sent to virtual server and cause numerous RESETs. Normal traffic continues without error. Workaround: Avoid hardware syncookie and loose init configuration together. This combination, using loose init together with software syncookie, is not recommended. Essentially, loose init means to disable the 3-way handshake check at the BIG-IP system, while syncookie means to enforce the 3-way handshake check at the BIG-IP system (possibly by hardware). Configuring these two in combination will produce unexpected side effects.
511324 The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message. HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it. The connection is reset. Workaround: None.
511326 The BIG-IP system does not forward messages when configured as SIP ALG with translation. The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification. The Subscriber does not receive any notification regarding the subscribed events. Workaround: None.
512130 Remote role group authentication fails if there is a space in attribute name of remote-role role-info. This occurs when the auth remote-role role-info attribute name contains a space character. LDAP authentication fails. Workaround: Remove space characters from LDAP attribute group name. Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example: memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM becomes: memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM
512320 Diameter messages can be retransmitted if the serverside connection experiences a handshake failure and the virtual has an iRule with a LB_FAILED/LB::reselect combination. This occurs because both the clientside diameter filter and mlb proxy attempt to retransmit the same message. This occurs under the following conditions: 1. Retransmission is turned on. 2. Handshake fails. 3. LB_FAILED/LB::reselect iRule is used. Diameter messages might be retransmitted. Workaround: Turn off retransmission.
512885 HTTPS monitor fails to work with a server that has MD5 with RSA as signature hash algorithm. HTTPS monitor, server using MD5 with RSA. HTTPS monitor fails. Workaround: Configure the back end server to use another cipher.
513968 When subscribers are in a different route-domain from the route-domain used for the prefix in the LSN pool, hairpin connections cannot be established. The route-domain used on the Virtual Server is different from the route-domain used on the prefix in the LSN pool. Subscribers cannot make connections to each other using public (translated) addresses. Workaround: The routes can be configured so the hairpinning takes place on an external router.
514470 When the command 'tmsh show sys mem |grep -i syn' is run on LTM, tmm shows stats for unused TCP4 SYN cache and TCP SYN cache. Running the command 'tmsh show sys mem |grep -i syn' on LTM. Shows TCP4 SYN cache and TCP SYN cache. These two stats are not used and do not reflect any actual mem usage in LTM. Workaround: None.
514473 VXLAN tunnels rely on the TMM for maintaining ARL entries representing MAC address to endpoint mappings. The BIG-IP system may undergo a brief period of inconsistency in VXLAN ARL entries across the TMM instances. Network misconfiguration can lead to a period where the BIG-IP system receives alternating encapsulated frames with the same source MAC address from two different endpoints. This leads to conflicting, alternating ARL updates across the TMM instances. One example of network misconfiguration is the configuration of the same MAC address at two different endpoints/VTEPs. Also if the VXLAN topology contains an L2 forwarding loop, this could lead to the same effect. Currently, VXLAN does not have a standard mechanism for detecting and avoiding loops. Therefore, loops need to be avoided by network configuration. However, network HA failover typically does not lead to a period of conflicting, alternating ARL updates. During the period of inconsistency, the TMM instances may forward packets destined to the same remote MAC address to different endpoints. This lasts until the network misconfiguration is corrected and the conflicting ARL entries expire. Workaround: In addition to addressing the network misconfiguration, the condition can be mitigated by using a shorter ARL timeout. This can be done by modifying the bigdb variable vlan.fdb.timeout.
514815 Configuration loads but cannot re-key. This is sometimes seen as a configuration that is successfully synced but a device that cannot join a trust group. This occurs when the following conditions are met: -- Configuration includes unused, encrypted items. -- Host is not configured with the correct master key for those items. -- Configuration is loaded under the wrong key. -- An attempt is made to change the master key for any reason. Unable to set device master key. In some cases this has no impact, but it prevents installing a UCS file containing an encrypted passphrase (as described in SOL9420, available here: https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html), and is somewhat difficult to detect as no other operations fail. Workaround: Remove all encrypted items from the config. Re-sync the key either manually with f5mku or with device trust. Re-install the desired configuration.
516280 With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error. ~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error. bigd process uses a large percentage of CPU. Workaround: None.
517456 When there are active connections on the virtual server, resetting its virtual server stat through tmsh reset-stats ltm virtual virtual_name doubles the client ssl profile cur_conns/cur_native_conns/cur_compat_conns. - SSL virtual server. - Active connections on the virtual server. - Virtual server stat reset while active connections are occurring. Invalid statistics values on the client ssl profile stats. Workaround: None.
517829 When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts. BIG-IP system configured for OCSP authentication. Client connections are reset without sending SSL error alerts. Workaround: Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule:

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    # Nothing to check when the client presented no certificate.
    if {[SSL::cert count] == 0} {
        return
    }
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    # Hold the handshake until the OCSP result arrives in AUTH_RESULT.
    SSL::handshake hold
}

when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}

when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            # Map the negotiated protocol version to its two-byte record-layer value.
            if { $ssl_version equals "TLSv1.2" } {
                set hex_version "0303"
            } elseif { $ssl_version equals "TLSv1.1" } {
                set hex_version "0302"
            } elseif { $ssl_version equals "TLSv1.0" } {
                set hex_version "0301"
            } else {
                # No alert is built for other versions; stop here because hex_version is unset.
                reject
                return
            }
            # Alert record: type 0x15 (alert), version, length 0x0002,
            # level 0x02 (fatal), description 0x2C (certificate_revoked).
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond "$bin_response"
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}

518059 Using the HTTP::payload iRules API within the iRules HTTP_RESPONSE_DATA event yields bogus data in the inspected content, when the server sends a chunked HTTP response (HTTP/1.1 Transfer-Encoding: chunked). The following characters are appended to the actual content: CR-LF-0-CR-LF-CR-LF (H'0d0a300d0a0d0a' ..0....). HTTP::payload iRules API used within the HTTP_RESPONSE_DATA iRules event, when server responds with a chunked HTTP payload (HTTP/1.1 Transfer-Encoding: chunked). Invalid content returned by the HTTP::payload iRules API when server sends a chunked HTTP response. Workaround: The iRule author can work around this issue by changing the request protocol to HTTP 1.0, since that prevents chunked transfer encoding. However, that would be inefficient because it breaks connection reuse. Workaround is just to add: HTTP::version "1.0" in HTTP_REQUEST event.
518086 SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover. Restart of services on primary or secondary blade. Now traffic will fail. There will be no pkcs11 connection on new primary blade. Workaround: The workaround is to restart pkcs11d on the secondary blade.
518197 A device group sync results in the following error: 01070700:3: The attributes of a root profile (/Common/antifraud) cannot be set to 'default'. The default /Common/antifraud profile is modified from its default values while in a device group. Sync fails and can be difficult to recover. Workaround: Don't modify the base profile; create a new one instead. Recovery could involve running SOL13887 against a peer with an unmodified base profile, but this will delete any changes made. If that is not an acceptable solution, you can tmsh save sys config, remove the /Common/antifraud profile from bigip.conf, then tmsh load sys config.
518608 Running the startup script command 'tmsh install sys crypto...' to update the CRL file errors out with 'file... expected to exist' exception. Follow the steps in the AskF5 SOL11948: Configuring the BIG-IP system to run commands or scripts upon system startup, (available here: https://support.f5.com/kb/en-us/solutions/public/11000/900/sol11948.html) to run startup_script_sol11948.sh at startup. Adapt this script to run the command: tmsh modify /sys file ssl-crl LatestCRL.crl source-path http://custom_url/NewLatestCRL.crl. The CRL file is retrieved, but due to the error it is not installed. This is because mcpd lacks read permission to the specified temp file. The system posts an error in /var/log/ltm similar to the following: err mcpd[6253]: 01070712:3: Caught configuration exception (0), file(/var/tmp/tmsh/7QjLFt/data) expected to exist. - sys/validation/FileObject.cpp, line 3151. Workaround: Update the CRL file from the local file using the following command: tmsh -m install sys crypto crl LatestCRL.crl from-local-file /root/LatestCRL.crl.
519064 If a node is configured with a connection limit, the display may show a maximum connection count equal to the number of pool members using that node. This occurs when nodes are configured with connection limits, and more than 1 pool member is using that node. Maximum connections statistic on node shows higher than the specified connection limit. This is a display issue only. The actual connection limit is enforced. Workaround: None.
519335 When deploying an iApp that creates APM objects, the following error message is displayed: 01071529:3: The tunnel name (/Common/tunnel-name-that-is-longer-than-sixty-four-characters-in-its-name) cannot be longer than 64 characters. When the iApp-generated tunnel name exceeds 64 characters. iApp configuration fails. Workaround: The workaround is to shorten the iApp application name.
520408 TMM ASSERTs on 'Subkey is a subkey' in the SessionDB when releasing a record. This is a rarely encountered issue that might require SAML traffic. TMM ASSERTS, and the system stops passing traffic. Workaround: None.
520928 Virtual server page becomes unresponsive with 'Display Host Names When Possible' enabled and DNS unreachable. This occurs when the following conditions are met: -- 'Display Host Names When Possible' is enabled. -- The configured DNS servers are responding with ServFail or not responding at all (unreachable). The GUI might become unresponsive. Workaround: Use TMSH to display virtual servers when 'Display Host Names When Possible' is enabled. Or disable 'Display Host Names When Possible'.
521077 GUI does not show the external hardware security module (HSM)-based key type correctly. This occurs when the external HSM is used to create the key. GUI shows HSM-based keys as Normal Security Type instead of HSM. Workaround: Although there is no workaround, the HSM-based key works correctly; only the Security Type description is incorrect.
521329 Under some circumstances TMM may core when using deterministic NAT due to a divide by zero error. CGNAT using deterministic NAT mode and persistence enabled. This error only occurs if a previous connection created an address persistence entry using the second address. This crash is dependent on both the configuration and the traffic. When the number of subscriber addresses that disaggregates to a TMM is not evenly divided by the number of translation addresses that disaggregates to the same TMM, connections from one or more subscribers may be assigned to blocks from two translation addresses. Depending on the exact address ratio, there may be only one port using the second address. Due to an off-by-one error, the number of ports available for the second address may be set to zero when it should be set to one. This causes the divide by zero fault. TMM crashes. This is a rarely encountered error condition. Workaround: None.
521336 The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core. When pkcs11d retries to wait for other services such as tmm or mcpd. After the system reboots, the /var/log/ltm shows initialize errors and the /var/log/daemon.log shows pkcs11_initialize messages: -- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying). -- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0. Workaround: Retry pkcs11d restart when tmm and mcpd are both ready.
521792 Health monitor information and status are both missing for FQDN nodes and pool members. FQDN nodes or pool members. GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members. Workaround: Check logs for this info.
522304 Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not. CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed. Password policy may not be enforced consistently across all devices. Workaround: None.
522837 During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed. This issue generally occurs when another component has a problem which then initiates an mcpd restart. An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart. Workaround: None.
523126 When the route domain of the originating address of a NAT configuration is changed without the address itself being changed, the change does not take effect. Viewing the configuration through tmsh and the GUI indicates that the change has worked, when it is not yet in use. This occurs when editing an existing NAT configuration and changing the route domain without changing the address. The intended NAT change is not in effect. Workaround: In order to make the change take effect, delete and recreate the NAT or restart tmm.
523128 When syncookie is enabled, given the same threshold and the same traffic, syncookie mode is triggered more easily when PVA acceleration is enabled than when PVA acceleration is disabled. Virtual server with PVA hardware acceleration and hardware SYN cookie support. SYN cookie protection is triggered more easily when PVA acceleration is enabled, especially when the syncache level is lowered from the default value. Workaround: Change the pva offload state from "embryonic" to "establish": root@(localhost)(cfg-sync Standalone)(Offline)(/Common)(tmos)# modify ltm profile fastl4 fastL4 pva-offload-state establish
523797 The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error. Upgrade from 10.x. The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error. Workaround: Edit the process name path to reflect the location. For more information, see SOL13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13540.html
523985 Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync. A certificate file is created in a folder synced to a device group. Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available. Workaround: None.
523990 The command "tmsh show net fdb vlan [dynamic|static] -hidden" shows inconsistent results, varying among not showing any results or showing all results and not applying the appropriate filter. All records are shown in "tmsh show net fdb vlan dynamic -hidden", not properly filtering out static rows. Using "tmsh show net fdb vlan -hidden", "tmsh show net fdb vlan static -hidden", or "tmsh show net fdb vlan dynamic -hidden". Improper results. Workaround: To get the properly filtered results, you can use "tmsh show net fdb vlan dynamic -hidden" and use grep or other tools to remove the inapplicable rows.
524722 Occasionally a secondary blade reboots when making changes to the configuration in a partition other than Common. The system logs an error in the /var/log/ltm file that references the type of object being modified, even though the error message indicates that it cannot. The error appears similar to the following: -- err mcpd[4187]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.10%2164) for a virtual server in partition (Common) references a route domain (2164) in a different partition (PARE-RVBD). Objects may only reference objects in the same or the 'Common' partition. A chassis-based system with multiple blades, and a configuration with multiple partitions. Secondary blades restart, which may cause a failover event to occur depending on the value of min_up_cluster_member. Workaround: None.
525400 Connections are dropped prematurely on the standby unit, but remain up on the active unit. This issue occurs when the following conditions are met: -- HA active-standby chassis configuration. -- Connection mirroring is enabled on a virtual server configured for tunneling (e.g., pptp, ipip, gre). -- Hardware syn-cookies are enabled. Failover to the standby unit might cause mirrored client connections to be dropped. Workaround: In the TCP profile, change the 'hardware syn-cookie' setting to 'disabled'.
525580 The presence of base option indicates that only the base objects in the configuration should be considered for the save operation. The non-base objects in the configuration should be ignored. However, this is not true for the following command: tmsh load sys config merge file filename.scf base. Running the command: tmsh load sys config merge file filename.scf base. This command ignores the base option. When specified with the merge option the base option is ignored. It merges the non-base configuration objects. It does not load only the base config objects as specified in the command. Workaround: None.
526500 Manually adding a username and encrypted password into ZebOS, either by using imish command line, or by modifying zebos.conf directly, might cause imi to core. Manually modifying the zebos.conf configuration file or adding a non-existing user using imish. The user interface to ZebOS, imi, might core. Other functionality should not be affected. Workaround: Do not add the configuration manually in ZebOS. Use the BIG-IP system facilities for adding/modifying ZebOS users.
527206 An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap. Example error sequence: -- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. -- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP. This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades. The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval. Workaround: None.
527393 For a VIP with UDP protocol and fastL4 profile, the SERVER_CONNECTED iRule event is triggered in 10.x, but not in 11.x/12.x. This occurs when using the fastL4 profile and UDP. Unable to run iRule commands in a server-side context when data goes from client to server. The SERVER_DATA event does not fire until data is returned from server (or not at all if the server does not return data). The LB_SELECTED is client-side. Workaround: Change VIP from fastL4 to standard.
527720 An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally: warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. This message might be followed by a log message similar to one of the following: err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0. err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50. This message might be followed by a log message similar to the following: warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades. This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored. Workaround: None.
528228 When a node is configured using a FQDN and a port specific monitor is assigned at the node level, the BIG-IP system sends the probe to the incorrect destination port. Assign port specific monitor at node level to a FQDN node. You cannot monitor the specified port on a FQDN node. Workaround: Apply the monitor at the pool level rather than the node level for correct operation.
528295 A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs. Reloading a 10.x UCS containing virtual servers on 11.4.x or later system. ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled. Workaround: Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.
528314 New default certificate and key pairs for BIG-IP ssl profiles that are generated using the CLI are not reflected in the GUI or in tmsh. Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html. After the renewal, the tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default. Workaround: Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.
528894 Config sync after sub-partition config changes results in extra lines in the partition's conf file. Make changes under any partition except /Common and then config sync without overwrite. /config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration. Workaround: 'Sync Device to Group' with 'Overwrite Configuration' enabled.
528955 tmm core file. Serverside connection is detached after processing HTTP response. Outage / tmm restart. Workaround: None.
529162 If you disable the HSB's watchdog process, you might experience an HSB transmitter failure. This occurs when the HSB's watchdog process is disabled. (Note: The watchdog is disabled using the following Tcl command (added to tmm_init.tcl): HSB::enable_rx_watchdog no.) An HSB transmitter failure may occur, resulting in a reboot of the device. Workaround: After disabling HSB's watchdog process, always enable it again. To do so, run the following Tcl command (added to tmm_init.tcl): HSB::enable_rx_watchdog yes.
529395 A local-only network IP forwarding virtual server does not forward traffic on standby systems. BIG-IP systems in a high-availability (HA) device cluster. An IP forwarding virtual server in traffic-group-local-only. Traffic is forwarded only on active BIG-IP systems. Workaround: None.
529897 Failed diameter monitor logging displays hex instead of the AVP on which the monitor failed. Logging is enabled on a pool member which is being checked by a diameter monitor, and the monitor is failing. Difficult to determine the reason for the diameter monitor failure. Workaround: None.
530016 Statistic will be incorrect or negative: 'Clients Using Max Port Blocks'. Changing the PBA client-block-limit on a LSN pool while there are active blocks and connections might result in incorrect 'Clients Using Max Port Blocks' counts in the stats. If the 'Clients Using Max Port Blocks' count is used for monitoring the number of clients that have reached the block limit, this will impact operations and monitoring of lsn-pool status. Workaround: Restarting the BIG-IP system resets the counter.
530266 Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10. More than one tmm must be present. Rate limit needs to be configured on the node. Node rate limit feature does not work as intended. Workaround: Rate limit can be shifted from the node to pool member and it works.
530645 Administrator can enter a cipher string in SSL profile longer than 768 characters, and the system appears to save and apply that cipher string. However, the system utilizes only the first 768 characters as the cipher string for the profile. Cipher strings longer than 768 characters. Cipher suites that were truncated will not be accepted. Workaround: Do not use cipher strings longer than 768 characters.
530877 A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice. This occurs when all of the following conditions are met: - Standard Virtual Server is configured. - Virtual Server is configured with a TCP profile in which Verified Accept is enabled. - Address translation is enabled on the Virtual Server. - Node selection occurs in the iRule via node command. - Client sends the initial data to be sent on the ACK of the three-way-handshake. Depending on the scenario, this might result in the specific connection being reset. Workaround: You can use the following workarounds: - Disable Verified Accept in the TCP profile. - Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking it on subsequent runs.
530927 If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails. When this occurs, the system posts an error similar to the following: 01070619:3: Interface 1.4 media type is incompatible with other trunk members. Interfaces use a lower speed than their capacity. Trunk is created where the highest speed of any of the members is this reduced speed. Interface, also lowered, is added to the trunk. Interface cannot be added to the trunk. Workaround: Remove all interfaces, then re-add them all at the same time.
532559 If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'. This condition could be caused by executing the following command when generating the configuration: 'tmsh modify ltm profile client-ssl clientssl defaults-from none'. The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile. Workaround: Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.
533174 Certain OIDs in the IP-MIB, IF-MIB and Etherlike-MIB were either not supported by the BIG-IP system, or the returned MIB query data related to the interface index (IfIndex) was incorrect or inconsistent with the IfIndex returned by the IF-MIB::ifTable. No special conditions. Customer could not relate interface data from one MIB table to another. Workaround: None.
533755 When saving an iRule which uses 'DIAMETER::avp create', if the command does not have a 'type' argument then a validation warning will be issued. In previous versions, this argument was optional. This occurs when calls to 'DIAMETER::avp create' do not provide a 'type' argument. Behavior of the command itself has not changed, and iRules using it will continue to function as expected. This is a change only in the validation of the command. Workaround: Review all iRules and ensure that calls to 'DIAMETER::avp create' provide a 'type' argument.
533866 After upgrading to 11.2.1 HF15, SNMPd might not reply when a GetRequest is sent to localhost, management IP, or to the self-IP address of the BIG-IP system. Upon upgrading from 11.2.1 base install (with only the default comm-public community configured) to 11.2.1 HF15, the system boots up with no communities configured, even though no command was issued to remove the default comm-public community. SNMPD does not send replies to client. Workaround: Configure a 'public' SNMP community after upgrading to 11.2.1 HF15.
534288 In tmsh, when making changes to ltm policy-strategy, tab completion displays extra suggested completions. This occurs when tmsh user is in the ltm policy-strategy area and presses the Tab key. Additional parameters which are not pertinent to the ltm policy-strategy operation will be displayed, and could lead to trial-and-error to get it right. Workaround: None.
534443 When configuring redundancy in 10.2.x with the GUI you do not configure the config sync peer's user name and password in the GUI. You must use tmsh commands. For example: # modify sys config-sync custom-peer-addr 10.255.252.196 user-password admin # tmsh save sys config. Setting up redundancy with the GUI in 10.2.x. This can affect synchronization and upgrade. If the username and password are not set, then the configuration synchronization fails with authentication errors. Upgrading is also affected because the upgrade path needs the credentials. Workaround: Use tmsh to establish the config-sync peer's username and password.
534457 When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work. Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online. Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections. Workaround: Provide a static route instead of dynamic routes.
534500 When using iRules to configure persistence, if a client uses keepalive so that multiple requests come on the same connection, it is possible to write a conditional 'persist' command (e.g., to only persist based on certain requests). Using conditional 'persist' requests in an iRule. Requests that are not processed in that conditional 'persist' revert to the persistence configuration of the virtual server. Persistence should apply to the client, indicating that the client should continue using the same server. If a client disconnects and reconnects, persistence should send them to the same server as the persistence rule from the iRule indicates. In this case, clients might be redirected to different servers. This is expected behavior. Persistence is connection oriented and, once toggled on, applies to all messages on the connection. Workaround: Ensure that all paths specifically declare persistence settings. To configure for no persistence for a given message, the iRule should have a call to 'persist none'.
535041 Any virtual server with UDP profile executing iRule using parking command such as table set. The BIG-IP system drops all UDP packets received while waiting for iRule execution to be completed. This occurs when using iRules containing a parking command in virtual server with UDP profiles. For more information on iRules that suspend processing, see SOL12962: Some iRule commands temporarily suspend iRule processing (https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html). BIG-IP system drops all UDP packets until iRule execution is completed. Workaround: Enable datagram-load-balancing in UDP profile associated with the virtual server. It will aggregate flows and process them in parallel based on the timeout setting.
535857 When a user removes a VLAN from an STP instance, it appears in STP instance 0. This is by design. Deleting a VLAN from an STP instance. Minor: VLANs deleted from an STP instance do not "disappear"; they are instead added to STP instance 0. Workaround:
536563 Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets. This occurs when the existing connection is closing while waiting on an ACK to the last FIN. Unexpected RSTs (Clientside). Workaround: None.
536931 When guests use ePVA disabled virtuals the host double-counts packets and bits in the host side throughput counters. VCMP guest disable pva in a virtual. Observe host throughput statistics (packets, bits). Incorrect representation of traffic flowing through the BIG-IP. Workaround:
536935 On BIG-IP 2000/4000 systems the driver that manages the MAC and PHY for the 2.x front panel ports will occasionally emit a pair of spurious log messages which appear to indicate that the [unpopulated] port had a link up message followed immediately by a link down message. This appears to occur only intermittently, only on the 2.x ports of BIG-IP 2x00/4x00 systems, and only when the ports are enabled but are not cabled to a live link partner. The impact this issue has is largely cosmetic but it can cause confusion or concern if at first glance one assumes the message is from a port that is actually in use. Workaround: In most cases a port left unpopulated can safely be disabled with (for port 2.1 for example): tmsh modify net interface 2.1 disabled which should prevent the system from polling the MAC's link state and logging changes.
536939 In certain situations a chassis based system with more than one working blade may encounter service restart on the secondary blade. - Chassis system with 2 or more working blades. - Configuration to be deleted via tmsh using a wildcard (for instance: tmsh delete ltm virtual test*). Services will restart on the secondary blade. Workaround: Do not use * wildcards with tmsh when deleting configuration elements on a chassis system.
537073 This leaves the rule expecting the result of the *prior* table command instead. When that result arrives, it is treated as the result for the CLIENT/SERVER_CLOSED's iRule. This has the effect of both not actually executing the requested table command *and* supplying the wrong result. Table command does an asynch operation in an iRule on a flow which is aborted. Incorrect iRule operation. Workaround: None.
537698 MCPD might abort and drop a core when encountering a memory error while processing a large configuration. This might occur when the config is large enough to exhaust MCPd's memory. This might occur after a memory error. MCPd cores and restarts, putting the system in a temporarily non-functional state. Workaround: None.
538292 When using asynchronous task in iControl REST, specifying any version other than 12.0.0 will cause the API to become unstable in some cases. Specify any version below 12.0.0 for asynchronous task requests. In some cases, user may experience iControl REST to hang or become unresponsive. Workaround: When making requests through iControl REST using asynchronous task, specify only version 12.0.0 in the request URI.
539385 If Access Policy event logs include long string arguments, the log buffer grows while processing each log parameter. The log information can overflow to other files such as user.log and message.log. Larger value for log parameters (mainly of string type). Happens only when the parameters are very long. For example, if one assigns a big string into session variables. Log information gets truncated and some amount spills over to user.log and message.log. Workaround: None.
540571 TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface. - CGNAT enabled and LSN pools configured on active virtual server that accepts traffic. - On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network. TMM crashes, interrupting traffic flow. Workaround: There are two workarounds: -- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network. -- Prevent traffic from using that destination in the iRule.
540872 Config sync fails after creating a partition. A config sync error similar to the following occurs: Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist. This error occurs when a folder is created in the same transaction that an object is also created in that folder. This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created. A transaction will fail or incremental sync on APM will fail on a peer. Workaround: In the case of transactions, create partitions and folders in a separate transaction from any object creation. For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.
541550 Authentication fails, indicating the affected user is associated with an "unknown" role: notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false. Define more than 10 remote-role groups and authenticate with a user having more than 10 roles. User cannot authenticate. Workaround: None.
541571 Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected. Sync group, multiple FQDNs resolving to different IP addresses. FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones. Ephemeral nodes may not repopulate as expected. Workaround: None.
541916 The tmm fails with a segmentation fault in hud_process_upper. This is a rarely occurring issue whose causes are not well understood. The tmm fails and restarts. Workaround: None.
542104 In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades. TCP monitors may fail because the server fails to respond to the initial TCP SYN. TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN. A server with tcp_tw_recycle enabled. A multi-blade BIG-IP chassis. Monitor failures or traffic disruption. Workaround: After confirming that the time is properly synchronized across the chassis, reboot the chassis. Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.
544033 In a very specific scenario, a response to an IPv4 ICMP Echo to a Virtual address may not reach back to the originator. - Client network MTU is lower than the BIG-IP system's ingress VLAN's MTU. - Client ICMP Echo is larger than Client's MTU and fragmented. Response is not received at client. Workaround: In certain version 11.x/12.x environments, it may be acceptable to disable PathMTU discovery. If it is, this can be worked around by disabling the following DB Key: tmsh modify sys db tm.pathmtudiscovery value disable. Note this workaround is not possible in BIG-IP software versions 10.x. 10.x does not have a workaround.
544906 User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user. For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all]. Devices configured for remote authentication. User A on device 1 with role on all-partitions. User A on device 2 with role restricted to a single partition. Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user. The system posts User Restriction Errors and operations (such as config sync) fail. Workaround: Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.
545745 When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present. Must have an accelerator device, and enable tmm.verbose logging. The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored. Workaround: Ignore the lines with format similar to the following: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000
545796 iRule is not generating any stats for executed iRules. 1. Moving/editing an iRule attached to a virtual server; 2. Passing traffic to the virtual server; 3. Adding the iRule back to the virtual server. No iRule usage stats available. Workaround: Restart tmm.
545810 TMM crashes. This happens with the CSP module when configured on local loopback. Crash and restart of TMM. Workaround: None.
545856 The Java VM crashed while attempting to monitor the proper functioning of a DB. Unknown. One known occurrence. Failure affects a single attempt at monitoring the DB. Workaround: Based on the information available, this failure is not persistent. A single attempt at monitoring the DB failed and proper functioning resumed without intervention.
545946 Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload. Transparent/Translucent vlangroup. Upgrade to later version or manually delete mcpd DB binary. Vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup. Workaround: Reload configuration or alter vlangroup configuration, e.g., set back and forth between transparency modes.
546145 Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI. Configure remote system authentication. Create a local user for remotely authenticated user. User cannot authenticate. User name does not appear in User List. Workaround: After initial creation, modify local user via tmsh to include appropriate partition-access.
546260 TMM might crash intermittently when traffic is sent through v6rd profile-configured tunnels. Specific conditions required for encountering this issue are not well understood. TMM crashes, which might cause a traffic outage. Workaround: None.
548003 GUI Network Map page runs out of memory and the GUI hangs indefinitely. When a BIG-IP system is configured with a large number of Virtual Servers (3000+) and accompanying components (iRules, Pools, Pool Members, and Node Addresses), multiple users retrieving the Network Map might result in an Out of Memory Exception. GUI server becomes unresponsive and unable to process new requests. The GUI becomes unusable and requires a restart. Workaround: Use items in the filter bar (along the top of the screen) to reduce the result size to avoid an Out of Memory Exception. Also, increase the memory of the container server.
548105 When a PBA LSN pool is under-provisioned, the LSN::inbound-entry iRule will not work. PCP will also not work with an under-provisioned PBA LSN pool. Occurs when PCP or the iRules LSN::inbound-entry command is enabled on a PBA LSN pool that does not have many translation addresses. PCP or the LSN::inbound-entry iRule may not work. This would result in failing connections. Workaround: None.
548175 In certain circumstances, CMP demoted Fast L4 virtual servers may intermittently and incorrectly use the tcp handshake timeout instead of the configured idle timeout. Connections may be reset earlier or closed at an unexpected time. Workaround: Ensure that the virtual server is not CMP demoted. To do so, do one of the following: -- CMP-enable the virtual server. -- Ensure that any iRules that CMP-demote the virtual server are corrected. See SOL13033: Constructing CMP-compatible iRules at https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13033.html
549329 A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash. HA active-standby pair setup for L7 packet mirroring. tmm cored and caused failover. Workaround: None.
549927 iRule validation does not check that RULE_INIT/virtual are disallowed in proc calling. Under the RULE_INIT event, call a proc which has the virtual command. Passes validation when it should not. Workaround: Do not call the virtual command inside a proc.
550988 The connections statistics for client ssl profiles are: Native, Compatibility, and Total. Total is *not* the sum of Native and Compatibility. Rather, it is the total number of handshakes completed. If the handshake does not complete, or the connection is not SSL, the 'total' line will still increment. Workaround: None.
551189 Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers). LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule. Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may result in an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header. Workaround: None.
551208 Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly. Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See solution 15435 (https://support.f5.com/kb/en-us/solutions/public/15000/400/sol15435.html). Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments. Workaround: None.
551572 The LCD display may stop updating and the Status LED may begin blinking Amber on BIG-IP 10000-series appliances. The Status LED will blink Amber if the LED/LCD module does not receive updates from the BIG-IP host for 3 minutes or longer. This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled. When this condition occurs, the front-panel LCD display will not display the current BIG-IP host status, and the Status LED will blink Amber. There is no impact to BIG-IP host operations, and no disruption to traffic. Workaround: This condition can be cleared by pressing one of the buttons on the LCD display to navigate the LCD menus. The button-press event generates USB traffic which will trigger recovery from the USB stalled transfer condition.
552278 Fast L4 proxy operates in TTL decrement mode. That means that for Fast L4 software-transformed flows (that is, no PVA acceleration) the system decrements TTL by 1 during the transform. In comparison, for the ePVA assisted flows, the system operates in preserve mode (no TTL change). For all ePVA assisted flows. Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows: TTL is not decremented for ePVA assisted flows, but TTL is decremented for flows without hardware acceleration. Workaround: Disable hardware acceleration to see TTL decrements.
553027 Truncated responses after an HTTP::collect. A pipelined HTTP request handled by HTTP::collect. A fast response that is drained slowly by the client. If the server responds quickly to the second pipelined request, that second request may be truncated when it is sent to the client. Rare truncated responses caused by HTTP::collect of pipelined requests. Workaround: None.
553613 FQDN nodes do not support session user-disable. Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections. Unable to use session drain. Workaround: None.
553625 When a BIG-IP proxied connection is being terminated, and the client is not accepting packets (zero window) then the connection may be reset after a timeout. In the following scenario: 1. TCP standard VIP receives all TCP payloads and FIN/ACK from server. 2. TCP standard VIP forwards TCP payloads (same size of client receive window). 3. Client sends zero window packet. 4. TCP profile used "fin wait 5", then after timeout, send RST to both client and server. Drained packets from server may be lost if the client is not accepting them. Workaround: None.
554625 Configurations with a high number of datagroups result in an unexpected save time. When configuration contains 1000+ datagroups, then the save time is near 60 seconds. This issue occurs when: - Configuration contains a significant number of datagroups - Running v11.0.0+. Increased save time. Workaround: None.
555039 There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop. Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports. Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports. This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades. This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering. Workaround: None.
555380 When running a qkview, there are various "Data publisher not found or not implemented" messages in /var/log/ltm. This is benign as these messages can be safely ignored. There were some items planned for implementation that later got scrapped and hence we see these messages. The items were psu, cooling and chassis info. Always present since the query is always made for these items that aren't available. A bit of concern by anybody monitoring /var/log/ltm and seeing these messages during a qkview which shouldn't have discernible impact on a system. Workaround: Ignore the messages as they are not caused by anything wrong in the system.
555465 With enough SessionDB entries and a small enough HA connection, you can cause the HA channel to become oversaturated. Very large number of SessionDB entries and a small/bad HA channel. Mirroring and other HA related TMM usages will be disrupted. Workaround: KIP text needs to be updated to include the suggested work-around
556505 Loading a UCS on running configuration may fail on objects with unique IP address constraints (e.g., self IPs, pool member IPs, etc). Loading a UCS on running configuration. UCS load failure. Workaround: Either load the UCS on a clean configuration (i.e., tmsh load sys config default), or run the load UCS command twice.
557358 ssl_q_dequeue can cause a crash when the dequeued element is not in the queue. This happens rarely under certain conditions. Try to dequeue one element which is not in the queue. Crash. Workaround: None.
557471 Statistics for LTM Policies, i.e. the total count of policy invocations and number of successful policy invocations, are not being updated in the graphical UI. The graphical UI shows zeros for both of these stats for every LTM Policy. Occurs under all conditions. Through the GUI, Administrators will not be able to see invocation counts for general troubleshooting or to figure which policies are being used. Workaround: Accurate stats can be obtained from the command line using tmsh. Stats for all policies can be obtained by the following: # tmsh show ltm policy. Stats for a specific policy can be obtained by specifying the policy name: # tmsh show ltm policy <policy-name>
557680 Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel. The issue occurs when the IPsec tunnel interface attributes has its configuration modified quickly and repeatedly. TMM cores. This might result in site unavailability. Workaround: Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
558044 On configuration reload, FQDN nodes do not refresh immediately. If the FQDN node's interval is large, upon configuration reload, the ephemeral nodes are not recreated until the specified interval. This occurs on an FQDN node with a large interval, such as the default of 3600 seconds. When the configuration is loaded, runtime objects are removed. The nodes do not regenerate until after the 3600-second interval. This issue is display only and has no functional impact. Workaround: -- Make the FQDN node's interval shorter. -- Alternatively, to force bigd to refresh the ephemeral nodes immediately, issue the command: bigstart restart bigd.
558053 If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions. 1) Configure a pool without a monitor, and make use of an iRule that attempts to use the 'active_member_cnt' attribute. 2) Configure a pool with FQDN nodes and change the state to user-down, and check the active_member_cnt via an iRule or GUIshell. Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts. Workaround: member_count returns total members with no status information.
558893 TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT. FTP Virtual server configured with an FTP profile that has inherit-parent-profile disabled. A client requests EPRT and then PORT commands referring to the same IP/PORT. TMM may reset the connection in some cases. Workaround: Change the ftp profile to enable the inherit-parent-profile option.
559080 High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows set the idle time to zero, but do not kill the flow. This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering. Logs are silently lost. Workaround: Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
559584 A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds. Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands: -- tmsh list ltm virtual. -- tmsh save config. ltm virtual vs { destination 10.10.10.10:http ip-protocol tcp mask 255.255.255.255 profiles { ::: nested object http { } http_security { } tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vs-index 26 } When commands take longer than 30 seconds to complete, iControlREST times out. Workaround: None.
560098 Configuration validation may fail or configuration load may fail during upgrade. iRule with table command using 'indef' for timeout and/or lifetime. Unable to load rule/config. Config fails to load during upgrade. Workaround: Use 'indefinite' instead of 'indef'.
560429 If you have a record with an extremely low timeout value and you attempt to constantly set/reset the value, you may intermittently attempt to access the record while it is expired, in which case the value you attempt to set it to is not accepted. Using table set command with a timeout of less than 8 seconds. iRule operates incorrectly. Workaround: Refresh the timeout on the entry before attempting to set it, via table lookup.
560975 When deleting SSL keys via iControl it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile. Using iControl to delete SSL key installed in hardware. Key is removed from HSM and must be reloaded. Workaround: Verify that keys are not in use before using iControl to delete them.
562292 If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes. A periodic after command is used, and within this there is another periodic after command whose contents park. tmm crashes. Workaround: Do not nest after commands with parking command.
562308 FQDN pool members do not support manual-resume, but allow its configuration. Attempting to use manual-resume for FQDN pool members. FQDN pool members do not honor manual-resume setting. Workaround: Do not configure manual-resume on FQDN pool members.
562370 SSL traffic may be stalled if there is a mismatch in mirror setting on the SSL virtual server between the active and the standby unit. SSL virtual server with mirroring enabled on the active unit and disabled on the standby unit. Connections on the active unit may be stalled up to "Handshake timeout" seconds. Workaround: Configure both units to have the same mirror setting on the Virtual Server.
562406 The total pva assisted connection counter is reported as the total number of times connections are accelerated by hardware. Where dynamic hardware re-offloading is supported, a connection might be offloaded to hardware multiple times, and therefore be counted multiple times in this way. Using pva-configured hardware. pva assisted connection counter reports higher-than-expected totals. Workaround: None.
562452 The GUI banner 'Loading... Receiving configuration data from your device' does not disappear when updating changes in System :: Preferences page. Use a BIG-IP system running 11.6.0 HF6. Make changes to System :: Preferences page. The GUI banner 'Loading... Receiving configuration data from your device' stays without showing the modified data. This is cosmetic. The changes are properly sent and stored. Reloading the page shows the new values. Workaround: None needed. This is cosmetic.
562676 No virtual servers display on multi-page, multiple partition configurations. This occurs in the GUI on the virtual server list when there is more than one page of virtual server results in partition A and only one page in partition B, when you show page 2 in partition A and then switch to partition B. The list will be empty even though there are virtual servers configured on the system. Workaround: Switch to the partition you want to view before navigating to the virtual servers list page.
562808 TMM might produce a core dump if a pool containing poolmembers is renamed. - Pool with poolmembers. - Move operation is enabled via sys db key. - Pool is renamed. TMM might core. Workaround: Do not use move operation; fully delete/recreate pools if renaming is needed.
562959 In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel. This occurs when there is some issue processing the packet going through IPsec tunnel. Tmm restart without core due to internal connection timeout. Workaround: None.
562997 As a result of a known issue TMM may leak memory if a pool containing poolmembers is renamed. - Pool with poolmembers. - Move operation is enabled via sys db key. - Pool is renamed. TMM may leak memory associated to pools and poolmembers. Workaround: Do not use move operation; fully delete/recreate pools if renaming is needed.
563222 If we configure an external HSM in a non-default route domain, it will fail to work, because pkcs11d isn't route-domain aware, and the vendor library is not route domain-aware, either. Configure an external HSM in a non-default route domain We cannot configure the external HSM in a non-default route domain. Workaround: None.
563227 When a poolmember goes down, persistence entries may vary among tmms. The result is that, rather than persisting to a single pool member, new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use. Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system. Inconsistent persistence entries. Workaround:
563641 The system does not prevent running per-client and setting the source port if you are using SNAT, but that configuration does not work. If SNAT is enabled, and routing through a peer configured with a per-client connection-mode and a non zero source_port, only one client may connect to a server at a time. A second client will not be able to connect until the previous outgoing connection times out. Running per-client and setting the source port if you are using SNAT. Certain configurations will not work. Workaround: Do not run per-client and set the source port if you are using SNAT. Use one of the following configurations instead: -- SNAT and per-client. -- SNAT and setting source_port. -- Per-client and setting source_port.
564699 Even if an entry is present in the whitelist, it can be mitigated if BADOS is configured and active. Configure whitelist or/and blacklist or/and Cannot avoid mitigation of a bad actor under attack even if it should be ignored according to the whitelist or the corresponding iRule with action DOSL7::disable. Workaround: Do not configure BADOS if a whitelist / blacklist is configured.
565786 Users that log in multiple times using variations on case may get load balanced to different servers. Improper load balancing. Workaround: Use consistent case when logging in.
566477 The dashboard line charts are difficult to read because there are many annotations (red-filled circles on the bottom part of the diagram). Reading any line chart with a time period other than the last five minutes reveals this issue. The user finds it difficult to read dashboard line charts. Workaround: None. This is a cosmetic issue that does not indicate a problem.
566507 The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system. -- In a BIG-IP high availability (HA) configuration. -- The HA configuration is Active-Active topology. -- There are multiple traffic-groups, in which each device is active for one traffic-group. An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device. Workaround: Configure the floating address of a traffic group as the next-hop in its route-map.
566565 If ADAPT is sending a very long HTTP request or response to an internal virtual server (IVS), its timeout might expire before sending is complete, not giving a chance for the IVS to respond. This might occur in this following case: the IVS has an ICAP profile and the ICAP server waits for the entire ICAP request before responding, by which time the ADAPT timeout has fired. A request-adapt or response-adapt profile has preview-size 0 and a timeout short enough to expire before the IVS has a chance to respond. The IVS transaction fails and ADAPT performs its service-down action. In this no-preview case, an 'ignore' (bypass) action is not possible, so the HTTP transaction fails. Workaround: Increase the timeout in the requestadapt or responseadapt profile, to cover the longest HTTP payload expected to be sent to the IVS.
566667 iRule stats show wrong data when the iRule is attached to multiple virtuals. The iRule is attached to multiple virtuals. The stats do not update correctly. Workaround: There is no workaround.
566930 If the internal client (subscriber) is unregistered, then any SIP call to/from that particular subscriber is dropped by the BIG-IP system SIP-ALG. SIP-ALG requires subscribers to be registered with their proxy servers through the BIG-IP system, because it uses those messages to maintain a table of valid subscribers and their translated addresses. Subscriber makes/gets a SIP call without registering with their proxy servers through the BIG-IP system. The SIP call is not established, because the messages get dropped. Although this is as-designed behavior, the system does not post detailed messages to the logs that indicate that this behavior occurred. Workaround: None. This is functioning as designed.
566995 Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted. The conditions under which this occurs are not known. This might impact routing table and reachability. Workaround: None known.
567065 The HTTP request or response may be compressed when the rule in the compression policy is matched. Compression policy associated with the virtual and request matches rule. When the action is compress request enable, the response may be compressed. When the action is compress response enable, the request may be compressed. When the action is compress request enable and compress response disable, neither request nor response will be compressed. HTTP request/response data may be compressed when undesired. Workaround: Explicitly define actions (enable/disable) for both request and response types.
567330 The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130). This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory. The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it. Workaround: Ignore the specific error with this signature: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).
567723 TACACS system-auth stops working after running config verify. Running config verify where the tacacs system-auth does not match the running config (e.g., altered secret or server list). Unable to login to system with tacacs system-auth. Workaround: Reload the running configuration.
568141 A RST packet isn't sent when a client sends a request and no servers are available. The client will then eventually get a time out error instead of getting an immediate error. An HTTP profile is assigned to a Performance L4 virtual server, and that server's pool has no available pool members. Clients could have to wait for a network timeout error instead of getting an immediate error. Workaround: None.
568543 Syncookie mode can be activated with a wildcard virtual, even in the case where there's no SYN flood. The default number of connections per second before syncookie mode is activated is 1993. This value can be increased to a max of 4093. After this threshold is reached, syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second. Syncookie mode is activated with high connection rates to a wildcard virtual. Workaround: Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
568547 When syncookie mode is activated, the system must choose an MSS value for the connection. The current MSS values that can be chosen are 536, 1460, 8960. Syncookie mode is activated on the BIG-IP system. An inefficient MSS value might be used for connections when syncookie mode is activated. For example, if the client-side MSS is 1400, then an MSS value of 536 is used for the connection when in syncookie mode. Workaround: None.
568566 When a user is created with the Auditor role and logs in with that role to run the "list sys crypto" command, the system returns an error message like: "Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted". A root/admin user creates a user with the Auditor role, and logs in using the Auditor role to run the "list sys crypto" command. A user with the Auditor role cannot run the "list sys crypto" command. Workaround: 1. Change the security context by using "chcon":

[root@eng-3900A:Active:Disconnected] tmp # chcon -u root -r object_r /var/tmp/key_mgmt/
[root@eng-3900A:Active:Disconnected] tmp # ls -lZ | grep key_mgmt
drwxr-xr-x. root root root:object_r:tmp_t:s0 key_mgmt

569100 TCL error in /var/log/ltm. TCL error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP" Virtual using the NTLM profile. Only logged when the first virtual is created or when TMM restarts. There should be no impact to the system. Workaround: None.
569102 Virtual server using NTLM unusable. Errors in /var/log/ltm and /var/log/tmm similar to the following:

err tmm2[27885]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
err tmm2[27885]: 01010007:3: Config error: add virtual server profile error
notice hudchain missing required clientside filter: HTTP
notice MCP message handling failed in 0x5f69c0 (16977920): Jan 20 20:29:45 - MCP Message:
notice create {
notice virtual_server_profile {
notice virtual_server_profile_vs_name "/Common/ntlm_profile_test"
notice virtual_server_profile_profile_name "/Common/ntlm"
...
notice virtual_server_profile_transaction_id 72

This occurs when a Virtual server uses an NTLM profile which does not include the HTTP profile. Unusable virtual server. Workaround: The NTLM profile requires the HTTP profile. Add the HTTP profile to the virtual server.
569288 In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This prevents some of the LACP trunk members from aggregating successfully with the peer switch. This only happens in a chassis-based system when a certain race condition causes the trunk id to be modified after initial trunk creation. Non-aggregated trunk members cannot pass traffic. Workaround: Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".
569968 sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load. During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump). Only impact is the generation of a core file. Workaround: Increase the snmpd heartbeat timeout to 300 seconds or more. The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.
570281 Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry results in the following error: Syntax Error: 'ip-address' may not be specified in the context of the 'modify' command. 'ip-address' may be specified using the following commands: create, list, show. Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry. Note: Starting in 11.6.0, the 'ip-address' attribute of an ARP/NDP record can no longer be modified. This is as-designed functionality. However, the BIG-IQ SCVMM plugin fails to work properly as a result, which might impact some configurations. For example, when the LTM gateway device is running versions later than 11.5.3, it could fail because the syntax that worked in 11.5.3 no longer works in 11.6.0 and later. Workaround: None.
571017 The following message may appear in /var/log/ltm when optics are removed: soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28). Optics removal. This is a cosmetic message and does not indicate a problem with the system. Workaround: None needed.
571156 Certs and keys attached to an HTTPS monitor are not displayed in the GUI, but are visible with tmsh. Certs and keys configured on an HTTPS monitor. Not able to show/configure certs/keys for HTTPS monitors. Workaround: Use tmsh.
571333 When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead. 1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS. 2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN. 3. Send over SYN packet from client to server via VS. The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value. Workaround: Set the offload state to "established".
571560 In rare cases, icrd may crash and create a core file while shutting down. icrd exiting, typically due to a system shutdown or reboot. icrd crashes and generates a log file. Workaround: The crash of icrd during shutdown/reboot may be ignored; no services were impacted. Related core files can be deleted as desired.
571635 When a VIPRION B2100 or B2150 blade boots, there is a brief window during which the transmitter on the optics module is enabled, but the accompanying initialization of the Broadcom switch has not yet occurred. During this window (~20 seconds) random data may be transmitted, which may be reported as errors by the link partner. VIPRION B2100 or B2150 blade is powered or rebooted or when the user performs a 'bigstart restart'. This has a minor impact. In most cases link is functional after the system fully initializes, although error counts may show up on the link partner. Workaround: If link fails to come up, attempt "bigstart restart bcm56xxd" to restart the Broadcom daemon. However, this will have no impact on errors seen by peer equipment. You can determine the type of hardware using the command: tmsh show sys hardware. 'Type' is A109 for VIPRION B2100 blades and A113 for VIPRION B2150 blades.
572079 The command history and audit logs add additional escaping. Command entered into tmsh includes escape (backslash) characters. Commands repeated from the history may not match what was entered and will be interpreted as displayed. The audit logs may contain additional quoting or escaping when compared to the command that was run. Workaround: When repeating commands from the history which contain escaping, remove the added escaping before running.
572111 When configured by default, the min-threshold and max-threshold of the red and fred drop policies of the rate shaper show a value of zero. This only means that the data plane is expected to use default values. Later, when one of the values is changed, the actual values of all the other fields are shown as well. For reference, a value of zero is equivalent to the following values for the drop-policy parameters:

net rate-shaping drop-policy fred {
    average-packet-size 1024
    fred-max-drop 100
    inverse-weight 128
    max-probability 100
    max-threshold 9216
    min-threshold 3072
    type fred
}
net rate-shaping drop-policy red {
    average-packet-size 1024
    inverse-weight 512
    max-probability 10
    max-threshold 15
    min-threshold 5
    red-hard-limit 60bytes
    type red
}

Working to change it to show all default values at all times. Customers may be confused when they change one value and see other values automatically change from zero to something else. Workaround: No workaround is needed.
572225 If an edit to the bigip.conf file contains duplicate objects (e.g., a virtual server, a pool, etc.) with the same name, the system creates the last object with the duplicate name. For example, if a virtual server and a pool are both defined in bigip.conf with a name of 'test1', and the pool is the object that is referenced second, the system creates the pool and does not create the virtual server. The system does not post messages to inform the user that the configuration contains multiple objects of the same name. In the following example, the system creates the second object when running the command 'tmsh load sys config'. The created object has the /Common/http { } attribute.

ltm virtual /Common/duplicate {   <--- This object will not exist
    destination /Common/10.10.10.10:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual /Common/duplicate { <--- This object will exist
    destination /Common/10.10.10.10:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
        /Common/http { }   <--- contains an extra profile
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}

This only occurs when manually editing the bigip.conf and creating objects with the same name. The system handles this behavior when creating objects using tmsh or the GUI. The first object defined in bigip.conf is not created. Note that directly editing the bigip.conf is not the recommended method for configuring the BIG-IP system. Workaround: You can prevent this issue by using tmsh or the GUI to configure the BIG-IP system, and not editing the bigip.conf directly. If you must edit the bigip.conf by hand, keep in mind that the system creates only the last object specified with a duplicate name.
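Because the load reports nothing for issue 572225, a hand-edited bigip.conf can be checked for reused names before running 'tmsh load sys config'. The following is an added example, not F5 code: the function names are hypothetical, the sample configuration is constructed, and it assumes that counting braces is enough to tell top-level objects from nested ones.

```python
"""Flag object names defined more than once in a bigip.conf-style file."""
import re
from collections import defaultdict

# Top-level stanza header, e.g. "ltm virtual /Common/duplicate {".
HEADER = re.compile(r"^(?P<head>[a-z][^{}]*?)\s*\{")

# Constructed sample, modelled on the example in the note for issue 572225.
SAMPLE = """\
ltm pool /Common/web_pool {
    members {
        /Common/10.10.10.20:80 {
            address 10.10.10.20
        }
    }
}
ltm virtual /Common/duplicate {
    destination /Common/10.10.10.10:80
    profiles {
        /Common/tcp { }
    }
}
ltm virtual /Common/duplicate {
    destination /Common/10.10.10.10:80
    profiles {
        /Common/tcp { }
        /Common/http { }
    }
}
ltm virtual /Common/test1 {
    destination /Common/10.10.10.11:80
}
ltm pool /Common/test1 { }
"""


def top_level_objects(text):
    """Yield (object_type, name, line_number) for each top-level stanza.

    Assumption: brace depth alone separates top-level stanzas from nested
    blocks. Stanzas with unbalanced braces in quoted strings would need a
    real parser.
    """
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if depth == 0:
            if line.lstrip().startswith("#"):
                continue  # comment between stanzas
            match = HEADER.match(line)
            if match:
                tokens = match.group("head").split()
                if len(tokens) >= 2:
                    # Last token is the object name, the rest is its type.
                    yield " ".join(tokens[:-1]), tokens[-1], lineno
        depth = max(depth + line.count("{") - line.count("}"), 0)


def find_duplicates(text):
    """Return one finding per name that is defined more than once.

    Names are compared exactly and across object types, because the note
    describes a virtual server and a pool named 'test1' colliding. The last
    definition is reported as kept, matching the described load behavior.
    """
    definitions = defaultdict(list)
    for obj_type, name, lineno in top_level_objects(text):
        definitions[name].append((obj_type, lineno))
    findings = []
    for name, defs in definitions.items():
        if len(defs) > 1:
            findings.append({
                "name": name,
                "dropped": defs[:-1],   # earlier definitions, not created
                "kept": defs[-1],       # last definition, the one created
                "same_type": len({t for t, _ in defs}) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_duplicates(SAMPLE):
        kept_type, kept_line = finding["kept"]
        print(f"{finding['name']}: kept {kept_type} (line {kept_line})")
        for obj_type, lineno in finding["dropped"]:
            print(f"    not created: {obj_type} (line {lineno})")
```

To check a real file, pass its contents to find_duplicates() in place of SAMPLE and treat any finding as a reason to stop before loading the configuration.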
572281 When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

The script contains a parking command, after, which runs after "set a 10". When the after command returns, the value of a goes back to the initial value set in the foreach, and the value of 10 is lost. There is a parking command in the nesting script of foreach. Variable values get reset. Workaround: Set (or set again) the variable value after the parking command.
572554 EM device discovery/device update fails. iRule object with special characters in the same line. EM device discovery/device update fails. Workaround: Escape the '#' with '\#'.
572680 Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM. Standby TMM loses sync with active TMM while a TCP client's advertised receive window is zero. Standby TMM can accumulate too much data in the send buffer and overflow. Workaround: This issue is less likely with a low zero-window-timeout value in the TCP profile.
572778 Nodes stay in checking state. Create an FQDN node. Next, apply an ICMP monitor to the parent node. Monitoring state not updating node. Workaround: There are several workarounds: 1. Create FQDN node and apply monitor in one step. 2. Use default node monitor. 3. Restart bigd.
572871 When creating or editing LTM profiles with regex or GLOB-expression attributes using tmsh, if the regex or GLOB expression is invalid the TMM logs an incorrect error message, similar to "Invalid command name...". The TMSH command line interface logs the correct message, similar to "Profile XYZ error - couldn't compile regular expression..." Specifying invalid regex or GLOB expressions in LTM profiles, using TMSH. No functional impact. This problem only affects the quality of diagnostics due to inaccurate TMM error logs. Workaround: There is no workaround at this time.
572895 When a flow is forwarded from one tmm to another, and the destination tmm finds that the client is reusing a port that is in time_wait, and time wait recycle is enabled, the source tmm terminates the connection with a RST sent to the SYN-ACK from the client. Using time-wait recycle and a client reuses the port that is currently in time-wait, and the flow is forwarded to another tmm. Client flows are reset rather than accepted. Workaround:
573235 IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1 in the GUI. This happens when configuring IPsec via the GUI. The authentication algorithms may be configured as SHA-1 which may not be the best choice for the use case. Workaround: Select the appropriate level of authentication algorithm strength from the pull down menu for the use case.
573247 For GRE PPTP flows, the local port and remote port in the clientflow and serverflow have changed from any (port 0) to the PPP ethertype (0x880b). This affects iRules commands related to flow creation such as relate_client and relate_server. Using port 0 with these commands will no longer match incoming GRE PPTP packets and the packets will be dropped. These drops can be seen in the no_handler_deny counter in the tmm_stat table. iRule that uses the relate_client or relate_server commands to create flows to handle GRE (IP protocol 47) PPTP traffic. All GRE PPTP packets are dropped. Workaround: The relate_client and relate_server commands in the iRule should be edited to use 34827 (0x880b) for the local and remote port.
573366 A parking command used in the nesting script of the clientside and serverside commands can cause a tmm core. A parking command is used in the nesting script of the clientside and serverside commands. tmm cores. Workaround: Move the parking command outside the nesting script.
573757 When a blade syncs its config with a peer device in a device group, an mcpd core dump triggers a new primary blade. If auto-sync is turned on the new primary will attempt to sync again, core dump, and cascade to the next primary. There must be a virtual server synced in the device group configured with CMP enabled and an iRule. The chassis must also have a local non-synced virtual server referencing the same iRule. If that iRule is deleted on the peer device, it will cause a core dump on the chassis when the change is synced. If auto-sync is disabled on the device group and a user issues a manual sync, the primary blade will core and a new primary will come up out of sync but functional. If auto-sync is enabled on the device group, a cascading primary blade failure will occur. Every time a new primary is established, it will attempt to sync and core dump. This leaves the chassis in a state where the primary blade can't be established. Workaround: If auto-sync is turned on then disable it first to prevent cascading failures. One of several things can be done: 1. Remove the reference from the non-synced virtual server to the iRule that is in the device group. 3. Turn off CMP on the non-synced virtual server. 2. Undo the delete of the iRule on the peer by either recreating it or loading a backup UCS. Attempt a manual sync and make sure it succeeds before turning auto-sync back on.
573782 csyncd may dump core. This is rarely encountered, and happens rarely when a VCMP guest is disabled and then restarted. This occurs at a non-critical time with no visible effects. Workaround: None.
574095 The hostname is not RFC 952/RFC 1123 compliant. Characters in the hostname make it non-compliant with RFC 952/RFC 1123. The hostname won't be RFC 952/RFC 1123 compliant. Workaround: Don't add characters to the hostname that make it non-compliant with RFC 952/RFC 1123.
574259 The BIG-IP system does not automatically run the synchronization process when a new blade is inserted into a chassis. Inserting a new blade into a VIPRION chassis. New blade must be synced manually. Workaround: None.
575176 In some scenarios UDP traffic can cause syncookie statistics to be incremented. Virtual server with fastL4 profile with ePVA offload enabled. Virtual server to handle UDP traffic. Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server. Workaround:
575339 After modifying IKEv2 peer state to disabled, remote security associations (SAs) stay active. Changing IKEv2 peer state to disabled. Remote SAs stay active. Workaround: Use the IPsec dead peer discovery (DPD) mechanism defined in RFC 3706 for detecting peers that have been disconnected too abruptly (a system crash) or due to network issues (manually disconnecting a laptop's Ethernet cable). You can find more information in 'A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers' available here: http://www.ietf.org/rfc/rfc3706.txt.
575368 When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted indicating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key. UCS file with FIPS keys is loaded after re-initializing the FIPS card. SSL handshake failures are seen when a clientSSL profile uses the FIPS key. Workaround: You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.
575595 The memory allocation for mcpd will grow by a small amount if eviction policy stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times. An eviction policy is configured, and the stats are displayed in TMSH or the GUI. Performance may be degraded. Workaround:
575608 MCPd might leak memory in virtual server stats query. In some cases, querying virtual server stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575619 MCPd leaks memory; the umem_alloc_8 cache will grow. In some cases, querying pool member stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575649 MCPd might leak memory in IPFIX destination stats query. In some cases, querying IPFIX destination stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575660 MCPd leaks memory so the amount of used memory will grow over time. In rare cases, such as immediately after a reboot before system performance stats are populated, querying system performance stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575671 MCPd might leak memory in host info stats. In some cases, querying host information stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575708 MCPd might leak memory in CPU info stats. In some cases, querying CPU information stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575735 MCPd leaks memory; the umem_alloc_8 cache will grow. In some cases, querying global CPU information stats can leak memory. MCPd might eventually run out of memory and core. Workaround: None.
575848 Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated. SNAT object on an ePVA-capable platform. Some traffic-related statistics (pkts/bytes in/out) are not updated. Workaround: To get these statistics, convert the global SNAT to an appropriate virtual server.
575919 TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file. Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error. Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued. Workaround: Only run a single instance of TMSH.
577511 The /var/tmp/merged.state file produced by merged when it is sent SIGUSR2 including when qkview is taken can incorrectly report the merge method as slow in limited circumstances. The input files to merged need to be in a steady state of churn (rows added or removed) so that merged cannot successfully complete a merge. It is harder to debug merged. Workaround: Reduce the churn on the input files, for example by not spawning a steady stream of processes recorded in the proc_pid_stat table.
578097 OCSP Stapling uses either a DNS resolver OR a proxy server pool to connect to the OCSP responder. In the GUI these two configuration options are a choice of one or the other, but tmsh allows configuration of proxy-server-pool when use_proxy_server is set to false, and vice-versa. DNS resolver and use_proxy_server are configured at the same time, but only one of these configurations is set to true. In the following situation: - use_proxy_server: Enabled but incorrectly configured, or the external proxy server is not working or is down. - DNS resolver: Enabled and correctly configured. OCSP stapling will not work, because the device tries to connect to the OCSP responder through the proxy regardless of the DNS resolver configuration. Because this 'double' configuration (DNS + use_proxy_server) can only be made with tmsh, customers cannot see in the GUI that both configurations are present at the same time. Workaround: Disable the use_proxy_server configuration using tmsh; the device then uses the DNS resolver to reach the OCSP responder.
578573 In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate. For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1. Both scenarios are a problem for a customer. When the signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate. The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate. Workaround: Configure the CA certificate in the client SSL profile so that its signature algorithm matches that of the server certificate.
578816 Profile changes with certain configurations will cause a large number of internal transitions that will cause the update to take an excessive time. The amount of time is dependent upon the number of iRules and SPDY profiles in use in the system. Using iRules and SPDY profiles, and making updates to profiles. When the amount of time is too excessive, this can cause the watchdog processes to think tmm is not responding and can ultimately kill the tmm and cause a possible failover event. When not long enough for the switchover daemon (sod) and watchdog processes to intervene, this can still lead to a traffic disruption. Workaround:
578843 The GUI strips out 0.0.0.0 masks from the SNMP Client Allow List. Using the GUI to specify an SNMP Client Allow List containing 0.0.0.0 masks. The GUI strips the 0.0.0.0 masks. Workaround: Use tmsh to modify the SNMP Access if using 0.0.0.0 net masks.
579210 Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000. This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting. When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster. Workaround: To recover, reboot the system once.
579252 Traffic can be directed to an incorrect virtual during virtual modification.

net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}
ltm pool redirect-echo {
    members {
        10.125.0.17:7
    }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles {
        udp
    }
    vlans {
        external
    }
    vlans-enabled
}

Traffic can be directed to an incorrect virtual server. Workaround: No known workaround at this time.
579540 The current BIG-IP implementation of Initial Sequence number generation may not cover the whole sequence space thereby making the BIG-IP more vulnerable to TCP sequence space attacks. Normal operation. TCP Sequence space attacks may be easier to achieve than they should be. Workaround:
580031 Using OneConnect with forwarded flows might cause resets. The first connection attempt from the client works properly and sets up the OneConnect flow pool on one tmm, and a forwarding flow on another tmm. Then, when the client attempts a second connection, the system tries to reuse the forwarding flow, which returns failure and resets the connection. The system might report a reset cause such as 'Unable to obtain local port' or 'Out of ports', or in some versions, there might not be a specific reset cause reported. Using OneConnect and forwarding flows. The system uses forwarding flows when source-port preserve-strict is configured, when a virtual server is configured for 'cmp-enabled no', and in certain other circumstances. For example, this issue can be seen on 2000- and 4000-series platforms, when 'source-port preserve strict' is used with OneConnect. Client connections are reset. Workaround: Do not use preserve-strict and OneConnect together.
580303 When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline. Using high availability, and switching a device from active to offline. The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device. Workaround: Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
580499 On a chassis with at least two blades, after disabling the default admin on the primary and setting an alternate, mcpd on secondary goes into restart loop and error messages are seen in /var/log/ltm:
    Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user a-test.
    Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess.
    Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess1.
    Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user test-noaccess2.
    Mar 14 10:05:49 slot2/VPR-144-6 warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user nothing.
    Mar 14 10:05:49 slot2/VPR-144-6 err mcpd[26012]: 010718e7:3: The requested primary admin user (admin111) must have a password set.
    Mar 14 10:05:50 slot2/VPR-144-6 err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin111) must have a password set.... failed validation with error 17242343.
(admin111 is the primary admin user set on the primary blade.) Chassis with multiple blades; alternate primary admin is set on the primary blade. mcpd in a restart loop on secondaries. Workaround:
580591 NTLMv2 authentication support in the bigd monitor only works reliably with Microsoft servers if the (NetBIOS) domain part of the ("Down-Level Logon Name" format, https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx#down_level_logon_name) username is either omitted or entered in uppercase (DOMAIN\user). However, if it is entered in lowercase (domain\user), authentication fails. Monitor using NTLM authentication with domain not uppercase. HTTP monitor marks member down. Workaround: Change domain in monitor user string to uppercase.
580697 After a FPGA firmware switch on VIPRION 2200 platform without a system reboot, some internal higig ports may not operate properly. Using tmsh or GUI to switch FPGA firmware on VIPRION 2200 platform. This might result in the system not passing traffic properly. Workaround: After FPGA firmware switch, run command 'clsh reboot' to reboot the whole chassis.
581660 netHSM connection may fail with a message 'cannot locate key'. This only affects Thales users. Safenet users are not affected by this issue. This may happen after restarting pkcs11d without starting tmm immediately after. SSL handshake failure with a message similar to the following: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001. Workaround: For Thales, always restart tmm after restarting pkcs11d. To do so, run the following commands:
    bigstart restart pkcs11d
    bigstart restart tmm
581746 Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a Virtual server. MPTCP has been enabled on a TCP profile on a Virtual Server. A System outage may occur. Workaround: Do not enable MPTCP on any TCP profile
581851 MCPD on secondary blades restart with Configuration error. Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets. Secondary blades restart services, resulting in performance degradation or failover. Workaround: Issue commands as part of a transaction.
581921 The ssh files required for ssh sign on are not transferred when performing a UCS restore operation. This can happen when performing a UCS restore operation. This might affect the operation of ssh. Workaround: Add the folder /etc/ssh to the /usr/libdata/configsync/cs.dat file
582331 Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server. This occurs when the load disaggregated to available TMMs is uneven. This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections. Workaround: Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
582465 After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key. The BIG-IP system uses the SafeNet HSM. HSM service is not usable even after restarting pkcs11d. Users must re-authenticate. Workaround: To generate a new key, after HSM finishes starting up, run the following commands:
    # /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
    # /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>
Or, you can reinstall SafeNet client.
582487 When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats is not updated and remains zero. Merged.method is set to slow_merge. System stats such as overall CPU usage remain at zero. Workaround: Set Merged.method to fast_merge.
582749 The maximum number of trunk member ports on the B4300 blade is currently limited to 16 ports. This occurs on the B4300 blade. External trunks can not have more than 16 front panel ports configured, across all blades in a chassis. Workaround: None.
582989 For backward compatibility reasons we use our own version of the platform object class defined by the MCP schema. This version doesn't have the new properties added to the platform class in the MCP schema, and there is no easy way to keep both in sync other than a manual merge to add additive changes and not to pull in breaking changes. This occurs in all BIG-IP releases starting with 11.5. Confusing error messages in /var/tmp/restjavad.out. Workaround: These error messages are harmless and indicate that the platform object received from MCP has properties we don't understand. Since those properties are not used for any functionality in restjavad, it is perfectly fine. Please ignore error messages having DataObjectException for the "platform" object.
583101 Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue. iRules exist on a VS with an adapt profile, containing: when ADAPT_REQUEST_RESULT { ADAPT::result bypass } or when ADAPT_RESPONSE_RESULT { ADAPT::result bypass }. ADAPT logs an unexpected state transition and resets the connection. Workaround: Avoid "ADAPT::result bypass" in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).
583475 In some rare and still unknown situations the BIG-IP may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy. Creating or modifying LTM policies. The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality. Workaround: A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.
584310 When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only the length bytes from the start. TCP::collect on server-side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has happened only with IIS server. TCP::collect collects bytes without taking into account the skip, so the bytes collected are not the correct ones. Workaround: None.
584414 After deleting the persistence records, the connection might use persistent records to two different nodes breaking persistence. Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing). Client fails to persist to a particular node. Workaround: Avoid removing persistence records from tmsh or use iRules to remove persistence records.
584471 When an SSL connection with a specified server name is received in a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules: (1) First try to match the server name with the explicit server name configuration of the clientssl profiles. (2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles. (3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles. The issue is that, based on RFC6125, the common name should be used as a 'last resort'. In other words, the third rule should be the second rule. The issue occurs when all of the following conditions are met. (1) The incoming SSL request includes the SNI (server name) extension in the clienthello, used to specify its desired SSL server. (2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server. (3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has a common name but not necessarily subject alternative names). The virtual server might select a clientssl profile which is not preferred by the client side. Workaround: None.
584504 Usernames and passwords can contain non-English characters, but logging in with them fails. Usernames and/or passwords contain non-English characters. Workaround: Make sure usernames and/or passwords contain only English characters.
584603 A device that is already in the device trust can be re-added by repeating the TMSH command. This can be a 'back door' way to rename the device in the trust and may cause errors in the trust if the rename assigns a duplicate name. Use of the TMSH command 'modify cm trust-domain' to rename a device already in the trust. Can disrupt connections in the trust over which configuration is synchronized. Workaround: Don't use the 'modify cm trust-domain' command as a way to rename the device. To rename a device, use the 'mv cm device' command.
584772 ssldump crashes while decrypting. Using ssldump to decrypt SSL which contains bad records. ssldump crashes making it difficult to decrypt SSL data. Workaround:
584948 The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions. This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory. Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM. Workaround: Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly. For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.
585412 Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.' A virtual server that uses an SMTPS profile with activation-mode set to allow. A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters. 8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented. The TCP connection is reset with a reset-cause of 'Out of memory' and the email will not be delivered. Workaround: None.
585807 'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"] iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'. Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type. Workaround: Do not attempt to change the method type with 'ICAP::method <method>'.
585833 In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This isn't a hard requirement to build a qkview which potentially could use much less than the 2GB limit. Additionally, some F5 VE systems are shipped with less than 2GB in /shared, thus qkviews cannot be produced. The /shared partition is smaller than 2GB or has less than 2GB free. User is unable to create a qkview despite having enough room to build one. Workaround: Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.html for detailed instructions on resizing volumes.
585876 When modifying very large data groups(~33k objects) in the Configuration Utility, updates will fail with an error message: "Unknown Button Pressed." The BIG-IP contains a data group that exceeds roughly 33 thousand objects. Updates to particular object will fail. Updates to large data groups will fail in the Configuration Utility. Updates to smaller data groups are still possible. Workaround: Updates to large data groups must be made with tmsh.
585961 Customer may experience unexpected failover. The issue has been found on a virtual server with both an attached iRule and LTM Policy. The iRule calls TCP::collect when the connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression. Customer may experience unexpected failover. Workaround: No workaround.
586368 Non-root users or processes cannot read or write from the /var/log/sa6 directory because the directory does not have the executable bit set (0755 permissions). Non-root users attempting to read or write from the /var/log/sa6 directory. Processes not run by root cannot read or write to this directory, and permission errors result. Workaround: As root, run the following command: chmod 755 /var/log/sa6 /var/log/sa. Once the directory has the correct permissions, the errors disappear.
586660 A virtual server will fail some requests where the response is served from cache. If a virtual server has either SPDY, or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache. Also, a normal HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers. Errors in certain TCL commands or failed requests. Workaround: None.
586878 During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade. The issue occurs when all of the following conditions are met:

1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, and versions 12.1.0 and later).
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.
Workaround: To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
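
Steps 1 and 2 of the workaround above can be scripted against a copy of /config/bigip.conf. The following is an added example, not F5 code: it assumes the stanza layout shown in the two samples above, treats the values 'none' and 'default' as unusable per condition 2, and uses hypothetical function names and constructed sample profiles.

```python
import re

# Constructed sample in the layout of /config/bigip.conf. The first profile is
# the example from the release note; the other stanzas are made up for this demo.
SAMPLE_CONF = '''\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default-chain {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/site.crt
    cert-key-chain {
        site {
            cert /Common/site.crt
            key /Common/site.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key /Common/site.key
}
ltm profile client-ssl /Common/cssl_inherits {
    defaults-from /Common/clientssl
}
'''

HEADER = re.compile(r'^ltm profile client-ssl (\S+) \{\s*$')
INLINE_EMPTY = re.compile(r'^(.*\S)\s*\{\s*\}$')   # e.g.  default { }
UNUSABLE = {"", "none", "default"}                 # assumption, see lead-in


def parse_block(lines):
    """Consume lines up to the matching '}' and return them as a nested dict."""
    block = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            return block
        empty = INLINE_EMPTY.match(line)
        if empty:
            block[empty.group(1)] = {}
        elif line.endswith("{"):
            block[line[:-1].strip()] = parse_block(lines)
        else:
            key, _, value = line.partition(" ")
            block[key] = value.strip()
    return block


def client_ssl_profiles(conf_text):
    """Map each client-ssl profile name to its parsed settings."""
    lines = iter(conf_text.splitlines())
    profiles = {}
    for line in lines:
        header = HEADER.match(line)
        if header:
            profiles[header.group(1)] = parse_block(lines)
    return profiles


def usable(value):
    return value is not None and value.strip('"') not in UNUSABLE


def lacks_cert_key(profile):
    """True when the profile overrides its parent but names no cert/key pair."""
    if profile.get("inherit-certkeychain") == "true":
        return False
    if not any(k in profile for k in ("cert", "key", "cert-key-chain")):
        return False  # nothing overridden: the pair comes from the parent
    top_level = usable(profile.get("cert")) and usable(profile.get("key"))
    chain = profile.get("cert-key-chain")
    entries = chain.values() if isinstance(chain, dict) else []
    chained = any(isinstance(e, dict) and usable(e.get("cert"))
                  and usable(e.get("key")) for e in entries)
    return not (top_level or chained)


def profiles_to_fix(conf_text):
    """Names of client-ssl profiles to remove and re-create before upgrading."""
    found = client_ssl_profiles(conf_text)
    return sorted(name for name, p in found.items() if lacks_cert_key(p))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name in profiles_to_fix(text):
        print("no usable cert/key pair:", name)
```

Run it with the path to a copy of the configuration file as its only argument; with no argument it scans the embedded sample.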

586946 Updating iRules containing 'onClick' gets a blank page instead of the iRule list. Update the iRules containing 'onClick' in HTML snippets. Cannot have 'onClick' in iRules. Workaround: Do not use Chrome to update the iRules with 'onClick'; use Firefox or Internet Explorer instead.
587016 SIP monitor in TLS mode marks pool member down after positive response. The SIP monitor in TLS mode is constantly marked down. SIP monitor configured in TLS mode. Server does not send close_notify alert in response to the monitor's close_notify request. Unable to monitor the status of the TLS SIP server. Workaround: None.
587266 As of BIG-IP v12.1.0, the output of the "tmsh show sys hardware" command includes the "Chassis Name" and "Chassis Type" fields under the "Chassis Information" section. On VIPRION blades, these fields report the Marketing Name and Platform ID of the VIPRION chassis in which the blade is installed. On BIG-IP appliances, the "Chassis Name" and "Chassis Type" fields are not populated. This affects the following BIG-IP appliances running BIG-IP v12.1.0 or later: BIG-IP 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050 BIG-IP 2000-/4000-series, 5000-/7000-series, 10000-/12000-series. Cosmetic. Non-applicable fields contain no information. Workaround:
587443 Throughput statistics on a multi-slot vCMP guest are not accurate when tcpdump is running. Specifically, the BIG-IP Administrator may find that starting a tcpdump command causes the Throughput figures to double or even triple (both In and Out). When the tcpdump command is stopped, the Throughput figures return to normal. This issue affects all systems reporting Throughput figures (i.e. the performance graphs in the configuration utility, TMSH, SNMP, etc.). TMM Throughput figures, however, are not affected by this issue and remain accurate while tcpdump is being run. A tcpdump command is started on a multi-slot vCMP guest. The impact is cosmetic, in the sense that the system is fully functional and performing as intended during the issue. However, the incorrect reporting of Throughput figures may confuse and alarm BIG-IP Administrators, causing them to take unnecessary remedial actions (restart, failover, expand the guest, burst to the cloud, etc.). In this case, there is no remedial action needed. Workaround: None needed. When the tcpdump command stops, the Throughput figures return to normal.
587678 When client hello reuses a previous session ID, and changes the SSL version from TLS 1.0 to TLS 1.2 in the handshake layer, but keeps the TLS 1.0 in the record layer, LTM accepts the session resumption, but changes the version of the record layer to TLS 1.2 as well, and finishes the resumption. However, the client aborts the connection due to the record layer version change. When SSL client attempts to resume a session, but the client_version has changed. Workaround: No workaround.
587705 Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist for the client, but pointing to different pools. "Match_across_virtual" enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current vips' pools. Source address persistence fails for this client, even though there is a valid persistence entry that can be used. Workaround:
587804 On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm: err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure. It is not yet known what the conditions are that trigger this error. This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur. Workaround: None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored.
587892 Multiple iRule proc names might clash, causing the wrong rule to be executed. This occurs when an iRule is configured with more than one proc; the wrong proc might get executed. The call proc might execute the wrong proc. Workaround: None.
588089 SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover. Mirroring enabled on virtual with an associated client-ssl profile. SSL connections unable to recover after failover. Workaround: Disable session cache to prevent connections from resuming.
588115 As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit. - Unit configured with a floating self-IP and allow-service != none. - More specific route exists via GW to the self-IP. - Configured gateway for the overlapping route is unreachable. - Ingress traffic to the floating self-IP. TMM may crash. Workaround: Avoid the use of routes overlapping with configured floating self-IPs.
588505 TMM may crash because of memory corruption. Because the root cause of this issue has not been determined, the actual symptoms cannot be detailed. TMM might crash when memory is overwritten during operations. The conditions under which the memory corruption occurs are unknown. TMM might crash. This is a rarely encountered issue. Workaround: There is no known workaround.
588569 TCP segment size is 40 bytes less. ICMP implementation using Path MTU (PMTU). User enables MPTCP, Rate Pacing, or any of the following congestion controls: Vegas, Illinois, Woodside, CHD, CHG. The impact of this issue is less data per TCP segment. Workaround: Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.
588572 LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU. ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls: Vegas, Illinois, Woodside, CHD, CHG. Burst traffic generated. Workaround: Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.
588646 The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load. Create a standard access list with a remark. Add to the same list another entry to permit or deny an IP/range. The ACL does not load and an error is returned. Workaround: Do not use remarks in standard access lists, or use an access list in the extended or named ranges.
588946 You can install v11.5.4 on the 12250v platform, but are unable to license BIG-IP. This is because v11.5.4 is not supported on the 12250v platform. Install BIG-IP v11.5.4 on a 12250v platform. BIG-IP v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license BIG-IP system. Workaround: Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.
589083 When a user is remotely authenticated, and tries to use iControl REST to save config, they get a "permission denied" error. Remote Authentication needs to be set up. Unable to save config. Workaround:
589199 CoS queue egress packet drop counts are not exposed in the 'Drops' column for 'tmsh show net interface' for B2250, B4300 and 1x000 platforms. The CoS queue egress packet drop counts are however correctly reported via the 'drop_reason' and 'interface_stat' tmstat counters. This occurs on B2250 and B4300 blades and on 1x000 platforms. CoS queue egress packet drop counts are not exposed via net interface reports, but are reported correctly via tmstat counters. Workaround: CoS queue egress packet drop counts can be viewed using 'tmctl interface_stat' and 'tmctl drop_reason'.
589338 As a result of a known issue, Linux host residing on the secondary blade may lose ECMP routes previously learned via a dynamic routing protocol. - Multibladed chassis or vCMP guest - ECMP routes learned via dynamic routing - Restart of services or reboot of secondary blade. ECMP Routes on Linux host of secondary blade lost. This may cause an effect on host traffic, such as monitoring, remote logging, etc., due to the lack of routing information. Workaround: Restarting routing processes on the primary blade will cause the routes to propagate to the secondary blade.
589698 An HSB lockup occurred on a B2100 (A109) blade running vCMP. Unknown. HSB lockup requires unit restart. Workaround: None.
589856 When 2 iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction id. This disrupts code execution on both clients. Client requests to create transactions are close to each other in time. Transaction semantics are not followed, and unintended errors may occur. Workaround:
590966 When DNS server node is flapping, FQDN Template Pool Member state might not update properly. - The corresponding FQDN Template Node updates correctly. - FQDN Template Pool Members do not impact Pool health. - Does not impact traffic. Trigger DNS server UP/DOWN, or change DNS configuration to point to an unreachable/reachable DNS server. Can be confusing for administrators. Workaround: tmsh modify ltm pool <name> members modify { <name> { state user-up } }
591708 The HSB may drop off of the PCI bus. This results in failure to read the HSB registers, which is indicated by the following log entries in the tmm logfile: Device error: hsb_lbb1 hde1_crc_errs count 65535. Device error: hsb_lbb1 hde2_crc_errs count 65535. This is usually followed by SIGABRT. The subsequent TMM reload fails to load the HSB device. Querying the PCI bus (using lspci) shows that the HSB device is unavailable: 03:00.0 Ethernet controller: F5 Networks Inc. Device 0006 (rev ff) (prog-if ff) !!! Unknown header type 7f. Unknown. Disruption of traffic. Request unit reboot. Workaround: Reboot unit.
591789 IPv4 fragments are dropped when packet filtering is enabled. Packet filtering is enabled. IPv4 fragments with a non-zero offset are lost. Workaround: Disable packet filtering.
592048 When a system is configured with one or more custom provisioning profiles, modifications to these profiles have no immediate effect. Moreover, there is no indication the system must be rebooted before these changes take effect. Modify one or more custom provisioning profiles. Provisioning modifications do not have any effect until the system is rebooted. Workaround: Reboot after provisioning changes.
592194 An HSB transmitter failure occurs within a vCMP guest. This is indicated by the following in the tmm logs: panic: hsb interface 1 DMA lockup on transmitter failure. This may or may not be specific to a 5250 or vCMP guest. Unknown. Reboot of the unit. Workaround: None.
592620 iRule validation does not catch iRule with incorrect 'after' syntax. iRule with incorrect 'after' syntax. Traffic handled by the rule fails, generating Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''. Workaround: Correct the syntax error.
592770 Accelerated loose init connections may send seq number 0 on idle timeout reset. Virtual server configured with fastl4 with ePVA acceleration and loose initiation. Expiry of the idle timer causes a TCP reset to be sent. TCP reset will have a 0 sequence number. Workaround: While this will not necessarily cause issues, some applications might not interoperate correctly. In this case disabling PVA acceleration might be a valid workaround.
592780 Radius AVP parsing might get out of sync on Vendor-Specific AVP iRules and produce a Tcl error: Buffer error. This occurs when there is an iRule looking for a specific Vendor-Specific AVP, and a Radius Packet that contains a different Vendor-Specific AVP, that comes alphabetically before the one in the iRule. Tcl Error and potentially a dropped request. The error is similar to the following: err tmm3[12353]: 01220001:3: TCL error: /Common <CLIENT_ACCEPTED> - Buffer error (line 1) (line 1) invoked from within "RADIUS::avp 26 string vendor-id 9 vendor-type 1. Workaround: None.
592850 The tmm crashed while processing an IPsec request. The circumstances under which this occurs are not known at this time. The tmm restarts, a failover may occur. Workaround: None known.
593396 Stateless virtual servers might not work correctly if the configured pool member is reachable via a route pool or via several ECMP routes learned via dynamic routing. Stateless virtual server; pool reachable via route pool or via ECMP routes. Traffic might be dropped. Workaround: Use other virtual server types to process this traffic.
593536 Devices do not have matching configuration, but system reports device group as being "In Sync". Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful. BIG-IP incorrectly reports configuration is in-sync, despite the fact that it is not in sync. All sorts of failures or odd behavior or traffic impact can result from this. Workaround: Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices