Applies To:
Show Versions
BIG-IP AAM
- 11.5.7
BIG-IP APM
- 11.5.7
BIG-IP GTM
- 11.5.7
BIG-IP Link Controller
- 11.5.7
BIG-IP Analytics
- 11.5.7
BIG-IP LTM
- 11.5.7
BIG-IP AFM
- 11.5.7
BIG-IP PEM
- 11.5.7
BIG-IP ASM
- 11.5.7
BIG-IP Release Information
Version: 11.5.7
Build: 1.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v11.5.6 that are included in this release
Cumulative fixes from BIG-IP v11.5.5 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.5.x
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 630446-3 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
| 710148-6 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
| 694901 | CVE-2015-8710 | K45439210 | CVE-2015-8710: Libxml2 Vulnerability |
| 688625-4 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
| 662850-4 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
| 617273-4 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
| 605579-9 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subjected to entropy attack |
| 597652-1 | CVE-2015-3217 | K20225390 | CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match |
| 591438-3 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
| 673165-3 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
| 687193-2 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic |
| 686305-4 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
| 582773-3 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after revoked from parent |
| 603758-4 | CVE-2018-5540 | K82038789 | Big3D security hardening |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 710314-4 | 2-Critical | TMM may crash while processing HTML traffic | |
| 705476-6 | 2-Critical | Appliance Mode does not follow design best practices | |
| 693744-1 | 2-Critical | High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests | |
| 677088-6 | 3-Major | Qkview does not follow current best practices | |
| 674486-2 | 3-Major | Expat Vulnerability: CVE-2017-9233 | |
| 674320-4 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
| 672988-4 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
| 663924-4 | 3-Major | Qkview archives includes Kerberos keytab files | |
| 639575-3 | 3-Major | K63042400 | Using libtar with files larger than 2 GB will create an unusable tarball |
| 633465-1 | 3-Major | K09748643 | Curl cannot be forced to use TLSv1.0 or TLSv1.1 |
| 631172-2 | 3-Major | K54071336 | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
| 605270-3 | 3-Major | On some platforms the SYN-Cookie status report is not accurate | |
| 600558-10 | 3-Major | Errors logged after deleting user in GUI | |
| 598039-8 | 3-Major | MCP memory may leak when performing a wildcard query | |
| 589856 | 3-Major | iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients | |
| 589338-2 | 3-Major | Linux host may lose dynamic routes on secondary blades | |
| 585547-4 | 3-Major | K58243048 | NTP configuration items are no longer collected by qkview★ |
| 583502-3 | 3-Major | K58243048 | Considerations for transferring files from F5 devices |
| 539832-2 | 3-Major | Zebos: extended community attributes are exchanged incorrectly in BGP updates. | |
| 522304-1 | 3-Major | Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group | |
| 516540-2 | 3-Major | devmgmtd file object leak | |
| 508556-2 | 3-Major | K17035 | CSR missing SAN when renewing cert in GUI |
| 457149-1 | 3-Major | Remotely authenticated users may still obey local password policy | |
| 424542-2 | 3-Major | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments | |
| 660239-4 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present | |
| 645589 | 4-Minor | Password-less ssh access lost for non-admin users after tmsh load sys ucs | |
| 530530-4 | 4-Minor | tmsh sys log filter is displayed in UTC time | |
| 477700-2 | 4-Minor | K04116117 | Detail missing from power supply 'Bad' status log messages |
| 464650-2 | 4-Minor | Failure of mcpd with invalid authentication context. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 618905-2 | 1-Blocking | tmm core while installing Safenet 6.2 client | |
| 715923-4 | 2-Critical | When processing TLS traffic TMM may reset connections | |
| 682682-4 | 2-Critical | tmm asserts on a virtual server-to-virtual server connection | |
| 646643-4 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
| 625198-4 | 2-Critical | TMM might crash when TCP DSACK is enabled | |
| 581746-4 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
| 488908-3 | 2-Critical | K16808 | In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function. |
| 474797-1 | 2-Critical | Malformed SSL packets can cause errors in /var/log/ltm | |
| 450765-1 | 2-Critical | tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD | |
| 713951-1 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
| 711281-1 | 3-Major | nitrox_diag may run out of space on /shared | |
| 708653-5 | 3-Major | TMM may crash while processing TCP traffic | |
| 691806-5 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
| 680755-3 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
| 676355-4 | 3-Major | DTLS retransmission does not comply with RFC in certain resumed SSL session | |
| 641512-2 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
| 619849-1 | 3-Major | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. | |
| 603609-5 | 3-Major | Policy unable to match initial path segment when request-URI starts with "//" | |
| 603550-4 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
| 596433-1 | 3-Major | Virtual with lasthop configured rejects request with no route to client. | |
| 593390-1 | 3-Major | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. | |
| 591666-1 | 3-Major | TMM crash in DNS processing on TCP virtual with no available pool members | |
| 589400-5 | 3-Major | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. | |
| 568743-2 | 3-Major | TMM core when dnssec queries to dns-express zone exceed nethsm capacity | |
| 466875-3 | 3-Major | SNAT automap may select source address that is not attached to egress VLAN/interface | |
| 393647-1 | 3-Major | Objects configured with a connection rate-limit and yellow status | |
| 716922-6 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
| 708249-6 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
| 629033-1 | 4-Minor | BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). | |
| 604272-3 | 4-Minor | SMTPS profile connections_current stat does not reflect actual connection count. | |
| 589039-3 | 4-Minor | Clearing masquerade MAC results in unexpected link-local self IP addresses. | |
| 481820-2 | 4-Minor | Internal misbehavior of the SPDY filter |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 645615-4 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
| 642039-4 | 2-Critical | TMM core when persist is enabled for wideip with certain iRule commands triggered. | |
| 587617-4 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core | |
| 721895-3 | 3-Major | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | |
| 632423-1 | 3-Major | DNS::query can cause tmm crash if AXFR/IXFR types specified. | |
| 629530-8 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
| 625671-1 | 3-Major | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. | |
| 619398-3 | 3-Major | TMM out of memory causes core in DNS cache | |
| 657961 | 4-Minor | K44031930 | The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 716992-5 | 2-Critical | The ASM bd process may crash |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 672480-1 | 2-Critical | WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO | |
| 632798-3 | 2-Critical | Double-free may occur if Access initialization fails |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 559953-3 | 2-Critical | tmm core on long DIAMETER::host value |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 591828-3 | 3-Major | For unmatched connection, TCP RST may not be sent for data packet |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 468710-3 | 3-Major | K32093584 | Using non-standard lettercasing for header name results in misleading error during commit of transaction |
Cumulative fixes from BIG-IP v11.5.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 699803 | CVE-2018-5510 | K77671456 | TMM may crash while processing IPv6 traffic |
| 695901-4 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
| 681710-6 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
| 674189-5 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
| 670822-5 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
| 649907-4 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
| 649904-4 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
| 644904-3 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 |
K55129614 | tcpdump 4.9 |
| 643187-4 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
| 612128-2 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
| 704490-2 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
| 704483-2 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 |
K91229003 | CVE-2017-5753 (Spectre Variant 1) |
| 699455-1 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
| 676457-1 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
| 671497-3 | CVE-2017-3142 | K59448931 | TSIG authentication bypass in AXFR requests |
| 662663-5 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
| 645101-3 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
| 643375-3 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
| 635314-3 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
| 631688-3 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
| 631204-3 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
| 627907-4 | CVE-2017-6143 | K11464209 | Improve cURL usage |
| 625372-1 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
| 622178-4 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
| 621337-4 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
| 618261-4 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
| 618258-4 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
| 613225-4 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
| 605039-1 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
| 600248-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
| 600232-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
| 600223-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
| 599536-5 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
| 585424-4 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
| 572272-3 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
| 353229-4 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER |
| 622662-4 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
| 617901-4 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability. |
| 609691-5 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
| 600205-5 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
| 600198-5 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
| 598002-4 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
| 655021-4 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
| 621935-4 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
| 601268-2 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 570570-2 | 3-Major | Default crypto failure action is now 'go-offline-downlinks'. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 707226-4 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
| 534824-2 | 1-Blocking | K02954921 | Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction. |
| 475599-3 | 1-Blocking | full "/shared" filesystem prevents tmsh from running | |
| 470945-1 | 2-Critical | K16891 | Memory leak in Export Policy operation |
| 655649-5 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0 |
| 645179-4 | 3-Major | Traffic group becomes active on more than one BIG-IP after a long uptime | |
| 644184-6 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
| 624692-1 | 3-Major | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying | |
| 621314-1 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
| 610417-4 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
| 584583-2 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve large amount of data |
| 563905 | 3-Major | K62975642 | vCMP guest fails to go Active after the host system is rebooted |
| 423928-1 | 3-Major | K42630383 | syslog messages over 8 KB in length cause logstatd to exit |
| 524606-2 | 4-Minor | SElinux violations prevent cpcfg from touching /service/mcpd/forceload |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 621452-4 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
| 670804 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
| 646604-4 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
| 622856-2 | 2-Critical | BIG-IP may enter SYN cookie mode later than expected | |
| 613524-1 | 2-Critical | TMM crash when call HTTP::respond twice in LB_FAILED | |
| 600982-7 | 2-Critical | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" | |
| 341928-6 | 2-Critical | CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM. | |
| 685615-1 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
| 677525-4 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
| 664769-3 | 3-Major | TMM may restart when using SOCKS profile and an iRule | |
| 662881-4 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
| 633691-2 | 3-Major | HTTP transaction may not finish gracefully due to TCP connection is closed by RST | |
| 604880-1 | 3-Major | tmm assert "valid pcb" in tcp.c | |
| 572234-4 | 3-Major | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. | |
| 517456-2 | 3-Major | K00254480 | Resetting virtual server stat increments cur_conns stat in clientssl profile |
| 507554-2 | 3-Major | K13741128 | Uneven egress traffic distribution on trunk with odd number of members |
| 496950-2 | 3-Major | Flows may not be mirrored successfully when static routes and gateways are defined. | |
| 494333-1 | 3-Major | In specific cases, persist cookie insert fails to insert a session cookie when using an iRule | |
| 435055-2 | 3-Major | K17291 | ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert) |
| 248914-5 | 3-Major | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address | |
| 554774-3 | 4-Minor | Persist lookup across services might fail to return a matching record when multiple records exist. | |
| 511985-2 | 4-Minor | Large numbers of ERR_UNKNOWN appearing in the logs | |
| 495242 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 562921-2 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
| 663310-1 | 3-Major | named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★ | |
| 654599-3 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
| 644220-1 | 4-Minor | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 691670-1 | 2-Critical | Rare BD crash in a specific scenario | |
| 679603-4 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
| 706304-1 | 3-Major | ASU and other Update Check services overload F5 download server | |
| 697303-5 | 3-Major | BD crash | |
| 696265-1 | 3-Major | BD crash | |
| 695878-1 | 3-Major | Signature enforcement issue on specific requests | |
| 694922-1 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
| 685207-4 | 3-Major | DoS client side challenge does not encode the Referer header. | |
| 683241-5 | 3-Major | K70517410 | Improve CSRF token handling |
| 504917-2 | 3-Major | In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 693739-4 | 2-Critical | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled | |
| 499800-2 | 2-Critical | Customized logout page is not displayed after logon failure | |
| 702490-6 | 3-Major | Windows Credential Reuse feature may not work | |
| 692369-1 | 3-Major | TMM crash caused by SSOv2 form based due to null config | |
| 689826-4 | 3-Major | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) | |
| 684937-4 | 3-Major | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users | |
| 683113-4 | 3-Major | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users | |
| 678976-4 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
| 610582-8 | 3-Major | Device Guard prevents Edge Client connections | |
| 590345-4 | 3-Major | ACCESS policy running iRule event agent intermittently hangs | |
| 563135-2 | 3-Major | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt | |
| 541622-3 | 3-Major | APD/APMD Crashes While Verifying CAPTCHA | |
| 436489-3 | 3-Major | Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail. |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 696049-5 | 3-Major | K55660303 | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 447570-1 | 2-Critical | tmm sigsegv |
Cumulative fixes from BIG-IP v11.5.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 684879-4 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
| 653993-1 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
| 653880-2 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
| 652516-2 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
| 648865-3 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
| 644693-6 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
| 641360-4 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
| 630475-3 | CVE-2017-6162 | K13421245 | TMM Crash |
| 626360-4 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
| 624903-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
| 610255-3 | CVE-2017-6161 | K62279530 | CMI improvement |
| 580026-4 | CVE-2017-6165 | K74759095 | HSM logging error |
| 573778-5 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
| 563154-3 | CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 | K31026324 K94105604 K90230486 | Multiple Linux Kernel vulnerabilities |
| 560109-4 | CVE-2017-6160 | K19430431 | Client capabilities failure |
| 540174-2 | CVE-2015-5364 CVE-2015-5366 | K17307 K17309 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html |
| 655059-1 | CVE-2017-6134 | K37404773 | TMM Crash |
| 648217-2 | CVE-2017-6074 | K82508682 | CVE-2017-6074: Linux Kernel Vulnerability |
| 638137-3 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
| 614147-4 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
| 614097-4 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
| 613127-5 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
| 600069-4 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
| 592485-1 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
| 582813-4 | CVE-2016-0774 | K08440897 | Linux Kernel CVE-2016-0774 |
| 540018-3 | CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 | K16429 K15685 K15912 | Multiple Linux Kernel Vulnerabilities |
| 533413-3 | CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 | K51518670 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html |
| 527563-5 | CVE-2015-1805 CVE-2015-3331 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 | K17458 K16819 K17551 K17543 K17241 | Kernel Vulnerabilities |
| 492732-1 | CVE-2014-3184 | K15912 | Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 651772-6 | 3-Major | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates | |
| 545263-2 | 3-Major | Add SSL maximum aggregate active handshakes per profile and per global | |
| 441079-4 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 641013-4 | 2-Critical | GRE tunnel traffic pinned to one TMM | |
| 625824-4 | 2-Critical | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory | |
| 542097-6 | 2-Critical | Update to RHEL6 kernel | |
| 448409-5 | 2-Critical | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle |
| 667278-6 | 3-Major | DSC connections between BIG-IP units may fail to establish | |
| 623930-1 | 3-Major | vCMP guests with vlangroups may loop packets internally | |
| 621273-5 | 3-Major | DSR tunnels with transparent monitors may cause TMM crash. | |
| 617628-3 | 3-Major | SNMP reports incorrect value for sysBladeTempTemperature OID | |
| 612721 | 3-Major | FIPS: .exp keys cannot be imported when the local source directory contains .key file | |
| 601709-4 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
| 467195-1 | 3-Major | Allow special characters importing SSL Key and Certificate except backslash. | |
| 460176-3 | 3-Major | Hardwired failover asserts active even when standalone |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 659899-4 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
| 597978-5 | 2-Critical | GARPs may be transmitted by active going offline | |
| 515915-3 | 2-Critical | K47804233 | Server side timewait close state causes long establishment under port reuse |
| 503125-2 | 2-Critical | Excessive MPI net traffic can cause tmm panics on chassis systems | |
| 658214-4 | 3-Major | K20228504 | TCP connection fail intermittently for mirrored fastl4 virtual server |
| 613369-5 | 3-Major | Half-Open TCP Connections Not Discoverable | |
| 611278-1 | 3-Major | Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered | |
| 587705-6 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
| 554295-5 | 3-Major | CMP disabled flows are not properly mirrored | |
| 542009-3 | 3-Major | K01162427 | tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. |
| 536563-4 | 3-Major | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. | |
| 528198-1 | 3-Major | reject in iRule event FLOW_INIT may not respond with a RST | |
| 520604-6 | 3-Major | K52431550 | Route domain creation may fail if simultaneously creating and modifying a route domain |
| 494977-1 | 3-Major | Rare outages possible when using config sync and node-based load balancing | |
| 488921-3 | 3-Major | BIG-IP system sends unnecessary gratuitous ARPs | |
| 452443-3 | 3-Major | DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured | |
| 225634-6 | 3-Major | K12947 | The rate class feature does not honor the Burst Size setting. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 568347-3 | 2-Critical | BD Memory corruption | |
| 520038-2 | 3-Major | Added/updated signatures are added to certain corrupted Manual user-defined sets. | |
| 441075-6 | 3-Major | Newly added or updated signatures are erroneously added to Manual user-defined signature sets. |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 679235-3 | 2-Critical | Inspection Host NPAPI Plugin for Safari can not be installed | |
| 666454-4 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
| 620829-5 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly | |
| 597214-6 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly | |
| 445483-2 | 3-Major | SSO does not work with Password with '+' character for Citrix Storefront integration mode |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release
Functional Change Fixes
None
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 656902 | 2-Critical | Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile | |
| 655756 | 2-Critical | TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms. | |
| 587691-2 | 2-Critical | K41679973 | TMM crashes upon SSL handshake cancellation. |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 616772-3 | CVE-2014-3568 | K15724 | CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager) |
| 616765-3 | CVE-2013-6449 | K15147 | CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager) |
| 636702-1 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
| 636700-2 | CVE-2016-9147 | K02138183 | BIND vulnerability CVE-2016-9147 |
| 636699-3 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
| 632618 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
| 631582-3 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
| 624570-4 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
| 624457-2 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
| 616864-4 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
| 616498-3 | CVE-2009-3245 | K15404 | CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager) |
| 616491-3 | CVE-2006-3738 | K6734 | CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager) |
| 611830 | CVE-2016-7468 | K13053402 | TMM may crash when processing TCP traffic |
| 611469-6 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
| 597394-5 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
| 596340-4 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
| 591328-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591327-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591325-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
| 591042-6 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
| 508057-2 | CVE-2015-0411 | K44611310 | MySQL Vulnerability CVE-2015-0411 |
| 635412-1 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
| 623119-3 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
| 622496-3 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
| 604442-3 | CVE-2016-6249 | K12685114 | iControl log |
| 601938-5 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
| 597023-5 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
| 594496-4 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
| 593447-3 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
| 591455-3 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
| 591447-4 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
| 587077-4 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
| 526514-2 | CVE-2016-3687 | K26738102 | Open redirect via SSO_ORIG_URI parameter in multi-domain SSO |
| 524279-4 | CVE-2015-4000 | K16674 | CVE-2015-4000: TLS vulnerability |
| 520924-3 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
| 475743-2 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
| 416734-2 | CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 | K15867 | Multiple Perl Vulnerabilities |
| 635933-2 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
| 599285-5 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
| 597010-5 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
| 596997-5 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
| 591767-4 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
| 573343-4 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 633723-1 | 3-Major | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot | |
| 620712 | 3-Major | Added better search capabilities on the Pool Members Manage & Pool Create page. | |
| 561348-2 | 3-Major | krb5.conf file is not synchronized between blades and not backed up | |
| 541549-3 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. | |
| 530109-1 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. | |
| 511818-5 | 3-Major | Support RSASSA-PSS signature algorithm in server SSL certificate | |
| 454492-2 | 3-Major | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 638935-1 | 2-Critical | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
| 624263-1 | 2-Critical | iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response | |
| 614865 | 2-Critical | Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors. | |
| 610354-3 | 2-Critical | TMM crash on invalid memory access to loopback interface stats object | |
| 605476 | 2-Critical | statsd can core when reading corrupt stats files. | |
| 601527-1 | 2-Critical | mcpd memory leak and core | |
| 600396-1 | 2-Critical | iControl REST may return 404 for all requests in AWS | |
| 570663-2 | 2-Critical | Using iControl get_certificate_bundle_v2 causes a memory leak | |
| 562959-3 | 2-Critical | In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel. | |
| 551661-3 | 2-Critical | Monitor with send/receive string containing double-quote may fail to load. | |
| 483373-1 | 2-Critical | Incorrect bash prompt for created admin role users | |
| 467847-1 | 2-Critical | passphrase visible in audit log | |
| 440752-2 | 2-Critical | qkview might loop writing output file if MCPD fails during execution | |
| 355806-2 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd | |
| 631627-3 | 3-Major | Applying BWC over route domain sometimes results in tmm not becoming ready on system start | |
| 631530 | 3-Major | K32246335 | TAI offset not adjusted immediately during leap second |
| 628164-1 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
| 624931 | 3-Major | getLopSensorData "sensor data reply too short" errors with FND300 DC PSU | |
| 621417-2 | 3-Major | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. | |
| 621242-2 | 3-Major | Reserve enough space in the image for future upgrades. | |
| 620659-1 | 3-Major | The BIG-IP system may unecessarily run provisioning on successive reboots | |
| 616242-1 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
| 615934 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
| 614675 | 3-Major | iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile | |
| 608320-2 | 3-Major | iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response | |
| 604237-1 | 3-Major | Vlan allowed mismatch found error in VCMP guest | |
| 596814-2 | 3-Major | HA Failover fails in certain valid AWS configurations | |
| 595773-6 | 3-Major | Cancellation requests for chunked stats queries do not propagate to secondary blades | |
| 560510-4 | 3-Major | Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down. | |
| 558858-1 | 3-Major | K80079953 | Unexpected loss of communication between slots of a vCMP Guest |
| 556277-4 | 3-Major | Config Sync error after hotfix installation (chroot failed rsync error)★ | |
| 534021-1 | 3-Major | HA on AWS uses default AWS endpoint (EC2_URL). | |
| 533813-2 | 3-Major | Internal Virtual Server in partition fails to load from saved config | |
| 502714-6 | 3-Major | K75031635 | Deleting files and file object references in a single transaction might cause validation errors |
| 502049-3 | 3-Major | Qkview may store information in the wrong format | |
| 502048-3 | 3-Major | Qkview may store information in the wrong format | |
| 499537-2 | 3-Major | K22406859 | Qkview may store information in the wrong format |
| 491406-2 | 3-Major | TMM SIGSEGV in sctp_output due to NULL snd_dst | |
| 460833-2 | 3-Major | MCPD sync errors and restart after multiple modifications to file object in chassis | |
| 420438-2 | 3-Major | Default routes from standby system when HA is configured in NSSA | |
| 393270-3 | 3-Major | Configuration utility may become non-responsive or fail to load. | |
| 605661-1 | 4-Minor | Update TZ data | |
| 601927-4 | 4-Minor | K52180214 | Security hardening of control plane |
| 599191-1 | 4-Minor | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card | |
| 589379-1 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
| 551208-3 | 4-Minor | Nokia alarms are not deleted due to the outdated alert_nokia.conf. | |
| 516841-3 | 4-Minor | Unable to log out of the GUI in IE8 | |
| 500452-3 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
| 471827-2 | 4-Minor | Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist★ | |
| 457951-3 | 4-Minor | K19305339 | openldap/ldap.conf file is not part of ucs backup archive. |
| 442231-1 | 5-Cosmetic | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 637181-2 | 2-Critical | VIP-on-VIP traffic may stall after routing updates | |
| 622166-1 | 2-Critical | HTTP GET requests with HTTP::cookie iRule command receive no response | |
| 619071-1 | 2-Critical | OneConnect with verified accept issues | |
| 616215-1 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule | |
| 611704-1 | 2-Critical | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event | |
| 605865-1 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets | |
| 603667-1 | 2-Critical | TMM may leak or corrupt memory when configuration changes occur with plugins in use | |
| 597966-1 | 2-Critical | ARP/neighbor cache nexthop object can be freed while still referenced by another structure | |
| 588351-3 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. | |
| 578045-5 | 2-Critical | The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks | |
| 576897-2 | 2-Critical | Using snat/snatpool in related-rule results in crash | |
| 575011-9 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
| 574153-3 | 2-Critical | If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout. | |
| 565409-3 | 2-Critical | Invalid MSS with HW syncookies and flow forwarding | |
| 559973-5 | 2-Critical | Nitrox can hang on RSA verification | |
| 526367-2 | 2-Critical | tmm crash | |
| 488686-4 | 2-Critical | K24980114 | Large file transfer hangs when HTTP is in passthrough mode |
| 484214-3 | 2-Critical | Nitrox got stuck when processed certain SSL records | |
| 477195-1 | 2-Critical | OSPFv3 session gets stuck in loading state | |
| 469770-3 | 2-Critical | System outage can occur with MPTCP traffic. | |
| 411233-2 | 2-Critical | New pool members take all requests until lb_value catches up. | |
| 629771 | 3-Major | the TCP::unused_port does erroneous accept IPV4_COMPAT addresses | |
| 621465 | 3-Major | The minimum IP packet fragment size is now 1 and not 24 | |
| 617862-3 | 3-Major | Fastl4 handshake timeout is absolute instead of relative | |
| 617824-1 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken | |
| 610609-4 | 3-Major | Total connections in bigtop, SNMP are incorrect | |
| 610429-2 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument | |
| 608551-2 | 3-Major | Half-closed congested SSL connections with unclean shutdown might stall. | |
| 608024-2 | 3-Major | Unnecessary DTLS retransmissions occur during handshake. | |
| 607304-1 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. | |
| 606575-2 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. | |
| 604977-4 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
| 604496-1 | 3-Major | SQL (Oracle) monitor daemon might hang. | |
| 603723-1 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
| 603606-1 | 3-Major | tmm core | |
| 600827-3 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
| 598874-1 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout | |
| 597089-3 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration | |
| 592871-1 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. | |
| 592784 | 3-Major | Compression stalls, does not recover, and compression facilities cease. | |
| 591789 | 3-Major | IPv4 fragments are dropped when packet filtering is enabled. | |
| 591659-2 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
| 591476-6 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
| 588572-2 | 3-Major | Unnecessary re-transmission of packets on higher ICMP PMTU. | |
| 588569-2 | 3-Major | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. | |
| 588115-4 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw | |
| 587892 | 3-Major | Multiple iRule proc names might clash, causing the wrong rule to be executed. | |
| 586738-3 | 3-Major | The tmm might crash with a segfault. | |
| 584310 | 3-Major | K83393638 | TCP:Collect ignores the 'skip' parameter when used in serverside events |
| 584029-7 | 3-Major | Fragmented packets may cause tmm to core under heavy load | |
| 583957-3 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. | |
| 579926-2 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode | |
| 579843-4 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states | |
| 572281-3 | 3-Major | Variable value in the nesting script of foreach command get reset when there is parking command in the script | |
| 568543-2 | 3-Major | Syncookie mode is activated on wildcard virtuals | |
| 556117-1 | 3-Major | client-ssl profile is case-sensitive when checking server_name extension | |
| 555432-2 | 3-Major | Large configuration files may go missing on secondary blades | |
| 554761-4 | 3-Major | Unexpected handling of TCP timestamps under syncookie protection. | |
| 549329-2 | 3-Major | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
| 545450-2 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure | |
| 537326-4 | 3-Major | NAT available in DNS section but config load fails with standalone license | |
| 528734-1 | 3-Major | K04711825 | TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received. |
| 519746-2 | 3-Major | ICMP errors may reset FastL4 connections unexpectedly | |
| 512119-3 | 3-Major | Improved UDP DNS packet truncation | |
| 508486-1 | 3-Major | TCP connections might stall if initialization fails | |
| 503214-11 | 3-Major | Under heavy load, hardware crypto queues may become unavailable. | |
| 500003-3 | 3-Major | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP | |
| 499478-3 | 3-Major | K16850453 | Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate |
| 483257-2 | 3-Major | K17051 | Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP |
| 468820-2 | 3-Major | MPTCP Flows may hang whan an MTU mismatch occurs on the network. | |
| 468300-3 | 3-Major | Filters may not work correctly with websockets or CONNECT | |
| 464801-1 | 3-Major | Intermittent tmm core | |
| 455553-8 | 3-Major | ICMP PMTU handling causes multiple retransmissions | |
| 442539-3 | 3-Major | OneConnect security improvements. | |
| 442455-4 | 3-Major | Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces. | |
| 437256-1 | 3-Major | clientssl profile has no key/cert pair | |
| 423392-7 | 3-Major | tcl_platform is no longer in the static:: namespace | |
| 598860-5 | 4-Minor | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address | |
| 587966-5 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
| 538708-2 | 4-Minor | TMM may apply SYN cookie validation to packets before generating any SYN cookies | |
| 536868-2 | 4-Minor | Packet Sizing Issues after Receipt of PMTU | |
| 486485-2 | 4-Minor | TCP MSS is incorrect after ICMP PMTU message. | |
| 356841-2 | 5-Cosmetic | Don't unilaterally set Connection: Keep-Alive when compressing |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603598-1 | 2-Critical | big3d memory under extreme load conditions | |
| 642330-4 | 3-Major | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
| 624193 | 3-Major | Topology load balancing not working as expected | |
| 613576-9 | 3-Major | QOS load balancing links display as gray | |
| 589256-4 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
| 487144-1 | 3-Major | tmm intermittently reports that it cannot find FIPS key | |
| 615187 | 4-Minor | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 614441-1 | 1-Blocking | K04950182 | False Positive for illegal method (GET) |
| 602749 | 2-Critical | Memory exhaustion when asking for missing page of learning suggestion occurrences | |
| 577668-2 | 2-Critical | ASM Remote logger doesn't log 64 KB request. | |
| 499347 | 2-Critical | JSON UTF16 content could be blocked by ASM as Malformed JSON | |
| 616169-1 | 3-Major | ASM Policy Export returns HTML error file | |
| 615695 | 3-Major | Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2 | |
| 603945-3 | 3-Major | BD config update should be considered as config addition in case of update failure | |
| 576591-3 | 3-Major | Support for some future credit card number ranges | |
| 562775-3 | 3-Major | Memory leak in iprepd | |
| 366605-2 | 3-Major | response_log_size_limit does not limit the log size. | |
| 463314-1 | 4-Minor | Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 565085-4 | 3-Major | Analytics profile allows invalid combination of entities for Alerts setup | |
| 560114-2 | 3-Major | Monpd is being affected by an I/O issue which makes some of its threads freeze | |
| 491185-3 | 3-Major | URL Latencies page: pagination limited to 180 pages |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 618324-3 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor | |
| 592868-1 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value | |
| 591117-2 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory | |
| 536683-1 | 2-Critical | tmm crashes on "ACCESS::session data set -secure" in iRule | |
| 511478-1 | 2-Critical | Possible TMM crash when evaluating expression for per-request policy agents. | |
| 428068-2 | 2-Critical | Insufficiently detailed causes for session deletion. | |
| 625376-2 | 3-Major | In some cases, download of PAC file by edge client may fail | |
| 613613 | 3-Major | Incorrect handling of form that contains a tag with id=action | |
| 612419-3 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) | |
| 610243-1 | 3-Major | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication | |
| 610180-5 | 3-Major | SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin. | |
| 604767-6 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object. | |
| 601407 | 3-Major | Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards | |
| 600116 | 3-Major | DNS resolution request may take a long time in some cases | |
| 598981-1 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
| 598211-3 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. | |
| 597431-6 | 3-Major | VPN establishment may fail when computer wakes up from sleep | |
| 597429 | 3-Major | eam maintains lock on /var/log/apm.1 after logrotate | |
| 592869 | 3-Major | Syntax Error when reimporting exported content containing acl-order 0 | |
| 592414-3 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed | |
| 590820-5 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. | |
| 586718-5 | 3-Major | Session variable substitutions are logged | |
| 586006-5 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present | |
| 582440-1 | 3-Major | Linux client does not restore route to the default GW on Ubuntu 15.10 | |
| 568445-7 | 3-Major | User cannot perform endpoint check or launch VPN from Firefox on Windows 10 | |
| 565167-3 | 3-Major | Additional garbage data being logged on user name and domain name for NTLM authentication | |
| 563349-2 | 3-Major | On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established | |
| 561798-3 | 3-Major | Windows edge client may show scripting error on certain 3rd party authentication sites | |
| 556088-2 | 3-Major | In a chassis system with APM provisioned mcpd daemon on secondary blade will restart. | |
| 553063-4 | 3-Major | Epsec version rolls back to previous version on a reboot | |
| 553037 | 3-Major | iOS Citrix Receiver web interface mode cannot launch the apps | |
| 551260-3 | 3-Major | When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated | |
| 525429-13 | 3-Major | DTLS renegotiation sequence number compatibility | |
| 508337-5 | 3-Major | In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access | |
| 451301-2 | 3-Major | HTTP iRules break Citrix HTML5 functionality | |
| 450314-1 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly | |
| 447565-4 | 3-Major | K33692321 | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
| 424368-3 | 3-Major | parent.document.write(some_html_with_script) hangs up parent frame for IE browsers | |
| 389484-5 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later | |
| 584373-1 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 467542-1 | 2-Critical | TMM core in AAM assembly code during high memory utilization | |
| 474445-3 | 3-Major | TMM crash when processing unexpected HTTP response in WAM |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 619757-4 | 2-Critical | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 649933-5 | 3-Major | Fragmented RADIUS messages may be dropped | |
| 550434-4 | 3-Major | Diameter connection may stall if server closes connection before CER/CEA handshake completes | |
| 489957-8 | 3-Major | RADIUS::avp command fails when AVP contains multiple attribute (VSA). |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 596134-1 | 2-Critical | TMM core with PEM virtual server | |
| 472106-1 | 2-Critical | TMM crash in a rare case of flow optimization |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 600662-5 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
| 599168-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 598983-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 596488-5 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
| 570716-1 | CVE-2016-5736 | K10133477 | BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 |
| 569467-2 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
| 565169-1 | CVE-2013-5825 CVE-2013-5830 | K48802597 | Multiple Java Vulnerabilities |
| 591806-4 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
| 580596-5 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
| 579955-4 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
| 577826-3 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
| 573124-5 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
| 572495-4 | CVE-2016-5023 | K19784568 | TMM may crash if it receives a malformed packet CVE-2016-5023 |
| 563670-5 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
| 539923-2 | CVE-2016-1497 | K31925518 | BIG-IP APM access logs vulnerability CVE-2016-1497 |
| 457811-1 | CVE-2013-6438 CVE-2014-0098 | K15300 | CVE-2013-6438 : HTTPD Vulnerability |
| 452318-2 | CVE-2014-0050 | K15189 | Apache Commons FileUpload vulnerability CVE-2014-0050 |
| 591918-6 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
| 591908-6 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
| 591894-6 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
| 591881-5 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
| 582952 | CVE-2011-5321 CVE-2012-6647 CVE-2012-6657 CVE-2013-0190 CVE-2013-0228 CVE-2013-1860 CVE-2013-2596 CVE-2013-2851 CVE-2013-4483 CVE-2013-4591 CVE-2013-6367 CVE-2013-6381 CVE-2013-6383 CVE-2013-7339 CVE-2014-0055 CVE-2014-0077 | K31300371 | Linux kernel vulnerability CVE-2013-4483 |
| 579220-2 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
| 564111-2 | CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
| 550596-2 | CVE-2016-6876 | K52638558 | RESOLV::lookup iRule command vulnerability CVE-2016-6876 |
| 541231-1 | CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 | K16704 K16707 | Resolution of multiple curl vulnerabilities |
| 486791-3 | CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 | K16939 | Resolution of multiple wireshark vulnerabilities |
| 616382 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability (TMM) |
| 580340-4 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
| 580313-4 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
| 579975-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
| 579829-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
| 579237-4 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
| 579085-3 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
| 578570-3 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
| 577828-4 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
| 577823-3 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
| 567379-2 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
| 565895-3 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
| 551287-3 | CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
| 481806-4 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
| 437285-4 | CVE-2013-3571 CVE-2012-0219 CVE-2010-2799 | K14919 | Multiple socat vulnerabilities |
| 416372-3 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
| 570667-10 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 583631-1 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. | |
| 445633-2 | 2-Critical | Config sync of SecurID config file fails on secondary blades | |
| 560405-5 | 3-Major | Optional target IP address and port in the 'virtual' iRule API is not supported. | |
| 532685-5 | 3-Major | PAC file download errors disconnect the tunnel | |
| 544325-2 | 4-Minor | K83161025 | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |
| 483508-2 | 4-Minor | K70333230 | Large values may display as negative numbers for 32-bit integer variables in the MIB |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 572600 | 1-Blocking | mcpd can run out of file descriptors | |
| 538761-1 | 1-Blocking | scriptd may core when MCP connection is lost | |
| 596603-5 | 2-Critical | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. | |
| 583936-1 | 2-Critical | Removing ECMP route from BGP does not clear route from NSM | |
| 582295 | 2-Critical | K62302950 | ospfd core dump when redistributing NSSA routes in a HA failover |
| 574116-3 | 2-Critical | MCP may crash when syncing configuration between device groups | |
| 568889-5 | 2-Critical | K22989000 | Some ZebOS daemons do not start on blade transition secondary to primary. |
| 564427-1 | 2-Critical | Use of iControl call get_certificate_list_v2() causes a memory leak. | |
| 563064-5 | 2-Critical | Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory | |
| 561814-4 | 2-Critical | TMM Core on Multi-Blade Chassis | |
| 559034-3 | 2-Critical | Mcpd core dump in the sync secondary during config sync | |
| 557144-1 | 2-Critical | Dynamic route flapping may lead to tmm crash | |
| 556380-3 | 2-Critical | mcpd can assert on active connection deletion | |
| 539784-2 | 2-Critical | HA daemon_heartbeat mcpd fails on load sys config | |
| 529141-4 | 2-Critical | K95285012 | Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error★ |
| 510979-2 | 2-Critical | Password-less SSH access after tmsh load of UCS may require password after install. | |
| 507499-2 | 2-Critical | TMM can watchdog under extreme memory pressure. | |
| 506199-8 | 2-Critical | VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles | |
| 505071-2 | 2-Critical | Delete and create of the same object can cause secondary blades' mcpd processes to restart. | |
| 490801-3 | 2-Critical | mod_ssl: missing support for TLSv1.1 and TLSv1.2 | |
| 595874-3 | 3-Major | Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★ | |
| 586878-1 | 3-Major | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ | |
| 583285-2 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
| 579284-5 | 3-Major | Potential memory corruption in MCPd | |
| 579047 | 3-Major | Unable to update the default http-explicit profile using the GUI. | |
| 576305-1 | 3-Major | Potential MCPd leak in IPSEC SPD stats query code | |
| 575735-1 | 3-Major | Potential MCPd leak in global CPU info stats code | |
| 575726-1 | 3-Major | MCPd might leak memory in vCMP interface stats. | |
| 575716-1 | 3-Major | MCPd might leak memory in VCMP base stats. | |
| 575708-1 | 3-Major | MCPd might leak memory in CPU info stats. | |
| 575671-1 | 3-Major | MCPd might leak memory in host info stats. | |
| 575619-1 | 3-Major | Potential MCPd leak in pool member stats query code | |
| 575608-1 | 3-Major | MCPd might leak memory in virtual server stats query. | |
| 575587-1 | 3-Major | Potential MCPd leak in BWC policy class stats query code | |
| 575027-3 | 3-Major | Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues. | |
| 574045-3 | 3-Major | BGP may not accept attributes using extended length | |
| 573529 | 3-Major | F-bit is not set in IPv6 OSPF Type-7 LSAs | |
| 571344-2 | 3-Major | SSL Certificate with special characters might cause exception when GUI retrieves items list page.★ | |
| 571210-3 | 3-Major | Upgrade, load config, or sync might fail on large configs with large objects. | |
| 571019-2 | 3-Major | Topology records can be ordered incorrectly. | |
| 570053-1 | 3-Major | K78448635 | HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync. |
| 569356-5 | 3-Major | K91428939 | BGP ECMP learned routes may use incorrect VLAN for nexthop |
| 569236-2 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
| 565534-3 | 3-Major | K40254066 | Some failover configuration items may fail to take effect |
| 563475-1 | 3-Major | K00301400 | ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. |
| 562044-1 | 3-Major | Statistics slow_merge option does not work | |
| 560975-1 | 3-Major | iControl can remove hardware SSL keys while in use | |
| 559939-3 | 3-Major | K30040319 | Changing hostname on host sometimes causes blade to go RED / HA TABLE offline |
| 558779-5 | 3-Major | SNMP dot3 stats occassionally unavailable | |
| 558573-3 | 3-Major | K65352421 | MCPD restart on secondary blade after updating Pool via GUI |
| 557281-3 | 3-Major | The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100% | |
| 556252 | 3-Major | sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis | |
| 555905-1 | 3-Major | sod health logging inconsistent when device removed from failover group or device trust | |
| 555039-1 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
| 554563-2 | 3-Major | Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics. | |
| 554340-2 | 3-Major | IPsec tunnels fail when connection.vlankeyed db variable is disabled | |
| 553795-3 | 3-Major | Differing certificate/key after successful config-sync | |
| 553649 | 3-Major | The SNMP daemon might lock up and fail to respond to SNMP requests. | |
| 551927-3 | 3-Major | ePVA snoop header's transform vlan should be set properly under asymmetric routing condition | |
| 551742-1 | 3-Major | Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades | |
| 549971-3 | 3-Major | Some changes to virtual servers' profile lists may cause secondary blades to restart | |
| 549543-2 | 3-Major | K37436054 | DSR rejects return traffic for monitoring the server |
| 548385-1 | 3-Major | K25231211 | iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results |
| 547942 | 3-Major | SNMP ipAdEntAddr indicates floating vlan IP rather than local IP | |
| 547532-6 | 3-Major | Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades | |
| 542742-3 | 3-Major | K07038540 | SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m). |
| 541316-5 | 3-Major | K41175594 | Unexpected transition from Forced Offline to Standby to Active |
| 540996-4 | 3-Major | Monitors with a send attribute set to 'none' are lost on save | |
| 539125-1 | 3-Major | SNMP: ifXTable walk should produce the available counter values instead of zero | |
| 530242-4 | 3-Major | K08654415 | SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs |
| 529484-3 | 3-Major | Virtual Edition Kernel Panic under load | |
| 527168-3 | 3-Major | In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535 | |
| 527145-3 | 3-Major | K53232218 | On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown. |
| 520408-1 | 3-Major | TMM ASSERTs due to subkey_record field corruption in the SessionDB. | |
| 517209-6 | 3-Major | K81807474 | tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable |
| 517020-4 | 3-Major | SNMP requests fail and subsnmpd reports that it has been terminated. | |
| 515667-6 | 3-Major | Unique truncated SNMP OIDs. | |
| 512954-1 | 3-Major | ospf6d might leak memory distribute-list is used | |
| 510580-3 | 3-Major | Interfaces might be re-enabled unexpectedly when loading a partition | |
| 508076-1 | 3-Major | Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name. | |
| 496679-3 | 3-Major | Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.★ | |
| 491716-3 | 3-Major | SNMP attribute type incorrect for certain OIDs | |
| 487625-4 | 3-Major | Qkview might hang | |
| 486725-1 | 3-Major | GUI creating key files with .key extensions in the name causing errors | |
| 486512-8 | 3-Major | audit_forwarder sending invalid NAS IP Address attributes | |
| 483228-8 | 3-Major | The icrd_child process generates core when terminating | |
| 478215-5 | 3-Major | The command 'show ltm pool detail' returns duplicate members in some cases | |
| 474194-4 | 3-Major | iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks | |
| 453949-3 | 3-Major | small memory leak observed in audit_forwarder | |
| 451494-1 | 3-Major | SSL Key/Certificate in different partition with Subject Alternative Name (SAN) | |
| 446493-3 | 3-Major | foreign key index error on local traffic-only group★ | |
| 425980-2 | 3-Major | Blade number not displayed in CPU status alerts | |
| 421971-7 | 3-Major | Renewing certificates with SAN input in the GUI leads to error. | |
| 418664-3 | 3-Major | K21485342 | Configuration utility CSRF vulnerability |
| 405635-5 | 3-Major | Using the restart cm trust-domain command to recreate certificates required by device trust. | |
| 405611-2 | 3-Major | K61045143 | Configuration utility CSRF vulnerability |
| 400456-2 | 3-Major | HTTP monitors with long send or receive strings may not save or update | |
| 372118-1 | 3-Major | import_all_from_archive_file and import_all_from_archive_stream does not create file objects. | |
| 339825-2 | 3-Major | Management.KeyCertificate.install_certificate_from_file failing silently | |
| 553174-2 | 4-Minor | Unable to query admin IP via SNMP on VCMP guest | |
| 551481-4 | 4-Minor | 'tmsh show net cmetrics' reports bandwidth = 0 | |
| 551349-1 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
| 548053-1 | 4-Minor | K33462128 | User with 'Application Editor' role set cannot modify 'Description' field using the GUI. |
| 536746-2 | 4-Minor | K88051173 | LTM : Virtual Address List page uses LTM : Nodes List search filter. |
| 535544-7 | 4-Minor | Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled | |
| 533480-4 | 4-Minor | K43353404 | qkview crash |
| 519216-3 | 4-Minor | Abnormally high CPU utilization from external SSL/OpenSSL monitors | |
| 511332-1 | 4-Minor | K35266322 | Cannot view Pools list by Address |
| 481003-1 | 4-Minor | 'General database error' trying to view Local Traffic :: Pools :: Pool List. | |
| 468949-1 | 4-Minor | audit_forwarded started error message | |
| 466612-2 | 4-Minor | Missing sys DeviceModel OID for VIPRION C2200 chassis | |
| 452487-5 | 4-Minor | Incremental sync causes incorrect accounting of member count of pools | |
| 447364-2 | 4-Minor | BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU | |
| 401893-2 | 4-Minor | Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies | |
| 572133-3 | 5-Cosmetic | tmsh save /sys ucs command sends status messages to stderr | |
| 524281-1 | 5-Cosmetic | Error updating daemon ha heartbeat | |
| 470627-4 | 5-Cosmetic | Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE | |
| 458563-3 | 5-Cosmetic | A 'status down' message is logged when enabling a pool member that was previously disabled | |
| 388274-2 | 5-Cosmetic | LTM pool member link in a route domain is wrong in Network Map. | |
| 291469-3 | 5-Cosmetic | K10643 | SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 555549-2 | 1-Blocking | 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline. | |
| 579919 | 2-Critical | TMM may core when LSN translation is enabled | |
| 565810-5 | 2-Critical | K93065637 | OneConnect profile with an idle or strict limit-type might lead to tmm core. |
| 562566-3 | 2-Critical | K39483533 | High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems |
| 558612-3 | 2-Critical | System may fail when syncookie mode is activated | |
| 554967-2 | 2-Critical | Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets | |
| 552937-2 | 2-Critical | HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail. | |
| 552151-1 | 2-Critical | Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected | |
| 549868-2 | 2-Critical | K48629034 | 10G interoperability issues reported following Cisco Nexus switch version upgrade. |
| 544375-2 | 2-Critical | Unable to load certificate/key pair | |
| 540568-4 | 2-Critical | TMM core due to SIGSEGV | |
| 534795-6 | 2-Critical | Swapping VLAN names in config results in switch daemon core and restart. | |
| 517613-2 | 2-Critical | ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps | |
| 483665-3 | 2-Critical | Restrict the permissions for private keys | |
| 478812-4 | 2-Critical | DNSX Zone Transfer functionality preserved after power loss | |
| 468791-3 | 2-Critical | Crash when using FIX tag maps and a FIX message arrives without a SenderCompID. | |
| 466007-3 | 2-Critical | K02683895 | DNS Express daemon, zxfrd, can not start if its binary cache has filled /var |
| 459671-1 | 2-Critical | iRules source different procs from different partitions and executes the incorrect proc. | |
| 454583-4 | 2-Critical | SPDY may cause the TMM to crash if it aborts while there are stalled streams. | |
| 592854-2 | 3-Major | Protocol version set incorrectly on serverssl renegotiation | |
| 585412-1 | 3-Major | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines | |
| 584717 | 3-Major | TCP window scaling is not applied when SYN cookies are active | |
| 580303-2 | 3-Major | When going from active to offline, tmm might send a GARP for a floating address. | |
| 579371-1 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
| 576296-1 | 3-Major | MCPd might leak memory in SCTP profile stats query. | |
| 575626-6 | 3-Major | K04672803 | Minor memory leak in DNS Express stats error conditions |
| 575612-4 | 3-Major | Potential MCPd leak in policy action stats query code | |
| 571573-3 | 3-Major | K20320811 | Persistence may override node/pmbr connection limit |
| 571183-3 | 3-Major | Bundle-certificates Not Accessible via iControl REST. | |
| 570617-5 | 3-Major | HTTP parses fragmented response versions incorrectly | |
| 569642-3 | 3-Major | Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core | |
| 569349-3 | 3-Major | Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled | |
| 569288-4 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures | |
| 566361-2 | 3-Major | K11543589 | RAM Cache Key Collision |
| 563591-3 | 3-Major | reference to freed loop_nexthop may cause tmm crash. | |
| 563419-3 | 3-Major | IPv6 packets containing extended trailer are dropped | |
| 563227-4 | 3-Major | K31104342 | When a pool member goes down, persistence entries may vary among tmms |
| 558602-2 | 3-Major | Active mode FTP data channel issue when using lasthop pool | |
| 557783-3 | 3-Major | K14147369 | TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr |
| 557645-1 | 3-Major | Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms. | |
| 556560-1 | 3-Major | K80741043 | DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records. |
| 556103-2 | 3-Major | Abnormally high CPU utilization for external monitors | |
| 554977-1 | 3-Major | K64401960 | TMM might crash on failed SSL handshake |
| 553688-3 | 3-Major | TMM can core due to memory corruption when using SPDY profile. | |
| 552931-2 | 3-Major | Configuration fails to load if DNS Express Zone name contains an underscore | |
| 552865-5 | 3-Major | K34035224 | SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. |
| 551189-2 | 3-Major | Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data | |
| 550782-2 | 3-Major | Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit | |
| 550689-3 | 3-Major | Resolver H.ROOT-SERVERS.NET Address Change | |
| 549406-3 | 3-Major | K63010180 | Destination route-domain specified in the SOCKS profile |
| 548680-3 | 3-Major | TMM may core when reconfiguring iApps that make use of iRules with procedures. | |
| 548583-5 | 3-Major | TMM crashes on standby device with re-mirrored SIP monitor flows. | |
| 548563-3 | 3-Major | Transparent Cache Messages Only Updated with DO-bit True | |
| 547732-3 | 3-Major | TMM may core on using SSL::disable on an already established serverside connection | |
| 542654 | 3-Major | K52195938 | bigd may experience a heartbeat failure when tcp-half-open monitors are used |
| 541126-1 | 3-Major | Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed | |
| 540893-3 | 3-Major | Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets. | |
| 540213-4 | 3-Major | mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary | |
| 536191-3 | 3-Major | Transparent inherited TCP monitors may fail on loading configuration | |
| 534111-2 | 3-Major | [SSL] Config sync problems when modifying cert in default client-ssl profile | |
| 533820-3 | 3-Major | DNS Cache response missing additional section | |
| 531979-4 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. | |
| 530812-5 | 3-Major | Legacy DAG algorithm reuses high source port numbers frequently | |
| 529899-3 | 3-Major | Installation may fail with the error "(Storage modification process conflict.)".★ | |
| 527742-1 | 3-Major | K15550890 | The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system |
| 524641-4 | 3-Major | K11504283 | Wildcard NAPTR record after deleting the NAPTR records |
| 523471-3 | 3-Major | pkcs11d core when connecting to SafeNet HSM | |
| 521711-3 | 3-Major | K14555354 | HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual |
| 519217-2 | 3-Major | K89004553 | tmm crash: valid proxy |
| 516816-2 | 3-Major | RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake. | |
| 515322-2 | 3-Major | Intermittent TMM core when using DNS cache with forward zones | |
| 513530-3 | 3-Major | Connections might be reset when using SSL::disable and enable command | |
| 513213-4 | 3-Major | FastL4 connection may get RSTs in case of hardware syncookie enabled. | |
| 509416-4 | 3-Major | Suspended 'after' commands may result in unexpected behaviors | |
| 505089-3 | 3-Major | Spurious ACKs result in SYN cookie rejected stat increment. | |
| 500786-4 | 3-Major | Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile | |
| 490936-1 | 3-Major | SSLv2/TLSv1 based handshake causing handshake failures | |
| 490174-3 | 3-Major | Improved TLS protocol negotiation with clients supporting TLS1.3 | |
| 469627-2 | 3-Major | When persistence is overriden from cookie to some other persistence method, the cookie should not be sent. | |
| 468471-1 | 3-Major | The output of DNS::edns0 subnet address command is not stored properly in a variable | |
| 463202-6 | 3-Major | BIG-IP system drops non-zero version EDNS requests | |
| 458348-3 | 3-Major | RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing. | |
| 457109-3 | 3-Major | Traffic misclassified and matching wrong rule in CPM policy. | |
| 452900-3 | 3-Major | IP iRules may cause TMM to segfault in low memory scenarios | |
| 452659-1 | 3-Major | DNS Express zone creation, deletion or updates can slow down or stop other DNS services. | |
| 445471-1 | 3-Major | DNS Express zone creation, deletion or updates can slow down or stop other DNS services. | |
| 419217-1 | 3-Major | LTM policy fails to decompress compressed http requests | |
| 417006-5 | 3-Major | Thales HSM support on Chassis cluster-mode. | |
| 406001-5 | 3-Major | Host-originated traffic cannot use a nexthop in a different route domain | |
| 372473-3 | 3-Major | mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes | |
| 336255-8 | 3-Major | K52011109 | OneConnect Connection Limits with Narrow Source Address Masks |
| 546747-4 | 4-Minor | K72042050 | SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets |
| 541134-3 | 4-Minor | K51114681 | HTTP/HTTPS monitors transmit unexpected data to monitored node. |
| 499795-3 | 4-Minor | "persist add" in server-side iRule event can result in "Client Addr" being pool member address | |
| 492780-3 | 4-Minor | K37345003 | Elliptic Curves Extension in ServerHello might cause failed SSL connection. |
| 458872-1 | 4-Minor | Check SACK report before treating as dupack |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 569972-3 | 2-Critical | Unable to create gtm topology records using iControl REST | |
| 569521-2 | 2-Critical | Invalid WideIP name without dots crashes gtmd. | |
| 561539-1 | 2-Critical | [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★ | |
| 539466-3 | 2-Critical | Cannot use self-link URI in iControl REST calls with gtm topology | |
| 533658-3 | 2-Critical | DNS decision logging can trigger TMM crash | |
| 471467-1 | 2-Critical | gtmparse segfaults when loading wideip.conf because of duplicate virtual server names | |
| 569472-3 | 3-Major | TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled | |
| 559975-4 | 3-Major | Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth | |
| 551767-2 | 3-Major | K03432500 | GTM server 'Virtual Server Score' not showing correctly in TMSH stats |
| 546640-1 | 3-Major | tmsh show gtm persist <filter option> does not filter correctly | |
| 540576-2 | 3-Major | K29095826 | big3d may fail to install on systems configured with an SSH banner |
| 552352-3 | 4-Minor | K18701002 | tmsh list display incorrectly for default values of gtm listener translate-address/translate-port |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 560748 | 2-Critical | BIG-IQ discovery fails | |
| 451089-1 | 2-Critical | ASM REST: Incorrect/Duplicate REST id for policy after a copy is made | |
| 449231-1 | 2-Critical | ASM REST: Updating multiple items in a list only make one change | |
| 589298 | 3-Major | TMM crash with a core dump | |
| 585045 | 3-Major | ASM REST: Missing 'gwt' support for urlContentProfiles | |
| 582683-1 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan | |
| 574214-2 | 3-Major | Content Based Routing daemon (cbrd) logging control | |
| 573406-2 | 3-Major | ASU cannot be completed if license was last activated more than 18 months before | |
| 572922-3 | 3-Major | Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★ | |
| 566758-3 | 3-Major | Manual changes to policy imported as XML may introduce corruption for Login Pages | |
| 559541-3 | 3-Major | ICAP anti virus tests are not initiated on XML with when should | |
| 559055 | 3-Major | Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All" | |
| 531809-1 | 3-Major | FTP/SMTP traffic related bd crash |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 578353-1 | 2-Critical | Statistics data aggregation process is not optimized | |
| 529900-4 | 2-Critical | K88373692 | AVR missing some configuration changes in multiblade system |
| 472969-3 | 2-Critical | If you try to create more than 264 AVR profiles, avrd might crash. | |
| 569958-3 | 3-Major | Upgrade for application security anomalies | |
| 557062-3 | 3-Major | The BIG-IP ASM configuration fails to load after an upgrade.★ | |
| 488989-4 | 3-Major | AVRD does not print out an error message when the external logging fails | |
| 454071-1 | 5-Cosmetic | 'Show all' button has no effect or becomes hidden for short period of time |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 581770-1 | 1-Blocking | Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6 | |
| 580817-4 | 2-Critical | Edge Client may crash after upgrade★ | |
| 579909-3 | 2-Critical | Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error | |
| 579559-4 | 2-Critical | DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration | |
| 578844-3 | 2-Critical | tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client. | |
| 575609-4 | 2-Critical | Zlib accelerated compression can result in a dropped flow. | |
| 574318-4 | 2-Critical | Unable to resume session when switching to Protected Workspace | |
| 572563-4 | 2-Critical | PWS session does not launch on Internet Explorer after upgrade | |
| 571090-1 | 2-Critical | When BIG-IP is used as SAML IdP, tmm may restart under certain conditions | |
| 569306-5 | 2-Critical | Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected | |
| 565056-5 | 2-Critical | K87617654 | Fail to update VPN correctly for non-admin user. |
| 562919-1 | 2-Critical | TMM cores in renew lease timer handler | |
| 559138-4 | 2-Critical | Linux CLI VPN client fails to establish VPN connection on Ubuntu | |
| 556774-1 | 2-Critical | EdgeClient cannot connect through captive portal | |
| 555272-3 | 2-Critical | Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★ | |
| 513083-2 | 2-Critical | d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server. | |
| 586056 | 3-Major | Machine cert checker doesn't work as expected if issuer or AltName is specified | |
| 581834-3 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc | |
| 580421-4 | 3-Major | Edge Client may not register DLLs correctly | |
| 576069-1 | 3-Major | Rewrite can crash in some rare corner cases | |
| 575499-3 | 3-Major | VPN filter may leave renew_lease timer active after teardown | |
| 575292-2 | 3-Major | DNS Relay proxy service does not respond to SCM commands in timely manner | |
| 574781-3 | 3-Major | APM Network Access IPV4/IPV6 virtual may leak memory | |
| 573581-2 | 3-Major | DNS Search suffix are not restored properly in some cases after VPN establishment | |
| 573429-2 | 3-Major | APM Network Access IPv4/IPv6 virtual may leak memory | |
| 572893-5 | 3-Major | error "The modem (or other connecting device) is already in use or is not configured properly" | |
| 571003-4 | 3-Major | TMM Restarts After Failover | |
| 570640-4 | 3-Major | APM Cannot create symbolic link to sandbox. Error: No such file or directory | |
| 570064-4 | 3-Major | IE gives a security warning asking: "Do you want to run ... InstallerControll.cab" | |
| 569255-5 | 3-Major | K81130213 | Network Access incorrectly manipulates routing table when second adapter being connected if "Allow Local subnet access' is set to ON |
| 566908-3 | 3-Major | K54435973 | Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file |
| 566646-2 | 3-Major | Portal Access could respond very slowly for large text files when using IE < 11 | |
| 565231-1 | 3-Major | Importing a previously exported policy which had two object names may fail | |
| 564521-2 | 3-Major | JavaScript passed to ExternalInterface.call() may be erroneously unescaped | |
| 564496-2 | 3-Major | Applying APM Add-on License Does Not Change Effective License Limit | |
| 564482-3 | 3-Major | Kerberos SSO does not support AES256 encryption | |
| 564262-3 | 3-Major | K21518043 | Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code |
| 564253-6 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc | |
| 563443-3 | 3-Major | WebSSO plugin core dumps under very rare conditions. | |
| 558946-3 | 3-Major | TMM may core when APM is provisioned and access profile is attached to the virtual | |
| 558870-4 | 3-Major | K12012384 | Protected workspace does not work correctly with third party products |
| 558631-6 | 3-Major | K81306414 | APM Network Access VPN feature may leak memory |
| 556597-3 | 3-Major | CertHelper may crash when performing Machine Cert Inspection | |
| 555457-4 | 3-Major | K16415235 | Reboot is required, but not prompted after F5 Networks components have been uninstalled |
| 554993-1 | 3-Major | Profile Stats Not Updated After Standby Upgrade Followed By Failover | |
| 554626 | 3-Major | K14263316 | Database logging truncates log values greater than 1024 |
| 554228-4 | 3-Major | OneConnect does not work when WEBSSO is enabled/configured. | |
| 554074-3 | 3-Major | If the user cancels a connection attempt, there may be a delay in estabilshing the next connection. | |
| 554041-4 | 3-Major | No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled | |
| 553925-3 | 3-Major | Manual upgrade of Edge Client fails in some cases on Windows★ | |
| 552498-2 | 3-Major | APMD basic authentication cookie domains are not processed correctly | |
| 550536-4 | 3-Major | Incorrect information/text (in French) is displayed when the Edge Client is launched | |
| 549086-3 | 3-Major | Windows 10 is not detected when Firefox is used | |
| 536575-2 | 3-Major | Session variable report can be blank in many cases | |
| 531983-4 | 3-Major | [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added | |
| 528548-1 | 3-Major | @import "url" is not recognized by client-side CSS patcher | |
| 528139-4 | 3-Major | Windows 8 client may not be able to renew DHCP lease | |
| 520088-1 | 3-Major | Citrix HTML5 Receiver does not properly display initial tour and icons | |
| 519059-2 | 3-Major | [PA] - Failing to properly patch webapp link, link not working | |
| 518550-5 | 3-Major | Incorrect value of form action attribute inside 'onsubmit' event handler in some cases | |
| 516219-2 | 3-Major | User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled | |
| 492122-4 | 3-Major | K42635442 | Now Windows Logon Integration does not recreate temporary user for logon execution each time |
| 488811-4 | 3-Major | F5-prelogon user profile folder are not fully cleaned-up | |
| 487859-2 | 3-Major | K42022001 | Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI. |
| 473344-7 | 3-Major | Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP. | |
| 472446-4 | 3-Major | Customization group template file might cause mcpd to restart | |
| 464687-1 | 3-Major | Copying Access Profile with Machine Cert Agent check fails | |
| 462268-1 | 3-Major | long session var processing in variable assignment agent | |
| 461084-2 | 3-Major | K48281763 | Kerberos Auth might fail if client request contains Authorization header |
| 458737-1 | 3-Major | non-printable characters are escaped before hexencoding | |
| 409323-2 | 3-Major | OnDemand cert auth redirect omits port information | |
| 404141-3 | 3-Major | Standby system offers option to Apply Access Policy even though it has been synced | |
| 399732-2 | 3-Major | SAML Error: Invalid request received from remote client is too big | |
| 580429-3 | 4-Minor | CTU does not show second Class ID for InstallerControll.dll | |
| 572543-4 | 4-Minor | User is prompted to install components repeatedly after client components are updated. | |
| 541156-3 | 4-Minor | Network Access clients experience delays when resolving a host |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 575631-2 | 3-Major | Potential MCPd leak in WAM stats query code | |
| 551010-3 | 3-Major | Crash on unexpected WAM storage queue state |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 552198-3 | 3-Major | K27590443 | APM App Tunnel/AM iSession Connection Memory Leak |
| 547537-4 | 3-Major | TMM core due to iSession tunnel assertion failure |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 572224 | 3-Major | Buffer error due to RADIUS::avp command when vendor IDs do not match |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 575582-1 | 3-Major | MCPd might leak memory in FW network attack stats. | |
| 575571-1 | 3-Major | MCPd might leak memory in FW DOS SIP attack stats query. | |
| 575569-1 | 3-Major | MCPd might leak memory in FW DOS DNS stats query. | |
| 575565-1 | 3-Major | MCPd might leak memory in FW policy rule stats query. | |
| 575564-1 | 3-Major | MCPd might leak memory in FW rule stats query. | |
| 575557-2 | 3-Major | MCPd might leak memory in FW rule stats. | |
| 575321-1 | 3-Major | MCPd might leak memory in firewall stats. | |
| 569337-4 | 3-Major | TCP events are logged twice in a HA setup | |
| 561433-6 | 3-Major | TMM Packets can be dropped indiscriminately while under DoS attack | |
| 556694-6 | 3-Major | DoS Whitelist IPv6 addresses may "overmatch" |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 577814 | 3-Major | MCPd might leak memory in PEM stats queries. |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 540571-4 | 2-Critical | TMM cores when multicast address is set as destination IP via iRules and LSN is configured | |
| 482202-2 | 2-Critical | Very long FTP command may be ignored. | |
| 515736-5 | 3-Major | LSN pool with small port range may not use all ports |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 453640-2 | 2-Critical | Java core when modifying global-settings |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 518275-3 | CVE-2016-4545 | K48042976 | The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 577811 | 3-Major | SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 576314 | 2-Critical | SNMP traps for FIPS device fault inconsistent among versions. | |
| 574262 | 3-Major | Rarely encountered lockup for N3FIPS module when processing key management requests. | |
| 574073 | 3-Major | Support for New Platform: BIG-IP 10350 FIPS with NEBS support |
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 542314-7 | CVE-2015-8099 | K35358312 | TCP vulnerability - CVE-2015-8099 |
| 536481-8 | CVE-2015-8240 | K06223540 | F5 TCP vulnerability CVE-2015-8240 |
| 567475-4 | CVE-2015-8704 | K53445000 | BIND vulnerability CVE-2015-8704 |
| 560910-3 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
| 560180-3 | CVE-2015-8000 | K34250741 | BIND Vulnerability CVE-2015-8000 |
| 554624-1 | CVE-2015-5300 CVE-2015-7704 | K10600056 K17566 | NTP CVE-2015-5300 CVE-2015-7704 |
| 553902-3 | CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 | K17516 | Multiple NTP Vulnerabilities |
| 546080-4 | CVE-2016-5021 | K99998454 | Path sanitization for iControl REST worker |
| 545786-2 | CVE-2015-7393 | K75136237 | Privilege escalation vulnerability CVE-2015-7393 |
| 545762-1 | CVE-2015-7394 | K17407 | CVE-2015-7394 |
| 540849-4 | CVE-2015-5986 | K17227 | BIND vulnerability CVE-2015-5986 |
| 540846-4 | CVE-2015-5722 | K17181 | BIND vulnerability CVE-2015-5722 |
| 540767-1 | CVE-2015-5621 | K17378 | SNMP vulnerability CVE-2015-5621 |
| 533156-2 | CVE-2015-6546 | K17386 | CVE-2015-6546 |
| 472093-2 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
| 445327-1 | CVE-2013-5878 CVE-2013-5884 CVE-2013-5893 CVE-2013-5896 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0376 CVE-2014-0411 CVE-2014-0416 CVE-2014-0422 CVE-2014-0423 CVE-2014-0428 | K53146535 | OpenJDK 1.7 vulnerabilities |
| 556383-2 | CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 | K31372672 | Multiple NSS Vulnerabilities |
| 534633-1 | CVE-2015-5600 | K17113 | OpenSSH vulnerability CVE-2015-5600 |
| 525232-10 | CVE-2015-4024 CVE-2014-8142 | K16826 | PHP vulnerability CVE-2015-4024 |
| 485917-5 | CVE-2004-1060 | K15792 | BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060) |
| 427174-6 | CVE-2013-1620 CVE-2013-0791 | K15630 | SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620 |
| 560948-3 | CVE-2015-3195 | K12824341 | OpenSSL vulnerability CVE-2015-3195 |
| 553454-3 | CVE-2015-2730 | K15955144 | Mozilla NSS vulnerability CVE-2015-2730 |
| 515345-4 | CVE-2015-1798 | K16505 | NTP Vulnerability |
| 430799-5 | CVE-2010-5107 | K14741 | CVE-2010-5107 openssh vulnerability |
| 567484-4 | CVE-2015-8705 | K86533083 | BIND Vulnerability CVE-2015-8705 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 557221 | 2-Critical | Inbound ISP link load balancing will use pool members for only one ISP link per data center | |
| 539130-7 | 3-Major | K70695033 | bigd may crash due to a heartbeat timeout |
| 530133 | 3-Major | Support for New Platform: BIG-IP 10350 FIPS | |
| 498992-9 | 3-Major | Troubleshooting enhancement: improve logging details for AWS failover failure. | |
| 439013-5 | 3-Major | K15162 | IPv6 link-local vlan tag handling incorrect |
| 425331-1 | 3-Major | On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID | |
| 226043-5 | 3-Major | Add support for multiple addresses for audit-forwarder. | |
| 479147-5 | 4-Minor | Cannot create VXLAN tunnels with the same local-address and different multicast addresses. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 546260-1 | 1-Blocking | TMM can crash if using the v6rd profile | |
| 544980-1 | 1-Blocking | BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle. | |
| 510393-2 | 1-Blocking | TMM may occasionally restart with a core file when deployed VCMP guests are stopped | |
| 465142-5 | 1-Blocking | K16633 | iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common |
| 397431-8 | 1-Blocking | Improved security for Apache. | |
| 562427 | 2-Critical | Trust domain changes do not persist on reboot. | |
| 555686-2 | 2-Critical | Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers | |
| 544913-2 | 2-Critical | K17322 | tmm core while logging from TMM during failover |
| 544481-4 | 2-Critical | IPSEC Tunnel fails for more than one minute randomly. | |
| 530903-5 | 2-Critical | HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade★ | |
| 523434-5 | 2-Critical | K85242410 | mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object |
| 520380-4 | 2-Critical | K41313442 | save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory |
| 513151-7 | 2-Critical | VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID. | |
| 511559-6 | 2-Critical | Virtual Address advertised while unavailable | |
| 510559-5 | 2-Critical | Add logging to indicate that compression engine is stalled. | |
| 507602-4 | 2-Critical | K17166 | Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled |
| 504508-4 | 2-Critical | K16773 | IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled |
| 503600-3 | 2-Critical | K17149 | TMM core logging from TMM while attempting to connect to remote logging server |
| 482373-5 | 2-Critical | Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction | |
| 468473-5 | 2-Critical | K16193 | Monitors with domain username do not save/load correctly |
| 460165-5 | 2-Critical | General Database Error when accessing Clusters or Templates page | |
| 365219-3 | 2-Critical | Trust upgrade fails when upgrading from version 10.x to version 11.x.★ | |
| 355199-5 | 2-Critical | ePVA flow not removed when connection closed | |
| 556284-3 | 3-Major | K55622762 | iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found |
| 553576-2 | 3-Major | K17356 | Intermittent 'zero millivolt' reading from FND-850 PSU |
| 550694 | 3-Major | K60222549 | LCD display stops updating and Status LED turns/blinks Amber |
| 547047-1 | 3-Major | K31076445 | Older cli-tools unsupported by AWS |
| 545745-3 | 3-Major | Enabling tmm.verbose mode produces messages that can be mistaken for errors. | |
| 542860-5 | 3-Major | TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event | |
| 542320 | 3-Major | no login name may appear when running ssh commands through management port | |
| 539822-1 | 3-Major | tmm may leak connflow and memory on vCMP guest. | |
| 538133-1 | 3-Major | Only one action per sensor is displayed in sensor_limit_table and system_check | |
| 536939-1 | 3-Major | Secondary blade may restart services if configuration elements are deleted using a * wildcard. | |
| 534582-3 | 3-Major | K10397582 | HA configuration may fail over when standby has only base configuration loaded. |
| 533826-4 | 3-Major | SNMP Memory Leak on a VIPRION system. | |
| 532559-2 | 3-Major | Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'. | |
| 531986-2 | 3-Major | Hourly AWS VE license breaks after reboot with default tmm route/gateway. | |
| 529977-4 | 3-Major | OSPF may not process updates to redistributed routes | |
| 529524-5 | 3-Major | K15345631 | IPsec IKEv1 connectivity issues |
| 528881-5 | 3-Major | NAT names with spaces in them do not upgrade properly★ | |
| 528498-2 | 3-Major | Recently-manufactured hardware may not be identified with the correct model name and SNMP OID | |
| 528276-6 | 3-Major | K39167163 | The device management daemon can crash with a malloc error |
| 527431-2 | 3-Major | Db variable to specify audit forwarder port | |
| 526974-5 | 3-Major | Data-group member records map empty strings to 'none'. | |
| 526817-6 | 3-Major | snmpd core due to mcpd message timer thread not exiting | |
| 524490-7 | 3-Major | K17364 | Excessive output for tmsh show running-config |
| 524333-5 | 3-Major | K55005622 | iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out. |
| 524300-1 | 3-Major | K71003856 | The MOS boot process appears to hang. |
| 523922-6 | 3-Major | Session entries may timeout prematurely on some TMMs | |
| 523867-2 | 3-Major | 'warning: Failed to find EUDs' message during formatting installation | |
| 523642-4 | 3-Major | Power Supply status reported incorrectly after LBH reset | |
| 523527-10 | 3-Major | K43121346 | Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★ |
| 522871-4 | 3-Major | K13764703 | [TMSH] nested wildcard deletion will delete all the objects (matched or not matched) |
| 522837-3 | 3-Major | MCPD can core as a result of another component shutting down prematurely | |
| 521144-7 | 3-Major | K16799 | Network failover packets on the management interface sometimes have an incorrect source-IP |
| 519510-4 | 3-Major | K17164 | Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware |
| 519081-6 | 3-Major | Cannot use tmsh to load valid configuration created using the GUI. | |
| 518283-4 | 3-Major | K16524 | Cookie rewrite mangles 'Set-Cookie' headers |
| 517714-2 | 3-Major | logd core near end of its life cycle | |
| 517388-6 | 3-Major | Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs. | |
| 516995-8 | 3-Major | NAT traffic group inheritance does not sync across devices | |
| 516322-5 | 3-Major | The BIG-IP system may erroneously remove an iApp association from the virtual server. | |
| 514844-3 | 3-Major | K17099 | Fluctuating/inconsistent number of health monitors for pool member |
| 514726-5 | 3-Major | K17144 | Server-side DSR tunnel flow never expires |
| 514724-4 | 3-Major | crypto-failsafe fail condition not cleared when crypto device restored | |
| 512618-2 | 3-Major | Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp" | |
| 511145-2 | 3-Major | IPsec Policy Link not functional. | |
| 510425-7 | 3-Major | K28822214 | DNS Express zone RR type-count statistics are missing in some cases |
| 510381-5 | 3-Major | bcm56xxd might core when restarting due to bundling config change. | |
| 509600-5 | 3-Major | Global rule association to policy is lost after loading config. | |
| 507853-10 | 3-Major | MCP may crash while performing a very large chunked query and CPU is highly loaded | |
| 504803-4 | 3-Major | GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'. | |
| 504494-4 | 3-Major | K43624250 | Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.★ |
| 501437-6 | 3-Major | rsync daemon does not stop listening after configsync-ip set to none | |
| 497304-10 | 3-Major | Unable to delete reconfigured HTTP iApp when auto-sync is enabled | |
| 495865-4 | 3-Major | K15116582 | iApps/tmsh cannot reconfigure pools that have monitors associated with them. |
| 495862-7 | 3-Major | Virtual status becomes yellow and gets connection limit alert when all pool members forced down | |
| 493246-1 | 3-Major | K17414 | SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot |
| 491556-10 | 3-Major | K16573 | tmsh show sys connection output is corrected |
| 489113-7 | 3-Major | K16375 | PVA status, statistics not shown correctly in UI |
| 485939-8 | 3-Major | K16822 | OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair. |
| 485702-7 | 3-Major | Default SNMP community 'public' is re-added after the upgrade | |
| 484861-10 | 3-Major | K16919 | A standby-standby state can be created when auto failback acts in a CRC disagreement scenario |
| 484534-5 | 3-Major | interface STP state stays in blocked when added to STP as disabled | |
| 483699-5 | 3-Major | K16888 | No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list |
| 483104-6 | 3-Major | K17365 | vCMP guests report platform type as 'unknown' |
| 481089-6 | 3-Major | Request group incorrectly deleted prior to being processed | |
| 479553-6 | 3-Major | Sync may fail after deleting a persistence profile | |
| 479543-8 | 3-Major | Transaction will fail when deleting pool member and related node | |
| 476288-5 | 3-Major | Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault | |
| 473037-7 | 3-Major | K16896 | BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP |
| 470788-4 | 3-Major | K34193654 | Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot |
| 470756-8 | 3-Major | snmpd cores or crashes with no logging when restarted by sod | |
| 464225-6 | 3-Major | K16541 | 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users |
| 463468-9 | 3-Major | failed tmsh command generate double logs | |
| 462187-6 | 3-Major | K16379 | 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users |
| 458104-6 | 3-Major | K16795 | LTM UCS load merge trunk config issue |
| 455980-6 | 3-Major | K17210 | Home directory is purged when the admin changes user password. |
| 455651-6 | 3-Major | K40300934 | Improper regex/glob validation in web-acceleration and http-compression profiles |
| 454392-1 | 3-Major | Added support for BIG-IP 10350N NEBS platform. | |
| 439299-5 | 3-Major | iApp creation fails with non-admin users | |
| 433466-5 | 3-Major | Disabling bundled interfaces affects first member of associated unbundled interfaces | |
| 410101-4 | 3-Major | HSBe2 falls off the PCI bus | |
| 375246-11 | 3-Major | Clarification of pool member session enabling versus pool member monitor enabling | |
| 549023 | 4-Minor | warning: Failed to find EUDs★ | |
| 548268-3 | 4-Minor | Disabling an interface on a blade does not change media to NONE | |
| 503841-4 | 4-Minor | Slow performance with delete_string_class_member in iControl-SOAP | |
| 492163-6 | 4-Minor | K12400 | Applying a monitor to pool and pool member may cause an issue. |
| 473163-9 | 4-Minor | RAID disk failure and alert.conf log message mismatch results in no trap | |
| 465675-5 | 4-Minor | K07816405 | Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable. |
| 434096-5 | 4-Minor | TACACS log forwarder truncates logs to 1 KB | |
| 413708-7 | 5-Cosmetic | K31302478 | BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 536690-1 | 1-Blocking | K82591051 | Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm) |
| 540473-5 | 2-Critical | peer/clientside/serverside script with parking command may cause tmm to core. | |
| 538255-2 | 2-Critical | SSL handshakes on 4200/2200 can cause TMM cores. | |
| 537988-3 | 2-Critical | K76135297 | Buffer overflow for large session messages |
| 534804-3 | 2-Critical | TMM may core with rate limiting enabled and service-down-action reselect on poolmembers | |
| 534052-5 | 2-Critical | K17150 | VLAN failsafe triggering on standby leaks memory |
| 533388-8 | 2-Critical | tmm crash with assert "resume on different script" | |
| 530505-2 | 2-Critical | IP fragments can cause TMM to crash when packet filtering is enabled | |
| 529920-6 | 2-Critical | Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit | |
| 528739-5 | 2-Critical | K47320953 | DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses. |
| 527011-4 | 2-Critical | Intermittent lost connections with no errors on external interfaces | |
| 520413-12 | 2-Critical | TMM may crash when using woodside congestion control | |
| 517590-1 | 2-Critical | Pool member not turning 'blue' when monitor removed from pool | |
| 517465-3 | 2-Critical | tmm crash with ssl | |
| 514108-7 | 2-Critical | TSO packet initialization failure due to out-of-memory condition. | |
| 509646-6 | 2-Critical | Occasional connections reset when using persistence | |
| 503343-9 | 2-Critical | TMM crashes when cloned packet incorrectly marked for TSO | |
| 497299-7 | 2-Critical | Thales install fails if the BIG-IP system is also configured as the RFS | |
| 489451-2 | 2-Critical | K17278 | TMM might panic due to OpenSSL failure during handshake generation |
| 483719-4 | 2-Critical | K16260 | vlan-groups configured with a single member VLAN result in memory leak |
| 481677-5 | 2-Critical | A possible TMM crash in some circumstances. | |
| 481162-6 | 2-Critical | K16458 | vs-index is set differently on each blade in a chassis |
| 477064-5 | 2-Critical | K17268 | TMM may crash in SSL |
| 472585-5 | 2-Critical | tmrouted crashes after a series configuration changes | |
| 470235-1 | 2-Critical | The HTTP explicit proxy may leak memory in some cases | |
| 459100-6 | 2-Critical | K16452 | TMM may crash when offloading one-way UDP FastL4 flow |
| 456766-2 | 2-Critical | K17351 | SSL Session resumption with hybrid handshake might fail |
| 456175-3 | 2-Critical | Memory issues possible with really long interface names | |
| 455286-2 | 2-Critical | BIG-IP might send both session ID and server certificate during renegotiation | |
| 451059-8 | 2-Critical | SSL server does not check and validate Change Cipher Spec payload. | |
| 569718-3 | 3-Major | Traffic not sent to default pool after pool selection from rule | |
| 553311-1 | 3-Major | K13710973 | Route pool configuration may cause TMM to produce a core file |
| 552532-3 | 3-Major | K73453525 | Oracle monitor fails with certain time zones. |
| 552385 | 3-Major | Virtual servers using an SSL profile and two UDP profiles may not be accepted | |
| 547815-2 | 3-Major | K57983796 | Potential DNS Transparent Cache Memory Leak |
| 545704-3 | 3-Major | TMM might core when using HTTP::header in a serverside event | |
| 544028-3 | 3-Major | K21131221 | Verified Accept counter 'verified_accept_connections' might underflow. |
| 543993-4 | 3-Major | Serverside connections may fail to detach when using the HTTP and OneConnect profiles | |
| 543220-3 | 3-Major | K12153351 | Global traffic statistics does not include PVA statistics |
| 538603-3 | 3-Major | K03383492 | TMM core file on pool member down with rate limit configured |
| 537964-3 | 3-Major | K17388 | Monitor instances may not get deleted during configuration merge load |
| 537553-3 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration | |
| 533966-4 | 3-Major | Double loopback nexthop release might cause TMM core. | |
| 532107-5 | 3-Major | K16716213 | [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted |
| 530761-4 | 3-Major | TMM crash in DNS processing on a TCP virtual | |
| 528407-6 | 3-Major | K72235143 | TMM may core with invalid lasthop pool configuration |
| 528188-4 | 3-Major | Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address | |
| 528007-5 | 3-Major | Memory leak in ssl | |
| 527027-3 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information | |
| 527024-2 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information | |
| 526810-8 | 3-Major | Crypto accelerator queue timeout is now adjustable | |
| 525958-10 | 3-Major | TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop. | |
| 525322-6 | 3-Major | Executing tmsh clientssl-proxy cached-certs crashes tmm | |
| 524960-5 | 3-Major | K17434 | 'forward' command does not work if virtual server has attached pool |
| 523513-5 | 3-Major | COMPRESS::enable keeps compression enabled for a subsequent HTTP request. | |
| 521036-4 | 3-Major | Dynamic ARP entry may replace a static entry in non-primary TMM instances. | |
| 520405-2 | 3-Major | tmm restart due to oversubscribed DNS resolver | |
| 517790-11 | 3-Major | When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped | |
| 517510-5 | 3-Major | HTTP monitor might add extra CR/LF pairs to HTTP body when supplied | |
| 517282-6 | 3-Major | K63316585 | The DNS monitor may delay marking an object down or never mark it down |
| 517124-6 | 3-Major | HTTP::retry incorrectly converts its input | |
| 516598-6 | 3-Major | K82721850 | Multiple TCP keepalive timers for same Fast L4 flow |
| 516432-4 | 3-Major | K21467711 | DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1. |
| 516320-5 | 3-Major | TMM may have a CPU spike if match cross persist is used. | |
| 515482-6 | 3-Major | K93258439 | Multiple teardown conditions can cause crash |
| 515072-7 | 3-Major | K17101 | Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased |
| 514419-7 | 3-Major | TMM core when viewing connection table | |
| 514246-6 | 3-Major | connflow_precise_check_begin does not check for NULL | |
| 513319-7 | 3-Major | Incorrect of failing sideband connections from within iRule may leak memory | |
| 513243-5 | 3-Major | K17561 | Improper processing of crypto error condition might cause memory issues. |
| 512490-10 | 3-Major | Increased latency during connection setup when using FastL4 profile and connection mirroring. | |
| 512148-7 | 3-Major | K17154 | Self IP address cannot be deleted when its VLAN is associated with static route |
| 511517-8 | 3-Major | K17111 | Request Logging profile cannot be configured with HTTP transparent profile |
| 511057-7 | 3-Major | K60014038 | Config sync fails after changing monitor in iApp |
| 510921-6 | 3-Major | K23548911 | Database monitors do not support IPv6 nodes |
| 510164-4 | 3-Major | K53351133 | DNS Express zone RR statistics are correctly reset after zxfrd restart |
| 507109-6 | 3-Major | inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade★ | |
| 505705-6 | 3-Major | Expired mirrored persistence entries not always freed using intra-chassis mirroring | |
| 504827-3 | 3-Major | Use of DHCP relay virtual server might result in tmm crash 'top filter'. | |
| 503257-13 | 3-Major | Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST | |
| 502747-13 | 3-Major | Incoming SYN generates unexpected ACK when connection cannot be recycled | |
| 498334-6 | 3-Major | K16867 | DNS express doesn't send zone notify response |
| 495588-4 | 3-Major | Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases★ | |
| 493140-6 | 3-Major | K16969 | Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters. |
| 493117-12 | 3-Major | K16986 | Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted |
| 490740-9 | 3-Major | TMM may assert if HTTP is disabled by another filter while it is parked | |
| 490429-4 | 3-Major | K17206 | The dynamic routes for the default route might be flushed during operations on non-default route domains. |
| 475649-6 | 3-Major | K17430 | HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert |
| 475125-2 | 3-Major | K17428 | Use of HTTP::retry may cause TMM crash |
| 472748-4 | 3-Major | SNAT pool stats are reflected in global SNAT stats | |
| 471059-7 | 3-Major | Malformed cookies can break persistence | |
| 467551-5 | 3-Major | K17011 | TCP syncookie and Selective NACK (profile option) causes traffic to be dropped |
| 464651-7 | 3-Major | K16636 | Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core. |
| 458822-5 | 3-Major | Cluster status may be incorrect on secondary blades | |
| 453720-6 | 3-Major | clientssl profile validation fails to detect config with no cert/key name and no cert/key★ | |
| 452246-4 | 3-Major | K17075 | The correct cipher may not be chosen on session resumption. |
| 447043-11 | 3-Major | K17095 | Cannot have 2 distinct 'contains' conditions on the same LTM policy operand |
| 442869-7 | 3-Major | GUI inaccessible on chassis when var/log/audit log is full | |
| 441638-9 | 3-Major | K14972 | CACHE::header insert fails with 'Out of bounds' error for 301 Cache response |
| 441058-5 | 3-Major | K17366 | TMM can crash when a large number of SSL objects are created |
| 429011-8 | 3-Major | K15554 | No support for external link down time on network failover |
| 424831-4 | 3-Major | K14573 | State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover |
| 418890-5 | 3-Major | K92193116 | OpenSSL bug can prevent RSA keys from rolling forward★ |
| 364994-14 | 3-Major | K16456 | TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled be an iRule. |
| 348000-16 | 3-Major | HTTP response status 408 request timeout results in error being logged. | |
| 534458-4 | 4-Minor | K17196 | SIP monitor marks down member if response has different whitespace in header fields. |
| 532799-4 | 4-Minor | K14551525 | Static Link route to /32 pool member can end using dst broadcast MAC |
| 513288-2 | 4-Minor | Management traffic from nodes being health monitored might cause health monitors to fail. | |
| 503560-5 | 4-Minor | Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server. | |
| 446830-2 | 4-Minor | Current Sessions stat does not increment/decrement correctly. | |
| 446755-5 | 4-Minor | K70440102 | Connections with ramcache and clientssl profile allowing non-SSL traffic may stall |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 469033-15 | 2-Critical | Large big3d memory footprint. | |
| 437025-5 | 2-Critical | K15698 | big3d might exit during loading of large configs or when a connection to mcpd is dropped. |
| 529460-5 | 3-Major | K17209 | Short HTTP monitor responses can incorrectly mark virtual servers down. |
| 517582-5 | 3-Major | [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record. | |
| 514731-4 | 3-Major | K17100 | GTM Fails to change GTM server with IPv4 'Address Translation enabled |
| 510888-8 | 3-Major | [LC] snmp_link monitor is not listed as available when creating link objects | |
| 494305-6 | 4-Minor | K36360597 | [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list. |
| 494070-4 | 4-Minor | K59225090 | BIG-IP DNS cannot use a loopback address with fallback IP load balancing |
| 451211-3 | 4-Minor | Error using GUI when setting debug option on GTM SIP monitor. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 555057-1 | 2-Critical | ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies. | |
| 555006-1 | 2-Critical | ASM REST: lastUpdateMicros is not updated when changing a Custom Signature | |
| 552139-3 | 2-Critical | K61834804 | ASM limitation in the pattern matching matrix builtup |
| 540424-1 | 2-Critical | ASM REST: DESC modifier for $orderby option does not affect results | |
| 515728-4 | 2-Critical | Repeated BD cores. | |
| 478351-2 | 2-Critical | K17319 | Changing management IP can lead to bd crash |
| 475551-5 | 2-Critical | Flaw in CSRF protection mechanism | |
| 547000-3 | 3-Major | K47219203 | Enforcer application might crash on XML traffic when out of memory |
| 544831 | 3-Major | ASM REST: PATCH to custom signature set's attackTypeReference are ignored | |
| 542511-1 | 3-Major | K97242554 | 'Unhandled keyword ()' error message in GUI and/or various ASM logs |
| 540390-1 | 3-Major | ASM REST: Attack Signature Update cannot roll back to older attack signatures | |
| 538195-5 | 3-Major | Incremental Manual sync does not allow overwrite of 'newer' ASM config | |
| 535188-5 | 3-Major | Response Pages custom content with \n instead of \r\n on policy import. | |
| 534246-4 | 3-Major | rest_uuid should be calculated from the actual values inserted to the entity | |
| 530598-2 | 3-Major | Some Session Tracking data points are lost on TMM restart | |
| 529610-4 | 3-Major | K32565535 | On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db |
| 528071-2 | 3-Major | ASM periodic updates (cron) write errors to log | |
| 526162-6 | 3-Major | K52335623 | TMM crashes with SIGABRT |
| 521183-3 | 3-Major | Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5★ | |
| 519053-4 | 3-Major | Request is forwarded truncated to the server after answering challenge on a big request | |
| 514313-3 | 3-Major | K00884154 | Logging profile configuration is updated unnecessarily |
| 502852-4 | 3-Major | Deleting an in-use custom policy template | |
| 498189-6 | 3-Major | ASM Request log does not show log messages. | |
| 491371-4 | 3-Major | K17285 | CMI: Manual sync does not allow overwrite of 'newer' ASM config |
| 491352-4 | 3-Major | Added ASM internal parameter to add more XML memory | |
| 484079-5 | 3-Major | K90502502 | Change to signature list of manual Signature Sets does not take effect. |
| 478674-10 | 3-Major | K08359230 | ASM internal parameters for high availability timeout was not handled correctly |
| 471766-3 | 3-Major | Number of decoding passes configuration | |
| 470779-3 | 3-Major | The Enforcer should exclude session awareness violations when counting illegal requests. | |
| 466423-1 | 3-Major | ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults | |
| 442313-6 | 3-Major | Content length header leading whitespaces should not be counted as digits | |
| 440913-2 | 3-Major | Apply Policy Fails After Policy Diff and Merge |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 458823-2 | 2-Critical | TMM Crash can lead to crash of other processes | |
| 535246 | 3-Major | K17493 | Table values are not correctly cleaned and can occupy entire disk space. |
| 530952-4 | 3-Major | MySql query fails with error number 1615 'Prepared statement needs to be re-prepared' | |
| 530356-1 | 3-Major | Some AVR tables that hold ASM statistics are not being backed up in upgrade process. | |
| 529903-2 | 3-Major | Incorrect reports on multi-bladed systems | |
| 519252-1 | 3-Major | SIP statistics upgrade★ | |
| 474613-2 | 3-Major | Upgrading from previous versions★ | |
| 472125-3 | 3-Major | IP Intelligence report data is not roll-forwarded between installations as it should★ | |
| 537435-4 | 4-Minor | Monpd might core if asking for export report by email while monpd is terminating |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 553330-2 | 1-Blocking | Unable to create a new document with SharePoint 2010 | |
| 555507-3 | 2-Critical | K88973987 | Under certain conditions, SSO plugin can overrun memory not owned by the plugin. |
| 537227-6 | 2-Critical | EdgeClient may crash if special Network Access configuration is used | |
| 532340-2 | 2-Critical | When FormBased SSO or SAML SSO are configured, tmm may restart at startup | |
| 530622-2 | 2-Critical | EAM plugin uses high memory when serving very high concurrent user load | |
| 502269-2 | 2-Critical | Large post requests may fail using form based SSO. | |
| 480272-8 | 2-Critical | K17117 | During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID |
| 459584-2 | 2-Critical | K11596702 | TMM crashes if request URI is empty or longer than 4096 bytes. |
| 437611-3 | 2-Critical | K16104 | ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204 |
| 558859 | 3-Major | Control insertion to log_session_details table by Access policy logging level. | |
| 551764-1 | 3-Major | K14954742 | [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform |
| 549588-3 | 3-Major | EAM memory leak when cookiemap is destroyed without deleting Cookie object in it | |
| 544992-2 | 3-Major | Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp) | |
| 539270-2 | 3-Major | A specific NTLM client fails to authenticate with BIG-IP | |
| 539229-4 | 3-Major | EAM core while using Oracle Access Manager | |
| 537614-2 | 3-Major | Machine certificate checker fails to use Machine cert check service if Windows has certain display languages | |
| 532761-1 | 3-Major | APM fails to handle compressed ICA file in integration mode | |
| 528808-2 | 3-Major | Source NAT translation doesn't work when APM is disabled using iRule | |
| 526637-1 | 3-Major | tmm crash with APM clientless mode | |
| 522791-1 | 3-Major | K45123459 | HTML rewriting on client might leave 'style' attribute unrewritten. |
| 482177-2 | 3-Major | K16777 | Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO |
| 467256-1 | 3-Major | K25633150 | Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat |
| 462598-3 | 3-Major | K17184 | Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members. |
| 446860-6 | 3-Major | APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 | |
| 533723-7 | 4-Minor | [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag. | |
| 491080-2 | 4-Minor | K92821195 | Memory leak in access framework |
| 473685-2 | 4-Minor | Websso truncates cookie domain value |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 525478-3 | 3-Major | K80413728 | Requests for deflate encoding of gzip documents may crash TMM |
| 517013-2 | 3-Major | CSS minification can on occasion remove necessary whitespace | |
| 506557-5 | 3-Major | K45240941 | IBR tags might occasionally be all zeroes. |
| 506315-10 | 3-Major | WAM/AAM is honoring OWS age header when not honoring OWS maxage. | |
| 501714-4 | 3-Major | System does not prevent low quality JPEGs from optimizing to higher quality (becoming larger) does not work when AAM image optimization enabled and JPEG quality in policy is higher than JPEGs on OWS. | |
| 476476-9 | 3-Major | Occasional inability to cache optimized PDFs and images | |
| 384072-5 | 3-Major | K10442159 | Authorization requests not being cached when allowed. |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 528955-2 | 3-Major | TMM may core when using Request Adapt profile | |
| 523854-4 | 3-Major | K35305250 | TCP reset with RTSP Too Big error when streaming interleaved data |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 540484-4 | 2-Critical | K04005785 | "show sys pptp-call-info" command can cause tmm crash |
| 533562-5 | 2-Critical | K15320373 | Memory leak in CGNAT can result in crash |
| 515646-9 | 2-Critical | K17339 | TMM core when multiple PPTP calls from the same client |
| 494743-8 | 2-Critical | K17389 | Port exhaustion errors on VIPRION 4800 when using CGNAT |
| 494122-6 | 2-Critical | K02533962 | Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades |
| 490893-9 | 2-Critical | K16762 | Determinstic NAT State information incomplete for HSL log format |
| 500424-5 | 3-Major | dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error | |
| 486762-2 | 3-Major | K05172346 | lsn-pool connection limits may be invalid when mirroring is enabled |
| 480119-5 | 3-Major | K16112 | Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message. |
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 534630-3 | CVE-2015-5477 | K16909 | Upgrade BIND to address CVE 2015-5477 |
| 530829-2 | CVE-2015-5516 | K00032124 | UDP traffic sent to the host may leak memory under certain conditions. |
| 529509-4 | CVE-2015-4620 | K16912 | BIND Vulnerability CVE-2015-4620 |
| 527799-10 | CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 | K16674 K16915 K16914 | OpenSSL library in APM clients updated to resolve multiple vulnerabilities |
| 527630-2 | CVE-2015-1788 | K16938 | CVE-2015-1788 : OpenSSL Vulnerability |
| 523032-5 | CVE-2015-3456 | K16620 | qemu-kvm VENOM vulnerability CVE-2015-3456 |
| 506034-5 | CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 | K16393 | NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298) |
| 532522-4 | CVE-2015-1793 | K16937 | CVE-2015-1793 |
| 531576-2 | CVE-2016-7476 | K87416818 | TMM vulnerability CVE-2016-7476 |
| 520466-3 | CVE-2015-3628 | K16728 | Ability to edit iCall scripts is removed from resource administrator role |
| 516618-4 | CVE-2013-7424 | K16472 | glibc vulnerability CVE-2013-7424 |
| 513382-2 | CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 | K16317 | Resolution of multiple OpenSSL vulnerabilities |
| 527639-5 | CVE-2015-1791 | K16914 | CVE-2015-1791 : OpenSSL Vulnerability |
| 527638-5 | CVE-2015-1792 | K16915 | OpenSSL vulnerability CVE-2015-1792 |
| 527637-5 | CVE-2015-1790 | K16898 | PKCS #7 vulnerability CVE-2015-1790 |
| 527633-5 | CVE-2015-1789 | K16913 | OpenSSL vulnerability CVE-2015-1789 |
| 500091-3 | CVE-2015-0204 | K16139 | CVE-2015-0204 : OpenSSL Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 502443-9 | 2-Critical | K16457 | After enabling a blade/HA member, pool members are marked down because monitoring starts too soon. |
| 520705-4 | 3-Major | Edge client contains multiple duplicate entries in server list | |
| 490537-4 | 3-Major | Persistence Records display in GUI might cause system crash with large number of records | |
| 374067-2 | 3-Major | K14098 | Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 516184 | 1-Blocking | IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values | |
| 542898 | 2-Critical | Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0 | |
| 513454-2 | 2-Critical | An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts | |
| 509503-3 | 2-Critical | tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration | |
| 507327-2 | 2-Critical | Programs that read stats can leak memory on errors reading files | |
| 495335-4 | 2-Critical | K17436 | BWC related tmm core |
| 479460-4 | 2-Critical | SessionDb may be trapped in wrong HA state during initialization | |
| 420107-3 | 2-Critical | TMM could crash when modifying HTML profile configuration | |
| 364978-2 | 2-Critical | Active/standby system configured with unit 2 failover objects★ | |
| 546410-1 | 3-Major | K02151433 | Configuration may fail to load when upgrading from version 10.x.★ |
| 540638 | 3-Major | GUI Device Management Overview to display device_trust_group | |
| 535806-4 | 3-Major | Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE | |
| 533458-2 | 3-Major | Insufficient data for determining cause of HSB lockup. | |
| 533257-1 | 3-Major | tmsh config file merge may fail when AFM security log profile is present in merged file | |
| 530122 | 3-Major | Improvements in building hotfix images for hypervisors. | |
| 527021-2 | 3-Major | BIG-IQ iApp statistics corrected for empty pool use cases | |
| 526419-2 | 3-Major | Deleting an iApp service may fail | |
| 524326-3 | 3-Major | Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips | |
| 524126-3 | 3-Major | K02142351 | The DB variable provision.tomcat.extramb is cleared on first boot.★ |
| 523125-1 | 3-Major | K17350 | Disabling/enabling blades in cluster can result in inconsistent failover state |
| 520640-1 | 3-Major | K31002924 | The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method. |
| 519877-3 | 3-Major | External pluggable module interfaces not disabled correctly. | |
| 519068-2 | 3-Major | device trust setup can require restart of devmgmtd | |
| 518039-2 | 3-Major | BIG-IQ iApp statistics corrected for partition use cases | |
| 517580-2 | 3-Major | K16787 | OPT-0015 on 10000-series appliance may cause bcm56xxd restarts |
| 516669-2 | 3-Major | K34602919 | Rarely occurring SOD core causes failover. |
| 513974-4 | 3-Major | K16691 | Transaction validation errors on object references |
| 513916-4 | 3-Major | K80955340 | String iStat rollup not consistent with multiple blades |
| 513649-3 | 3-Major | Transaction validation errors on object references | |
| 510119-3 | 3-Major | HSB performance can be suboptimal when transmitting TSO packets. | |
| 509782-2 | 3-Major | K16780 | TSO packets can be dropped with low MTU |
| 509504-4 | 3-Major | K17500 | Excessive time to save/list a firewall rule-list configuration |
| 507575-3 | 3-Major | An incorrectly formated NAPTR creation via iControl can cause an error. | |
| 507331-6 | 3-Major | Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled. | |
| 506041-5 | 3-Major | K01256304 | Folders belonging to a device group can show up on devices not in the group |
| 502238-2 | 3-Major | K16736 | Connectivity and traffic interruption issues caused by a stuck HSB transmit ring |
| 501517-5 | 3-Major | K17478 | Very large configuration can cause transaction timeouts on secondary blades |
| 499260-2 | 3-Major | Deleting trust-domain fails when standby IP is in ha-order | |
| 497564-5 | 3-Major | Improve High Speed Bridge diagnostic logging on transmit/receive failures | |
| 483683-7 | 3-Major | K16210 | MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error |
| 481696-5 | 3-Major | Failover error message 'sod out of shmem' in /var/log/ltm | |
| 473348-5 | 3-Major | K16654 | SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later |
| 472365-5 | 3-Major | The vCMP worker-lite system occasionally stops due to timeouts | |
| 470184-1 | 3-Major | K17284 | In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List |
| 455264-2 | 3-Major | K54105052 | Error messages are not clear when adding member to device trust fails |
| 451602-6 | 3-Major | DPD packet drops with keyed VLAN connections | |
| 441100-1 | 3-Major | iApp partition behavior corrected | |
| 436682-6 | 3-Major | Optical SFP modules shows a higher optical power output for disabled switch ports | |
| 410398-8 | 3-Major | sys db tmrouted.rhifailoverdelay does not seem to work | |
| 405752-2 | 3-Major | K22040410 | TCP Half Open monitors sourced from specific source ports can fail |
| 362267-2 | 3-Major | K17488 | Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors★ |
| 359774-5 | 3-Major | Pools in HA groups other than Common★ | |
| 355661-2 | 3-Major | K85476133 | sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address |
| 523863-1 | 4-Minor | istats help not clear for negative increment | |
| 475647-3 | 4-Minor | VIPRION Host PIC firmware version 7.02 update | |
| 465009-2 | 4-Minor | VIPRION B2100-series LOP firmware version 2.10 update | |
| 464043-4 | 4-Minor | Integration of Firmware for the 2000 Series Blades | |
| 460456-3 | 4-Minor | FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0 | |
| 460444-3 | 4-Minor | VIPRION B4300 BIOS version 2.03.052.0 update | |
| 460428-3 | 4-Minor | BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update | |
| 460422-3 | 4-Minor | BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms. | |
| 460406-3 | 4-Minor | VIPRION B2100-series BIOS version 1.06.043.0 update | |
| 460397-3 | 4-Minor | FW RELEASE: Incorporate B2250 BIOS 1.26.012.0 | |
| 447075-3 | 4-Minor | CuSFP module plugged in during links-down state will cause remote link-up | |
| 443298-3 | 4-Minor | FW Release: Incorporate VIPRION 2250 LOP firmware v1.20 |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 522784-3 | 1-Blocking | After restart, system remains in the INOPERATIVE state | |
| 420341-5 | 1-Blocking | K17082 | Connection Rate Limit Mode when limit is exceeded by one client also throttles others |
| 419458-3 | 1-Blocking | HTTP is more efficient in buffering data | |
| 530963-3 | 2-Critical | BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms | |
| 530769 | 2-Critical | F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment. | |
| 528432-1 | 2-Critical | Control plane CPU usage reported too high | |
| 527826-1 | 2-Critical | K31622556 | IP Intelligence update failed: Missing SSL certificate★ |
| 527649-1 | 2-Critical | Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.★ | |
| 523079-1 | 2-Critical | Merged may crash when file descriptors exhausted | |
| 521548-5 | 2-Critical | Possible crash in SPDY | |
| 521336-1 | 2-Critical | pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core | |
| 499422-2 | 2-Critical | K31310380 | An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm. |
| 478592-5 | 2-Critical | K16798 | When using the SSL forward proxy feature, clients might be presented with expired certificates. |
| 474601-4 | 2-Critical | FTP connections are being offloaded to ePVA | |
| 468375-2 | 2-Critical | K16779 | TMM crash when MPTCP JOIN arrives in the middle of a flow |
| 450814-9 | 2-Critical | Early HTTP response might cause rare 'server drained' assertion | |
| 443157-1 | 2-Critical | zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db | |
| 431283-3 | 2-Critical | iRule binary scan may core TMM when the offset is large | |
| 402412-10 | 2-Critical | FastL4 tcp handshake timeout is not honored, connection lives for idle timeout. | |
| 545821 | 3-Major | Idle timeout changes to five seconds when using PVA full or Assisted acceleration. | |
| 530795-1 | 3-Major | In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number. | |
| 524666-2 | 3-Major | DNS licensed rate limits might be unintentionally activated. | |
| 522147-1 | 3-Major | 'tmsh load sys config' fails after key conversion to FIPS using web GUI | |
| 521813-3 | 3-Major | Cluster is removed from HA group on restart | |
| 521774-2 | 3-Major | K17420 | Traceroute and ICMP errors may be blocked by AFM policy |
| 521538-3 | 3-Major | K08025400 | Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known |
| 521522-2 | 3-Major | K21981142 | Traceroute through BIG-IP may display destination IP address at BIG-IP hop |
| 521408-2 | 3-Major | Incorrect configuration in BigTCP Virtual servers can lead to TMM core | |
| 520540-2 | 3-Major | Specific iRule commands may generate a core file | |
| 518086-1 | 3-Major | Safenet HSM Traffic failure after system reboot/switchover | |
| 518020-10 | 3-Major | K16672 | Improved handling of certain HTTP types. |
| 517556-2 | 3-Major | DNSSEC unsigned referral response is improperly formatted | |
| 515759-2 | 3-Major | K92401129 | Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time |
| 515139-4 | 3-Major | K17067 | Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics |
| 514604-2 | 3-Major | Nexthop object can be freed while still referenced by another structure | |
| 512383-4 | 3-Major | K68275911 | Hardware flow stats are not consistently cleared during fastl4 flow teardown. |
| 512062 | 3-Major | K21528300 | A db variable to disable verification of SCTP checksum when ingress packet checksum is zero |
| 510638-2 | 3-Major | K37513511 | [DNS] Config change in dns cache resolver does not take effect until tmm restart |
| 507529 | 3-Major | Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow | |
| 507127-1 | 3-Major | DNS cache resolver is inserted to a wrong list on creation. | |
| 504899-1 | 3-Major | Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one) | |
| 504105-3 | 3-Major | RR-DAG enabled UDP ports may be used as source ports for locally originated traffic | |
| 501516-4 | 3-Major | If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted. | |
| 497584-5 | 3-Major | The RA bit on DNS response may not be set | |
| 496758-4 | 3-Major | K16465 | Monitor Parameters saved to config in a certain order may not construct parameters correctly |
| 488600-1 | 3-Major | iRule compilation fails on upgrade★ | |
| 479682-5 | 3-Major | K16862 | TMM generates hundreds of ICMP packets in response to a single packet |
| 478617-7 | 3-Major | K16451 | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
| 478439-5 | 3-Major | K16651 | Unnecessary re-transmission of packets on higher ICMP PMTU. |
| 478257-6 | 3-Major | Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed | |
| 476097-3 | 3-Major | K15274113 | TCP Server MSS option is ignored in verified accept mode |
| 468472-6 | 3-Major | Unexpected ordering of internal events can lead to TMM core. | |
| 465590-4 | 3-Major | K17531 | Mirrored persistence information is not retained while flows are active |
| 462714-3 | 3-Major | K66236389 | Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server |
| 460627-5 | 3-Major | K17059 | SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists |
| 455762-3 | 3-Major | K17094 | DNS cache statistics incorrect |
| 454018-6 | 3-Major | K16540 | Nexthop to tmm0 ref-count leakage could cause TMM core |
| 452439-4 | 3-Major | K15574 | TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads |
| 451960-3 | 3-Major | HTTPS monitors do not work with FIPS keys | |
| 449848-5 | 3-Major | Diameter Monitor not waiting for all fragments | |
| 442686-1 | 3-Major | DNSX Transfers Occur on DNSX authoritative server change | |
| 422107-7 | 3-Major | K17415 | Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set |
| 422087-4 | 3-Major | K16326 | Low memory condition caused by Ram Cache may result in TMM core |
| 375887-5 | 3-Major | K17282 | Cluster member disable or reboot can leak a few cross blade trunk packets |
| 374339-5 | 3-Major | HTTP::respond/redirect might crash TMM under low-memory conditions | |
| 352925-4 | 3-Major | K16288 | Updating a suspended iRule and TMM process restart |
| 342013-5 | 3-Major | K27445955 | TCP filter doesn't send keepalives in FIN_WAIT_2 |
| 514729-1 | 4-Minor | 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 515797-2 | 2-Critical | Using qos_score command in RULE_INIT event causes TMM crash | |
| 526699-5 | 3-Major | K40555016 | TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port. |
| 516685-1 | 3-Major | ZoneRunner might fail to load valid zone files. | |
| 516680-1 | 3-Major | ZoneRunner might fail when loading valid zone files. | |
| 515033-1 | 3-Major | [ZRD] A memory leak in zrd | |
| 515030-2 | 3-Major | K74820030 | [ZRD] A memory leak in Zrd |
| 514236-2 | 3-Major | [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses | |
| 496775-6 | 3-Major | K16194 | [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor |
| 471819-1 | 3-Major | The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled. | |
| 465951-1 | 3-Major | K12562945 | If net self description size =65K, gtmd restarts continuously |
| 225443-6 | 3-Major | gtmparse fails to load if you add unsupported SIP monitor parameters to the config | |
| 479084-3 | 4-Minor | ZoneRunner can fail to respond to commands after a VE resume. | |
| 353556-2 | 4-Minor | big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 524428-2 | 2-Critical | Adding multiple signature sets concurrently via REST | |
| 524004-2 | 2-Critical | Adding multiple signatures concurrently via REST | |
| 520280-2 | 2-Critical | Perl Core After Apply Policy Action | |
| 516523-1 | 2-Critical | Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group | |
| 487420-3 | 2-Critical | BD crash upon stress on session tracking | |
| 532030-2 | 3-Major | ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI | |
| 526856-2 | 3-Major | "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency | |
| 523261-2 | 3-Major | ASM REST: MCP Persistence is not triggered via REST actions | |
| 523260-2 | 3-Major | K52028045 | Apply Policy finishes with coapi_query failure displayed |
| 523201-1 | 3-Major | Expired files are not cleaned up after receiving an ASM Manual Synchronization | |
| 520796-2 | 3-Major | High ASCII characters availability for policy encoding | |
| 520585-1 | 3-Major | Changing Security Policy Application Language Is Not Validated or Propagated Properly | |
| 516522-2 | 3-Major | K04420402 | After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.★ |
| 514061-1 | 3-Major | K17562 | False positive scenario causes SMTP transactions to hang and eventually reset. |
| 512668-2 | 3-Major | ASM REST: Unable to Configure Clickjacking Protection via REST | |
| 510499-1 | 3-Major | K17544 | System Crashes after Sync in an ASM-only Device Group. |
| 506407-1 | 3-Major | K04420402 | Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages★ |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 533098 | 3-Major | K68715215 | Traffic capture filter not catching all relevant transactions |
| 531526-1 | 3-Major | K17560 | Missing entry in SQL table leads to misleading ASM reports |
| 525708-2 | 3-Major | K17555 | AVR reports of last year are missing the last month data |
| 519022-1 | 3-Major | K01334306 | Upgrade process fails to convert ASM predefined scheduled-reports.★ |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 525920 | 1-Blocking | VPE fails to display access policy | |
| 492149-2 | 1-Blocking | Inline JavaScript with HTML entities may be handled incorrectly | |
| 488736-6 | 1-Blocking | Fixed problem with iNotes 9 Instant Messaging | |
| 482266-1 | 1-Blocking | Windows 10 support for Network Access / BIG-IP Edge Client | |
| 482241-5 | 1-Blocking | Windows 10 cannot be properly detected | |
| 437670-2 | 1-Blocking | Race condition in APM windows client on modifying DNS search suffix | |
| 526833 | 2-Critical | Reverse Proxy produces JS error: 'is_firefox' is undefined | |
| 526754-3 | 2-Critical | F5unistaller.exe crashes during uninstall | |
| 525562-2 | 2-Critical | Debug TMM Crashes During Initialization | |
| 520298-1 | 2-Critical | Java applet does not work | |
| 520145-2 | 2-Critical | [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy | |
| 519864-2 | 2-Critical | Memory leak on L7 Dynamic ACL | |
| 518260-4 | 2-Critical | Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message | |
| 517988-1 | 2-Critical | TMM may crash if access profile is updated while connections are active | |
| 517146-2 | 2-Critical | Log ID 01490538 may be truncated | |
| 516075-5 | 2-Critical | Linux command line client fails with on-demand cert | |
| 514220-2 | 2-Critical | New iOS-based VPN client may fail to create IPv6 VPN tunnels | |
| 513581 | 2-Critical | Occasional TMM crash when HTTP payload is scanned through SWG | |
| 509490-1 | 2-Critical | [IE10]: attachEvent does not work | |
| 507681-9 | 2-Critical | Window.postMessage() does not send objects in IE11 | |
| 506223-1 | 2-Critical | A URI in request to cab-archive in iNotes is rewritten incorrectly | |
| 497118-6 | 2-Critical | Tmm may restart when SAML SLO is triggered | |
| 487399-3 | 2-Critical | VDI plugin crashes when View client disconnects prematurely | |
| 474058-7 | 2-Critical | K16689 | When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions |
| 471874-6 | 2-Critical | K16850 | VDI plugin crashes when trying to respond to client after client has disconnected |
| 452163-1 | 2-Critical | Cross-domain functionality is broken in AD Query★ | |
| 451469-3 | 2-Critical | APM User Identity daemon doesn't generate core | |
| 540778 | 3-Major | Multiple SIGSEGV with core and failover with no logged indicator | |
| 539013-2 | 3-Major | DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases | |
| 537000-3 | 3-Major | Installation of Edge Client can cause Windows 10 crash in some cases | |
| 534755-2 | 3-Major | Deleting APM virtual server produces ERR_NOT_FOUND error | |
| 532096-3 | 3-Major | Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used | |
| 531883-3 | 3-Major | Windows 10 App Store VPN Client must be detected by BIG-IP APM | |
| 531483-1 | 3-Major | Copy profile might end up with error | |
| 530697-3 | 3-Major | Windows Phone 10 platform detection | |
| 529392-3 | 3-Major | Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script | |
| 528726-2 | 3-Major | AD/LDAP cache size reduced | |
| 528675-3 | 3-Major | BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired | |
| 526617-2 | 3-Major | TMM crash when logging a matched ACL entry with IP protocol set to 255 | |
| 526578-2 | 3-Major | Network Access client proxy settings are not applied on German Windows | |
| 526492-3 | 3-Major | DNS resolution fails for Static and Optimized Tunnels on Windows 10 | |
| 526275-2 | 3-Major | VMware View RSA/RADIUS two factor authentication fails | |
| 526084-1 | 3-Major | Windows 10 platform detection for BIG-IP EDGE Client | |
| 525384-3 | 3-Major | Networks Access PAC file now can be located on SMB share | |
| 524909-3 | 3-Major | Windows info agent could not be passed from Windows 10 | |
| 523431-1 | 3-Major | Windows Cache and Session Control cannot support a period in the access profile name | |
| 523390-1 | 3-Major | Minor memory leak on IdP when SLO is configured on bound SP connectors. | |
| 523329 | 3-Major | When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions. | |
| 523327-3 | 3-Major | In very rare cases Machine Certificate service may fail to find private key | |
| 523222-7 | 3-Major | Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. | |
| 521835-1 | 3-Major | [Policy Sync] Connectivity profile with a customized logo fails | |
| 521773-1 | 3-Major | K10105099 | Memory leak in Portal Access |
| 521506-3 | 3-Major | Network Access doesn't restore loopback route on multi-homed machine | |
| 520642-2 | 3-Major | Rewrite plugin should check length of Flash files and tags | |
| 520390-2 | 3-Major | Reuse existing option is ignored for smtp servers | |
| 520205-2 | 3-Major | Rewrite plugin could crash on malformed ActionScript 3 block in Flash file | |
| 520118-3 | 3-Major | Duplicate server entries in Server List. | |
| 519966-1 | 3-Major | APM "Session Variables" report shows user passwords in plain text | |
| 519415-4 | 3-Major | apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual ) | |
| 519198-2 | 3-Major | [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user | |
| 518981-1 | 3-Major | RADIUS accounting STOP message may not include long class attributes | |
| 518583-3 | 3-Major | Network Access on disconnect restores redundant default route after looped network roaming for Windows clients | |
| 517564-2 | 3-Major | APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port | |
| 517441-4 | 3-Major | apd may crash when RADIUS accounting message is greater than 2K | |
| 516839-7 | 3-Major | Add client type detection for Microsoft Edge browser | |
| 516462-3 | 3-Major | Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines | |
| 515943-1 | 3-Major | "Session variables" report may show empty if session variable value contains non-English characters | |
| 514912-2 | 3-Major | Portal Access scripts had not been inserted into HTML page in some cases | |
| 513969-2 | 3-Major | UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running | |
| 513953-2 | 3-Major | K17122 | RADIUS Auth/Acct might fail if server response size is more than 2K |
| 513706-3 | 3-Major | K16958 | Incorrect metric restoration on Network Access on disconnect (Windows) |
| 513283 | 3-Major | Mac Edge Client doesnt send client data if access policy expired | |
| 513165-1 | 3-Major | SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute | |
| 513098-2 | 3-Major | K17180 | localdb_mysql_restore.sh failed with exit code |
| 512345-6 | 3-Major | K17380 | Dynamic user record removed from memcache but remains in MySQL |
| 512245 | 3-Major | Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname | |
| 511961-2 | 3-Major | BIG-IP Edge Client does not display logon page for FirePass | |
| 511854-3 | 3-Major | K85408112 | Rewriting URLs at client side does not rewrite multi-line URLs |
| 511648-3 | 3-Major | K16959 | On standby TMM can core when active system sends leasepool HA commands to standby device |
| 511441-2 | 3-Major | K17564 | Memory leak on request Cookie header longer than 1024 bytes |
| 510709-3 | 3-Major | Websso start URI match fails if there are more than 2 start URI's in SSO configuration. | |
| 507116-3 | 3-Major | K17030 | Web-application issues and/or unexpected exceptions. |
| 505755-4 | 3-Major | K11043155 | Some scripts on dynamically loaded html page could be not executed. |
| 500938-4 | 3-Major | Network Access can be interrupted if second NIC is disconnected | |
| 500450-2 | 3-Major | ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso. | |
| 498782-5 | 3-Major | K17104 | Config snapshots are deleted when failover happens |
| 495702-3 | 3-Major | K40419383 | Mac Edge Client cannot be downloaded sometimes from management UI |
| 495336-5 | 3-Major | K39768154 | Logon page is not displayed correctly when 'force password change' is on for local users. |
| 494565-3 | 3-Major | K65181614 | CSS patcher crashes when a quoted value consists of spaces only |
| 494189-3 | 3-Major | Poor performance in clipboard channel when copying | |
| 493006 | 3-Major | Export of huge policies might endup with 'too many pipes opened' error | |
| 492701-2 | 3-Major | Resolved LSOs are overwritten by source device in new Policy Sync with new LSO | |
| 492305-2 | 3-Major | Recurring file checker doesn't interrupt session if client machine has missing file | |
| 490830-3 | 3-Major | Protected Workspace is not supported on Windows 10 | |
| 488105-2 | 3-Major | TMM may generate core during certain config change. | |
| 483792-6 | 3-Major | when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources | |
| 483286-2 | 3-Major | APM MySQL database full as log_session_details table keeps growing | |
| 482699-2 | 3-Major | VPE displaying "Uncaught TypeError" | |
| 482269-2 | 3-Major | APM support for Windows 10 out-of-the-box detection | |
| 482251-2 | 3-Major | K95824957 | Portal Access. Location.href(url) support. |
| 480761-2 | 3-Major | Fixed issue causing TunnelServer to crash during reconnect | |
| 479451-2 | 3-Major | K16737 | Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth |
| 478492-5 | 3-Major | K17476 | Incorrect handling of HTML entities in attribute values |
| 478333-4 | 3-Major | Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions | |
| 474779-2 | 3-Major | EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails. | |
| 474698-5 | 3-Major | BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions. | |
| 473255-2 | 3-Major | K41869058 | Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement. |
| 472256-4 | 3-Major | K17259 | tmsh and tmctl report unusually high counter values |
| 472062-2 | 3-Major | K17480 | Unmangled requests when form.submit with arguments is called in the page |
| 471117-3 | 3-Major | K17546 | iframe with JavaScript in 'src' attribute not handled correctly in IE11 |
| 468441-2 | 3-Major | OWA2013 may work incorrectly via Portal Access in IE10/11 | |
| 468433-2 | 3-Major | K16860 | OWA2013 may work incorrectly via Portal Access in IE10/11 |
| 468137-12 | 3-Major | Network Access logs missing session ID | |
| 466745-2 | 3-Major | Cannot set the value of a session variable with a leading hyphen. | |
| 457902-5 | 3-Major | No EAM- log stacktrace in /var/log/apm on EAM crash event. | |
| 457760-6 | 3-Major | EAM not redirecting stdout/stderr from standard libraries to /var/log/apm | |
| 457603-3 | 3-Major | K25117932 | Cookies handling issue with Safari on iOS6, iOS7 |
| 457525-3 | 3-Major | K17359 | When DNS resolution for AppTunnel resource fails, the resource is removed |
| 454086-4 | 3-Major | K15832 | Portal Access issues with Firefox version 26.0.0 or later |
| 452527-2 | 3-Major | K17178 | Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode |
| 442528-5 | 3-Major | Demangle filter crash | |
| 440841-4 | 3-Major | sso and apm split tunnelling log message is at notice level | |
| 438969-2 | 3-Major | HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain | |
| 437744-7 | 3-Major | K15186 | SAML SP service metadata exported from APM may fail to import. |
| 425882-4 | 3-Major | Windows EdgeClient's configuration file could be corrupted on system reboot/sleep | |
| 424936-1 | 3-Major | apm_mobile_ppc.css has duplicate 1st line | |
| 423282-7 | 3-Major | K17116 | BIG-IP JavaScript includes can be improperly injected in case of conditional commment presence |
| 420512-1 | 3-Major | All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels | |
| 416115-13 | 3-Major | Edge client continues to use old IP address even when server IP address changed | |
| 408851-3 | 3-Major | Some Java applications do not work through BIG-IP server | |
| 402793-13 | 3-Major | APM Network Accces tunnel slows down and loses data in secure renegotiation on Linux and Mac clients | |
| 532394-1 | 4-Minor | Client to log value of "SearchList" registry key. | |
| 524756-1 | 4-Minor | APM Log is filled with errors about failing to add/delete session entry | |
| 517872-2 | 4-Minor | Include proxy hostname in logs in case of name resolution failure | |
| 513201-5 | 4-Minor | Edge client is missing localization of some English text in Japanese locale | |
| 510596-5 | 4-Minor | Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty | |
| 510459-2 | 4-Minor | In some cases Access does not redirect client requests | |
| 507321-2 | 4-Minor | JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields | |
| 504461-3 | 4-Minor | Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it. | |
| 497627-2 | 4-Minor | K58125050 | Tmm cores while using APM network access and no leasepool is created on the BIG-IP system. |
| 482145-4 | 4-Minor | Text in buttons not centered correctly for higher DPI settings | |
| 464547-5 | 4-Minor | Show proper error message when VMware View client sends invalid credentials to APM | |
| 454784-2 | 4-Minor | in VPE %xx symbols such as the variable assign agent might be invalidly decoded. |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 514785-3 | 1-Blocking | TMM crash when processing AAM-optimized video URLs | |
| 522231-2 | 3-Major | TMM may crash when a client resets a connection | |
| 521455-5 | 3-Major | K16963 | Images transcoded to WebP format delivered to Edge browser |
| 511534-2 | 3-Major | K44288136 | A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load, |
| 476460-4 | 3-Major | WAM Range HTTP header limited to 8 ranges | |
| 421791-4 | 3-Major | K15559 | Out of Memory Error |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 461216-2 | 2-Critical | Cannot rename some files using CIFS optimization of the BIG-IP system. | |
| 497389-2 | 3-Major | Extraneous dedup_admin core | |
| 457568-1 | 3-Major | K16966 | Loading of configuration fails intermittently due to WOC Plug-in-related issues. |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 521556-2 | 2-Critical | Assertion "valid pcb" in TCP4 with ICAP adaptation | |
| 516057-5 | 2-Critical | Assertion 'valid proxy' can occur after a configuration change with active IVS flows. | |
| 503652-1 | 2-Critical | K17162 | Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit. |
| 512054-4 | 3-Major | K17135 | CGNAT SIP ALG - RTP connection not created after INVITE |
| 511326-3 | 3-Major | K24410405 | SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation. |
| 499701-6 | 3-Major | SIP Filter drops UDP flow when ingressq len limit is reached. | |
| 480311-4 | 3-Major | K47143123 | ADAPT should be able to work with OneConnect |
| 448493-11 | 3-Major | SIP response from the server to the client get dropped |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 524748 | 2-Critical | PCCD optimization for IP address range | |
| 468688-1 | 2-Critical | Initial sync fails for upgraded pair (11.5.x to 11.6)★ | |
| 530865-1 | 3-Major | AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists) | |
| 523465-1 | 3-Major | Log an error message when firewall rule serialization fails due to maximum blob limit being hit. | |
| 515187 | 3-Major | Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules. | |
| 515112-2 | 3-Major | Delayed ehash initialization causes crash when memory is fragmented. | |
| 513565-3 | 3-Major | AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept. | |
| 509919-1 | 3-Major | Incorrect counter for SelfIP traffic on cluster | |
| 497671 | 3-Major | iApp GUI: Unable to add FW Policy/Rule to context via iApp | |
| 485880-3 | 3-Major | Unable to apply ASM policy with forwarding CPM policy via GUI, generic error | |
| 459024-1 | 3-Major | Error L4 packets encounter configured whitelist entries that do not match the protocol | |
| 533808-2 | 4-Minor | Unable to create new rule for virtual server if order is set to "before"/"after" | |
| 533336-1 | 4-Minor | Display 'description' for port list members | |
| 510226-1 | 4-Minor | All descriptions for ports-list's members are flushed after the port-list was updated | |
| 495432-1 | 5-Cosmetic | Add new log messages for AFM rule message load/activation in datapath. |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 491771-1 | 2-Critical | Parking command called from inside catch statement | |
| 450779-1 | 2-Critical | PEM source or destination flow filter attempts match against both source and destination IPs of a flow | |
| 439249-1 | 2-Critical | PEM:Initial quota request in the rating group request is not as configured. | |
| 526295-4 | 3-Major | BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id | |
| 511064-2 | 3-Major | K17108 | Repeated install/uninstall of policy with usage monitoring stops after second time |
| 495913-3 | 3-Major | TMM core with CCA-I policy received with uninstall | |
| 478399-6 | 3-Major | PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured. | |
| 464273-1 | 3-Major | PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type | |
| 438608-1 | 3-Major | PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU) | |
| 438092-2 | 3-Major | PEM: CCR-U triggered by RAR during Gy session will have not have Requested Service Unit(RSU) | |
| 449643-2 | 4-Minor | Error message 'Gx uninit failed!' and 'Gy unint failed!' received during boot of the system |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 525595-1 | 1-Blocking | K38134424 | Memory leak of inbound sockets in restjavad. |
| 509273-3 | 2-Critical | hostagentd consumes memory over time | |
| 509120-1 | 2-Critical | BIG-IQ 4.5.0 cannot discover version pre-11.5.4 BIG-IP versions due to /tmp removal★ |
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 511651-2 | CVE-2015-5058 | K17047 | CVE-2015-5058: Performance improvement in packet processing. |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 513034-2 | CVE-2015-4638 | K17155 | TMM may crash if Fast L4 virtual server has fragmented packets |
| 492368-10 | CVE-2014-8602 | K15931 | Unbound vulnerability CVE-2014-8602 |
| 489323-6 | CVE-2015-8098 | K43552605 | Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server. |
| 507842-4 | CVE-2015-1349 | K16356 | Patch for BIND Vulnerability CVE-2015-1349 |
| 500088-10 | CVE-2014-3571 | K16123 | OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update |
| 497719-12 | CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 | K15934 | NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296 |
| 477281-9 | CVE-2014-6032 | K15605 | Improved XML Parsing |
| 441613-8 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
| 447483-7 | CVE-2014-3959 | K15296 | CVE-2014-3959 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 500303-11 | 1-Blocking | K17302 | Virtual Address status may not be reliably communicated with route daemon |
| 499947-3 | 2-Critical | Improved performance loading thousands of Virtual Servers | |
| 502770-3 | 3-Major | clientside and serverside command crashes TMM | |
| 451433-2 | 3-Major | HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe) | |
| 368824-1 | 3-Major | K24050031 | There is no indication that a failed standby cannot go active. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 477218-6 | 1-Blocking | Simultaneous stats query and pool configuration change results in process exit on secondary. | |
| 452656-4 | 1-Blocking | NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable' | |
| 425729-1 | 1-Blocking | mcpd debug logging hardening | |
| 509276-3 | 2-Critical | VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device | |
| 507487-3 | 2-Critical | ZebOS Route not withdrawn when VAddr/VIP down and no default pool | |
| 504496-4 | 2-Critical | AAA Local User Database may sync across failover groups | |
| 501343-2 | 2-Critical | In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle | |
| 484733-5 | 2-Critical | aws-failover-tgactive.sh doesn't skip network forwarding virtuals | |
| 471860-2 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
| 467196-4 | 2-Critical | K16015 | Log files limited to 24 hours |
| 466266-3 | 2-Critical | In rare cases, an upgrade (or a restart) can result in an Active/Active state★ | |
| 438674-4 | 2-Critical | K14873 | When log filters include tamd, tamd process may leak descriptors |
| 430323-3 | 2-Critical | VXLAN daemon may restart when 8000 VXLAN tunnels are configured | |
| 412160-4 | 2-Critical | K90882247 | vCMP provisioning may cause continual tmm crash. |
| 394236-4 | 2-Critical | MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 - | |
| 514450-2 | 3-Major | VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs. | |
| 513294-1 | 3-Major | LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances | |
| 512485-2 | 3-Major | Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding | |
| 503604-2 | 3-Major | Tmm core when switching from interface tunnel to policy based tunnel | |
| 501953-1 | 3-Major | HA failsafe triggering on standby device does not clear next active for that device. | |
| 501371-2 | 3-Major | K39672730 | mcpd sometimes exits while doing a file sync operation |
| 500234-3 | 3-Major | TMM may core during failover due to invalid memory access in IPsec components | |
| 495526-2 | 3-Major | IPsec tunnel interface causes TMM core at times | |
| 494367-4 | 3-Major | HSB lockup after HiGig MAC reset | |
| 491791-2 | 3-Major | GET on non-existent pool members does not show error | |
| 489750-2 | 3-Major | K16696 | Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config |
| 488374-3 | 3-Major | K17019 | Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation |
| 484706-7 | 3-Major | K16460 | Incremental sync of iApp changes may fail |
| 477789-2 | 3-Major | SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN. | |
| 468235-3 | 3-Major | The worldwide City database (City2) does not contain all of the appropriate Proxy strings. | |
| 456573-5 | 3-Major | Sensor read faults with DC power supply | |
| 453489-3 | 3-Major | userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN | |
| 439343-9 | 3-Major | Client certificate SSL authentication unable to bind to LDAP server | |
| 420204-2 | 3-Major | FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long | |
| 509063-1 | 4-Minor | K17015 | Creating or loading guest on cluster with empty slot 1 can result in error |
| 493223-2 | 4-Minor | syscalld core dumps now keep more debugging information | |
| 441642-4 | 4-Minor | K16107 | /etc/monitors/monitors_logrotate.conf contains an error |
| 437637-2 | 4-Minor | Sensor critical alarm: Main board +0.9V_CN35XX | |
| 492422-3 | 5-Cosmetic | K24508323 | HTTP request logging reports incorrect response code |
| 456263 | 5-Cosmetic | Platform marketing name for B4300 is incorrectly shown as A108 | |
| 440605-4 | 5-Cosmetic | Unknown BigDB variable type 'port_list' |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 445329-2 | 1-Blocking | K17273 | DNS cache resolver connections can be slow to terminate |
| 507611-1 | 2-Critical | K17151 | On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors. |
| 506304-3 | 2-Critical | UDP connections may stall if initialization fails | |
| 505222-3 | 2-Critical | DTLS drops egress packets when traffic is sufficiently heavy. | |
| 504225-1 | 2-Critical | Virtual creation with the multicast IPv6 address returns error message | |
| 503620-2 | 2-Critical | ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later | |
| 495030-3 | 2-Critical | Segfault originating from flow_lookup_nexthop. | |
| 493558-3 | 2-Critical | K16206 | TMM core due to SACK hole value mismatch |
| 486450-5 | 2-Critical | iApp re-deployment causes mcpd on secondaries to restart | |
| 480370-7 | 2-Critical | K17147 | Connections to virtual servers with port-preserve property will cause connections to leak in TMM |
| 475460-6 | 2-Critical | K16581 | tmm can crash if a client-ssl profile is in use without a CRL |
| 474974-2 | 2-Critical | Fix ssl_profile nref counter problem. | |
| 474388-4 | 2-Critical | K16957 | TMM restart, SIGSEGV messages, and core |
| 456853-2 | 2-Critical | DTLS cannot handle client certificate when client does not send CertVerify message. | |
| 511130-2 | 3-Major | TMM core due to invalid memory access while handling CMP acknowledgement | |
| 510720-2 | 3-Major | K81614705 | iRule table command resumption can clear the header buffer before the HTTP command completes |
| 510264-2 | 3-Major | TMM core associated with smtps profile. | |
| 508716-3 | 3-Major | DNS cache resolver drops chunked TCP responses | |
| 506702-2 | 3-Major | TSO can cause rare TMM crash. | |
| 506282-5 | 3-Major | K16168 | GTM DNSSEC keys generation is not sychronized upon key creation |
| 505964-3 | 3-Major | Invalid http cookie handling can lead to TMM core | |
| 504633-7 | 3-Major | DTLS should not update 'expected next sequence number' when the record is bad. | |
| 504396-3 | 3-Major | When a virtual's ARP or ICMP is disabled, the wrong mac address is used | |
| 504306-7 | 3-Major | https monitors might fail to re-use SSL sessions. | |
| 503979-3 | 3-Major | High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server. | |
| 503741-14 | 3-Major | K16662 | DTLS session should not be closed when it receives a bad record. |
| 503118-1 | 3-Major | clientside and serverside command crashes TMM | |
| 502959-3 | 3-Major | Unable get response from virtual server after node flapping | |
| 502683-6 | 3-Major | Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on | |
| 502174-6 | 3-Major | DTLS fragments do not work for ClientHello message. | |
| 502149-2 | 3-Major | K06334742 | Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.' |
| 501690-7 | 3-Major | TMM crash in RESOLV::lookup for multi-RR TXT record | |
| 499950-6 | 3-Major | In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs | |
| 499946-2 | 3-Major | K16801 | Nitrox might report bad records on highly fragmented SSL records |
| 499430-6 | 3-Major | K16623 | Standby unit might bridge network ingress packets when bridge_in_standby is disabled |
| 499150-2 | 3-Major | K16721 | OneConnect does not reuse existing connections in VIP targeting VIP configuration |
| 497742-5 | 3-Major | Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address | |
| 495574-6 | 3-Major | K16111 | DB monitor functionality might cause memory issues |
| 495443-3 | 3-Major | ECDH negotiation failures logged as critical errors. | |
| 495253-5 | 3-Major | K16603 | TMM may core in low memory situations during SSL egress handling |
| 494322-5 | 3-Major | The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used | |
| 493673-5 | 3-Major | K12352524 | DNS record data may have domain names compressed when using iRules |
| 491518-5 | 3-Major | SSL persistence can prematurely terminate TCP connection | |
| 491454-8 | 3-Major | SSL negotiation may fail when SPDY profile is enabled | |
| 490713-5 | 3-Major | FTP port might occasionally be reused faster than expected | |
| 485472-4 | 3-Major | iRule virtual command allows for protocol mismatch, resulting in crash | |
| 485176-5 | 3-Major | K07324064 | RADIUS::avp replace command cores TMM when only two arguments are passed to it |
| 484305-5 | 3-Major | K16733 | Clientside or serverside command with parking command crashes TMM |
| 483539-6 | 3-Major | With fastL4, incorrect MSS value might be used if SYN has options without MSS specified | |
| 481844-4 | 3-Major | tmm can crash and/or use the wrong CRL in certain conditions | |
| 481216-5 | 3-Major | Fallback may be attempted incorrectly in an abort after an Early Server Response | |
| 478734-4 | 3-Major | Incorrect 'FIPS import for failed for key' failure when operation actually succeeds | |
| 471625-7 | 3-Major | After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM | |
| 471535-6 | 3-Major | TMM cores via assert during EPSV command | |
| 461587-6 | 3-Major | TCP connection can become stuck if client closes early | |
| 456763-2 | 3-Major | L4 forwarding and TSO can cause rare TMM outages | |
| 456413-4 | 3-Major | Persistence record marked expired though related connection is still active | |
| 455840-5 | 3-Major | EM analytic does not build SSL connection with discovered BIG-IP system | |
| 447272-4 | 3-Major | K17288 | Chassis with MCPD audit logging enabled will sync updates to device group state |
| 444710-8 | 3-Major | Out-of-order TCP packets may be dropped | |
| 438792-10 | 3-Major | Node flapping may, in rare cases, lead to inconsistent persistence behavior | |
| 435335-6 | 3-Major | K16038 | SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize |
| 428163-2 | 3-Major | Removing a DNS cache from configuration can cause TMM crash | |
| 415358-6 | 3-Major | Remote login shell hardening | |
| 384451-8 | 3-Major | Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions | |
| 498597-8 | 4-Minor | K16761 | SSL profile fails to initialize and might cause SSL operation issues |
| 459884-5 | 4-Minor | Large POST requests are not handled well by APM. | |
| 451224-2 | 4-Minor | IP packets that are fragmented by TMM, the fragments will have their DF bit | |
| 436468-2 | 4-Minor | DNS cache resolver TCP current connection stats not always decremented properly | |
| 442647-4 | 5-Cosmetic | K04311130 | IP::stats iRule command reports incorrect information past 2**31 bits |
| 435044-4 | 5-Cosmetic | K22006218 | Erroneous 'FIPS open failed' error on platforms without FIPS hardware |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 497619-7 | 3-Major | K16183 | TMM performance may be impacted when server node is flapping and persist is used |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 479142-8 | 3-Major | K16173 | Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD) |
| 475549-2 | 3-Major | Input handling error in GTM GUI | |
| 468519-6 | 3-Major | BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file. | |
| 420440-7 | 3-Major | K14413 | Multi-line TXT records truncated by ZoneRunner file import |
| 491554-5 | 4-Minor | K54162409 | [big3d] Possible memory leakage for auto-discovery error events. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 464735-1 | 2-Critical | Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy | |
| 509968 | 3-Major | BD crash when a specific configuration change happens | |
| 501612-5 | 3-Major | Spurious Configuration Synchronizations | |
| 485764-4 | 3-Major | K17401 | WhiteHat vulnerability assessment tool is configured but integration does not work correctly |
| 482915-7 | 3-Major | K17510 | Learning suggestion for the maximum headers check violation appears only for blocked requests |
| 475819-6 | 3-Major | K17325 | BD crash when trying to report attack signatures |
| 442157-2 | 3-Major | Incorrect assignment of ASM policy to virtual server | |
| 512687-2 | 4-Minor | Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 441214-3 | 2-Critical | K17353 | monpd core dumps in case of MySQL crash |
| 497681-3 | 3-Major | Tuning of Application DoS URL qualification criteria | |
| 479334-4 | 3-Major | monpd/ltm log errors after Hotfix is applied | |
| 439514-6 | 4-Minor | Different time-stamps are translated to the same time (due to DST clock change) and causes database errors |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 488986-13 | 1-Blocking | K16582 | Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client. |
| 507782-6 | 2-Critical | TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data | |
| 506235-4 | 2-Critical | TMM Crash | |
| 505101-4 | 2-Critical | tmm may panic due to accessing uninitialized memory | |
| 495901-4 | 2-Critical | Tunnel Server crash if probed on loopback listener. | |
| 494098-9 | 2-Critical | K16857 | PAC file download mechanism race condition |
| 493360-4 | 2-Critical | Fixed possible issue causing Edge Client to crash during reconnect | |
| 489328-8 | 2-Critical | When BIG-IP virtual accessed with multiple tabs with long initial URLs before session creation can cause TMM crash. | |
| 484454-7 | 2-Critical | K16669 | Users not able to log on after failover |
| 441790 | 2-Critical | Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms | |
| 511893 | 3-Major | Client connection timeout after clicking Log In to Access Policy Manager on a Chassis | |
| 509956-5 | 3-Major | Improved handling of cookie values inside SWG blocked page. | |
| 509758-3 | 3-Major | EdgeClient shows incorrect warning message about session expiration | |
| 508719-7 | 3-Major | K22391125 | APM logon page missing title |
| 508630-3 | 3-Major | The APM client does not clean up DNS search suffixes correctly in some cases | |
| 507318-2 | 3-Major | JS error when sending message from DWA new message form using Chrome | |
| 506349-5 | 3-Major | BIG-IP Edge Client for Mac identified as browser by APM in some cases | |
| 504606-6 | 3-Major | Session check interval now has minimum value | |
| 503319-5 | 3-Major | K16901 | After network access is established browser sometimes receives truncated proxy.pac file |
| 502441-7 | 3-Major | Network Access connection might reset for large proxy.pac files. | |
| 501498-4 | 3-Major | APM CTU doesn't pick up logs for Machine Certificate Service | |
| 499620-8 | 3-Major | BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated. | |
| 499427-4 | 3-Major | Windows File Check does not work if the filename starts with an ampersand | |
| 498469-8 | 3-Major | Mac Edge Client fails intermittently with machine certificate inspection | |
| 497436-3 | 3-Major | Mac Edge Client behaves erratically while establishing network access connection | |
| 497325-5 | 3-Major | K16643 | New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment |
| 496817-7 | 3-Major | Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy | |
| 495319-9 | 3-Major | Connecting to FP with APM edge client is causing corporate network to be inaccessible | |
| 495265-6 | 3-Major | SAML IdP and SP configured in same access profile not supported | |
| 494637-6 | 3-Major | K80550446 | localdbmgr process in constant restart/core loop |
| 494284-10 | 3-Major | K16624 | Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status. |
| 494176-1 | 3-Major | Network access to FP does not work on Yosemite using APM Mac Edge Client. | |
| 494088-5 | 3-Major | APD or APMD should not assert when it can do more by logging error message before exiting. | |
| 494008-4 | 3-Major | tmm crash while initializing the URL filter context for SWG. | |
| 493487-5 | 3-Major | K45558362 | Function::call() and Function::apply() wrapping does not work as expected |
| 493164-4 | 3-Major | K62553244 | flash.net.NetConnection::connect() has an erroneous security check |
| 492238-9 | 3-Major | K16848 | When logging out of Office 365 TMM may restart |
| 492153-7 | 3-Major | K17055 | Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated. |
| 491233-9 | 3-Major | K16105 | Rare deadlock in CustomDialer component |
| 490844-2 | 3-Major | K50522620 | Some controls on a web page might stop working. |
| 490681-5 | 3-Major | K17470 | Memcache entry for dynamic user leaks |
| 490675-5 | 3-Major | K16855 | User name with leading or trailing spaces creates problems. |
| 489382-8 | 3-Major | Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert | |
| 488892-4 | 3-Major | JavaRDP client disconnects | |
| 486597-7 | 3-Major | Fixed Network Access renegotiation procedure | |
| 486268-7 | 3-Major | APM logon page missing title | |
| 485355-4 | 3-Major | Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace) | |
| 484847-13 | 3-Major | DTLS cannot be disabled on Edge Client for troubleshooting purposes | |
| 484582-3 | 3-Major | APM Portal Access is inaccessible. | |
| 483601-4 | 3-Major | K16895 | APM sends a logout Bookmarked Access whitelist URL when session is expired. |
| 480817-4 | 3-Major | Added options to troubleshoot client by disabling specific features | |
| 480242-7 | 3-Major | APD, APMD, MCPD communication error failure now reported with error code | |
| 477898-2 | 3-Major | Some strings on BIG-IP APM EDGE Client User Interface were not localized | |
| 477795-4 | 3-Major | SSL profile passphrase may be displayed in clear text on the Dashboard | |
| 476038-9 | 3-Major | Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name | |
| 476032-6 | 3-Major | BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server | |
| 475735-2 | 3-Major | K30145457 | Failed to load config after removing peer from sync-only group |
| 475505-8 | 3-Major | Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system. | |
| 474582-2 | 3-Major | Add timestamps to logstatd logs for Policy Sync | |
| 473386-13 | 3-Major | K17540 | Improved Machine Certificate Checker matching criteria for FQDN case |
| 473129-6 | 3-Major | K15943 | httpd_apm access_log remains empty after log rotation |
| 470205-4 | 3-Major | /config/.../policy_sync_d Directory Is 100% Full | |
| 469824-9 | 3-Major | Mac Edge client on Mac mini receives settings for iOS Edge Client | |
| 468395-2 | 3-Major | K63044556 | IPv4 Allocation failure ... is out of addresses |
| 458770-4 | 3-Major | [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction | |
| 456608-5 | 3-Major | Direct links for frame content, with 'Frame.src = url' | |
| 453455-9 | 3-Major | Added support of SAML Single Logout to Edgeclient. | |
| 452464-6 | 3-Major | K28271912 | iClient does not handle multiple messages in one payload. |
| 452416-6 | 3-Major | tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values | |
| 452010-4 | 3-Major | K16609 | RADIUS Authentication fails when username or password contain non-ASCII characters |
| 442698-9 | 3-Major | APD Active Directory module memory leak in exception | |
| 437743-8 | 3-Major | Import of Access Profile config that contains ssl-cert is failing | |
| 436201-15 | 3-Major | JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11 | |
| 432900-12 | 3-Major | APM configurations can fail to load on newly-installed systems★ | |
| 431149-8 | 3-Major | K17217 | APM config snapshot disappears and users see "Access Policy configuration has changed on gateway" |
| 428387-9 | 3-Major | SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",') | |
| 403991-9 | 3-Major | Proxy.pac file larger than 32 KB is not supported | |
| 489364-6 | 4-Minor | Now web VPN client correctly minimizes IE window to tray | |
| 482134-6 | 4-Minor | APD and APMD cores during shutdown. | |
| 465012-5 | 4-Minor | Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access | |
| 464992-8 | 4-Minor | Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria | |
| 461597-10 | 4-Minor | MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate | |
| 461560-6 | 4-Minor | Edge client CTU report does not contain interface MTU value | |
| 460427-6 | 4-Minor | Address collision reported when the Primary blade goes down or its TMM crashes in an Chassis IntraCluster environment. | |
| 451118-8 | 4-Minor | Fixed mistakes in French localization | |
| 449525-1 | 4-Minor | apd and apmd constantly restarting | |
| 432423-8 | 4-Minor | Need proactive alerts for APM license usage | |
| 493385-9 | 5-Cosmetic | BIG-IP Edge Client uses generic icon set even if F5 icon set is configured | |
| 486344-4 | 5-Cosmetic | French translation does not properly fit buttons in BIG-IP Edge client on Windows |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 486346-2 | 2-Critical | Prevent wamd shutdown cores | |
| 488917-1 | 4-Minor | Potentially confusing wamd shutdown error messages |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 485182-4 | 3-Major | K19303084 | wom_verify_config does not recognize iSession profile in /Common sub-partition |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 503676-5 | 2-Critical | SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events | |
| 500365-5 | 2-Critical | TMM Core as SIP hudnode leaks | |
| 482436-9 | 2-Critical | K16973 | BIG-IP processing of invalid SIP request may result in high CPU utilization |
| 466761-5 | 2-Critical | Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss. | |
| 455006-6 | 2-Critical | K50532341 | Invalid data is merged with next valid SIP message causing SIP connection failures |
| 507143-2 | 3-Major | K17071 | Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion |
| 472092-6 | 3-Major | ICAP loses payload at start of request in response to long execution time of iRule | |
| 464116-5 | 3-Major | HTTP responses are not cached when response-adapt is applied |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 512609-2 | 2-Critical | Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses | |
| 478470 | 4-Minor | AFM Online Help updated: DoS Detection Threshold Percentage |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 484278-3 | 2-Critical | K16734 | BIG-IP crash when processing packet and running iRule at the same time |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 493807-4 | 2-Critical | K15989 | TMM might crash when using PPTP with profile logging enabled |
| 487660-1 | 3-Major | K16268 | LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 462827-8 | 1-Blocking | K16634 | Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id |
| 463380-4 | 3-Major | K16693 | URIs with space characters may not work properly in ODATA query |
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 496849-2 | CVE-2014-9326 | K16090 | F5 website update retrievals vulnerability |
| 477274-12 | CVE-2014-6031 | K16196 | Buffer Overflow in MCPQ |
| 496845-2 | CVE-2014-9342 | K15933 | NTP vulnerability CVE-2014-9296 |
| 477278-11 | CVE-2014-6032 | K15605 | XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033 |
| 468345-2 | CVE-2015-1050 | K16081 | Blocking page with harmful JavaScript can be run by system administrator |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 382157-2 | 3-Major | K17163 | Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 498704-1 | 2-Critical | Module provisioning doesn't properly account for disk space | |
| 487567-3 | 2-Critical | Addition of a DoS Profile Along with a Required Profile May Fail | |
| 472202-2 | 2-Critical | Potential false positive report of DMA RX lockup failure | |
| 507461-2 | 3-Major | Net cos config may not persist on HA unit following staggered restart of both HA pairs. | |
| 504572-3 | 3-Major | K30038035 | PVA accelerated 3WHS packets are sent in wrong hardware COS queue |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 509310-1 | 2-Critical | Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances | |
| 498005-1 | 2-Critical | The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event | |
| 506290-3 | 3-Major | MPI redirected traffic should be sent to HSB ring1 | |
| 505452-1 | 3-Major | New db variable to control packet priority for TMM generated packets | |
| 505056-3 | 3-Major | BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow. | |
| 496588-2 | 3-Major | HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 489259-2 | 2-Critical | [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic | |
| 496998-2 | 3-Major | Update offenders more aggressively. Increase batch size for Dwbld processing. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 510287 | 1-Blocking | Create ASM security policy by BIG-IQ | |
| 509663 | 1-Blocking | ASM restarts periodically with errors in asm_config_server.log: ASM Config server died unexpectedly | |
| 508908-2 | 2-Critical | Enforcer crash | |
| 507919-2 | 2-Critical | Updating ASM through iControl REST does not affect CMI sync state | |
| 504182-2 | 2-Critical | Enforcer cores after upgrade upon the first request★ | |
| 498361 | 2-Critical | Manage ASM security policies from BIG-IQ | |
| 493401-3 | 2-Critical | Concurrent REST calls on a single endpoint may fail | |
| 489705-3 | 2-Critical | K16245 | Running out of memory while parsing large XML SOAP requests |
| 481476-10 | 2-Critical | MySQL performance | |
| 468387-2 | 2-Critical | Enforcer core related to specific error condition in the session db | |
| 511477 | 3-Major | Manage ASM security policies from BIG-IQ | |
| 511029 | 3-Major | "selfLink" for ASM Policy was incorrect for iControl REST | |
| 510818 | 3-Major | Manage ASM security policies from BIG-IQ | |
| 508519-1 | 3-Major | Performance of Policy List screen | |
| 508338-2 | 3-Major | Under rare conditions cookies are enforced as base64 instead of clear text | |
| 507905-1 | 3-Major | Saving Policy History during UCS load causes db deadlock/timeout★ | |
| 507289-1 | 3-Major | User interface performance of Web Application Security Editor users | |
| 506386-1 | 3-Major | Automatic ASM sync group remains stuck in init state when configured from tmsh | |
| 506355-2 | 3-Major | Importing an XML file without defined entity sections | |
| 504973-2 | 3-Major | Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead | |
| 497769-2 | 3-Major | Policy Export: BIG-IP does not export redirect URL for 'Login Response Page' | |
| 496565-2 | 3-Major | Secondary Blades Request a Sync | |
| 496011-2 | 3-Major | K17385 | Resets when session awareness enabled |
| 490284-6 | 3-Major | K17383 | ASM user interface extremely slow to respond (e.g., longer that 2 minutes to render policy list) |
| 469786-2 | 3-Major | K04393808 | Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule |
| 465181-4 | 3-Major | Unhandled connection error in iprepd causes memory leak in iprepd or merged | |
| 510828 | 5-Cosmetic | Manage ASM security policies from BIG-IQ |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 461715-2 | 2-Critical | AVR: Collecting geolocation IDs | |
| 503471-2 | 3-Major | K17395 | Memory leak can occur when there is a compressed response, and abnormal termination of the connection |
| 500034-2 | 3-Major | [SMTP Configuration] Encrypted password not shown in GUI | |
| 489682-4 | 3-Major | K40339022 | Configuration upgrade failure due to change in an ASM predefined report name★ |
| 468874-1 | 3-Major | K17456 | Monpd errors appear when AVR loads data to MySQL |
| 467945-4 | 3-Major | Error messages in AVR monpd log |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 497662-4 | 1-Blocking | BIG-IP DoS via buffer overflow in rrdstats | |
| 431980-2 | 2-Critical | K17310 | SWG Reports: Overview and Reports do not show correct data. |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 514651 | 2-Critical | db variable to disable rate-tracker | |
| 514266 | 2-Critical | Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash | |
| 513403-3 | 2-Critical | K16490 | TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration. |
| 510162 | 2-Critical | potential TMM crash when AFM DoS Sweep & Flood is configured | |
| 503541-3 | 2-Critical | Use 64 bit instead of 10 bit for Rate Tracker library hashing. | |
| 501480-2 | 2-Critical | AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic. | |
| 500925-2 | 2-Critical | Introduce a new sys db variable to control number of merges per second of Rate Tracker library. | |
| 498227 | 2-Critical | Incorrect AFM firewall rule counter update after pktclass-daemon restarts. | |
| 497342-2 | 2-Critical | TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule. | |
| 489845-1 | 2-Critical | Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules | |
| 511406 | 3-Major | K16421 | Pagination issue on firewall policy rules page |
| 510224-1 | 3-Major | All descriptions for address-list members are flushed after the address-list was updated | |
| 506452-1 | 3-Major | Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1 | |
| 505624-2 | 3-Major | Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration | |
| 504384-3 | 3-Major | ICMP attack thresholds | |
| 503085-2 | 3-Major | Make the RateTracker threshold a constant | |
| 502414-3 | 3-Major | Make the RateTracker tier3 initialization number less variant. | |
| 501986-2 | 3-Major | Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process | |
| 500640-2 | 3-Major | K21264026 | TMM core might occur if FLOW_INIT iRule attached to Virtual server |
| 497732 | 3-Major | Enabling specific logging may trigger other unrelated events to be logged. | |
| 497667 | 3-Major | Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error | |
| 497263-2 | 3-Major | Global whitelist count exhausted prematurely | |
| 496278 | 3-Major | K16294 | Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name |
| 495928-4 | 3-Major | APM RDP connection gets dropped on AFM firewall policy change | |
| 495698 | 3-Major | iRule can be deleted even though it exists in a rule-list | |
| 495390-2 | 3-Major | An error occurs on Active Rules page after attempting to reorder Rules in a Policy | |
| 485771-2 | 3-Major | TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort. | |
| 469297-2 | 3-Major | Address list summary page does not display the description for individual address list entries. | |
| 465229-1 | 3-Major | Fix for Policy Rule Names Displaying Distorted in Rare Conditions | |
| 464972-2 | 3-Major | Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses. | |
| 464966-1 | 3-Major | Active Rule page may display incorrectly if showing multiple rules and at least one rule list | |
| 464762-1 | 3-Major | Rule lists may not display schedules for rules that have them | |
| 464222-1 | 3-Major | Policy Rule Missing from TMSH Overlapping Status Output | |
| 458810-1 | 3-Major | Time field may not display correctly in log search function | |
| 445984-1 | 3-Major | Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1" | |
| 438773-1 | 3-Major | Network Firewall event logs page pops up date/time picker automatically during drag-and-drop | |
| 506470 | 4-Minor | Reduce pccd OOM probability with port expansion change | |
| 497311-1 | 4-Minor | Can't add a ICMPv6 type and code to a FW rule. | |
| 473589-1 | 4-Minor | Error at attempt to add GeoIP with parentheses. |
Cumulative fix details for BIG-IP v11.5.7 that are included in this release
721895-3 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.
Fix:
This version adds a db variable for the big3d
big3d.minimumtlsversion. By default the value is 'TLSV1.0'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
716992-5 : The ASM bd process may crash
Component: Application Security Manager
Symptoms:
Under certain conditions, when processing CSRF protections, the bd process may crash.
Conditions:
ASM is enabled
CSRF is configured
Impact:
The BIG-IP ASM system fails to process traffic temporarily while the bd process restarts.
Workaround:
N/A
Fix:
The bd process will now handle CSRF protections as expected.
716922-6 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Mote: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
715923-4 : When processing TLS traffic TMM may reset connections
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may reset TLS connections with a BAD_RECORD_MAC alert.
Conditions:
TLS profile active.
Impact:
BIG-IP sends a BAD_RECORD_MAC alert and terminates the SSL connection.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
713951-1 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
711281-1 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
710314-4 : TMM may crash while processing HTML traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing HTML traffic
Conditions:
HTML profile enabled
Impact:
TMM may crash, leading to a failover event
Fix:
TMM now processes HTML traffic as expected
710148-6 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
708653-5 : TMM may crash while processing TCP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TCP traffic
Conditions:
TCP profile enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM processes TCP traffic as expected
708249-6 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
707226-4 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
706304-1 : ASU and other Update Check services overload F5 download server
Component: Application Security Manager
Symptoms:
ASM Signature Update (ASU) and other Update Check services may fail due to an overload on the F5 download server.
Conditions:
-- Automatic update attempt is initiated during specified schedule.
-- F5 download server is overloaded by Update attempts.
Impact:
ASU and other Update Check services fail.
Workaround:
To work around this issue, run manual updates instead.
To prevent this issue, change the time of the daily job run. To do so, follow these steps:
1. Open the cron job text file.
# vi /etc/crontab
2. Change this line as follows:
From: 02 4 * * * root run-parts /etc/cron.daily
To: 10 4 * * * root run-parts /etc/cron.daily
3. Save the changes, and quit vi.
This will change the automatic updates to run at 4:10 rather than 4:02.
Fix:
ASU and other Update Check services now stagger download attempts to prevent F5 download server overload.
705476-6 : Appliance Mode does not follow design best practices
Component: TMOS
Symptoms:
Appliance Mode does not follow design best practices
Conditions:
Appliance Mode does not follow design best practices
Impact:
Appliance Mode does not follow design best practices
Fix:
Appliance Mode now follows design best practices
704490-2 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483-2 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
702490-6 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
Windows Credential Reuse feature may not work requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).
The logterminal.txt file contains messages similar to the following:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.
Workaround:
There is no workaround at this time.
Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
699803 : TMM may crash while processing IPv6 traffic
Solution Article: K77671456
699455-1 : SAML export does not follow best practices
Solution Article: K50254952
697303-5 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
696265-1 : BD crash
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696049-5 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Solution Article: K55660303
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695901-4 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
695878-1 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on the violation in blocking 'Request exceed max buffer size'.
Fix:
The operation now looks into part of the payload for the attack signatures enforcement.
694922-1 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694901 : CVE-2015-8710: Libxml2 Vulnerability
Solution Article: K45439210
693744-1 : High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests
Component: TMOS
Symptoms:
vCMP Guests restart or go offline.
Conditions:
In vCMP mode, when the TMM on the host uses too much CPU.
Impact:
vCMP Guests restart or go offline.
Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:
# echo "realtime yield 3" > /config/tmm_init.tcl
# bigstart restart tmm
(This setting must be performed individually on all blades.)
Fix:
The TMM will not use as much CPU and allow vCMP guests to function properly.
693739-4 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
692369-1 : TMM crash caused by SSOv2 form based due to null config
Component: Access Policy Manager
Symptoms:
Service outage because of tmm restart.
Conditions:
When SSO V2 client initiated is configured and user sending a small POST request with a small payload (< 4K)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
691806-5 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
691670-1 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash or False reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
689826-4 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network access resource name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
688625-4 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
687193-2 : TMM may leak memory when processing SSL Forward Proxy traffic
Solution Article: K45325728
686305-4 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
685615-1 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
source-mac-address for host traffic is correctly set.
685207-4 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.
Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
684937-4 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.
684879-4 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
683241-5 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683113-4 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system response can rate drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682682-4 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
681710-6 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
680755-3 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
679603-4 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679235-3 : Inspection Host NPAPI Plugin for Safari can not be installed
Component: Access Policy Manager
Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
678976-4 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
677525-4 : Translucent VLAN group may use unexpected source MAC address
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.
677088-6 : Qkview does not follow current best practices
Component: TMOS
Symptoms:
Qkview does not follow current best practices
Conditions:
Authenticated administrative user initiates a Qkview
Impact:
Qkview output not processed as expected
Fix:
Qkview now follows current best practices
676457-1 : TMM may consume excessive resource when processing compressed data
Solution Article: K52167636
676355-4 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.
674486-2 : Expat Vulnerability: CVE-2017-9233
Component: TMOS
Symptoms:
An infinite loop vulnerability due to malformed XML in external entity was found in entityValueInitProcessor function affecting versions of Expat 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.
Fix:
Expat updated to v2.2.0 or later
674320-4 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
674189-5 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
673165-3 : CVE-2017-7895: Linux Kernel Vulnerability
Solution Article: K15004519
672988-4 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672480-1 : WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO
Component: Access Policy Manager
Symptoms:
HTTP requests that are being processed by Kerberos SSO never leaves APM, and connections simply time out.
Conditions:
There is an issue in MIT krb5 library for calculating wait time for responses from KDC, which ends up with a negative value. This translates to infinite timeout by poll() syscall. At the same time, if all Kerberos requests to KDC are dropped (e.g., by a misconfigured firewall), Kerberos SSO never receives the responses, and Kerberos SSO never gives up on waiting for the KDC response (this is an issue in the library).
Impact:
A deadlock occurs within the Kerberos SSO. Eventually there will be a global deadlock, which causes this particular WebSSO process to be completely unresponsive for Kerberos SSO functionality. APM end users cannot access the backend.
Workaround:
For this issue to have a real impact, there must be an unresponded-to Kerberos request. To eliminate this possibility, make sure there is no firewall blockage, incorrect routing, etc., so that WebSSO always receives responses, even negative ones.
Note: WebSSO will never use infinite timeout when waiting for Kerberos responses, so even if a firewall blocks the Kerberos request, although Kerberos SSO does not function, it does not cause global unresponsiveness from the WebSSO process.
671497-3 : TSIG authentication bypass in AXFR requests
Solution Article: K59448931
670822-5 : TMM may crash when processing SOCKS data
Solution Article: K55225440
670804 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.
667278-6 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
Fix:
Config-Sync and device discovery operations no longer fail.
666454-4 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.
Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
664769-3 : TMM may restart when using SOCKS profile and an iRule
Component: Local Traffic Manager
Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.
Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.
Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.
Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.
663924-4 : Qkview archives includes Kerberos keytab files
Component: TMOS
Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.
Conditions:
APM provisioned with Kerberos authentication.
Impact:
Private security key exposure.
Workaround:
There is no workaround.
Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.
663310-1 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.
Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".
On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".
662881-4 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
662850-4 : Expat XML library vulnerability CVE-2015-2716
Solution Article: K50459349
662663-5 : Decryption failure Nitrox platforms in vCMP mode
Solution Article: K52521791
660239-4 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see such errors in the http error logs
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
659899-4 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.
658214-4 : TCP connection fail intermittently for mirrored fastl4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.
Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.
657961 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown
Solution Article: K44031930
Component: Global Traffic Manager (DNS)
Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.
Conditions:
There must be a pool in the selected list, that pool must be highlighted when the edit button is clicked.
Impact:
The edit button does not work as intended.
Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.
Fix:
Fixed issue that caused the edit button on the Wide IP create page to not place the pool name back into the select dropdown.
656902 : Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile
Component: Local Traffic Manager
Symptoms:
During the upgrade to 11.5.4 HF3, the upgrade will remove the DHE-DSS from cipher suite, which will cause the cipher suites configured beginning with the characters '@', '+', '-', or '!' will be removed from the configuration.
Conditions:
clientssl/serverssl profile ciphers configuration contains keywords beginning with the characters '@', '+', '-', or '!'.
Impact:
Cipher suites are configured using keywords such as AES, AES-GCM, !DES, -ADH, @STRENGTH, etc. The issue causes keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration.
For example, if the cipher suite configuration before installing 11.5.4 HF3 was: 'NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA'
After installing 11.5.4 HF3 it would be reduced to: 'NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES'
Workaround:
Manually restore the clientssl/serverssl profile cipher configuration.
Fix:
Fixed an issue that causes the cipher suites configured beginning with the characters '@', '+', '-', or '!' to be removed from the configuration on upgrade.
655756 : TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
Component: Local Traffic Manager
Symptoms:
TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
Conditions:
-- TMOS v11.5.4 HF3.
-- SSL profile active.
-- BIG-IP 2000/4000 platform.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The cause of the crash was identified and removed.
655649-5 : BGP last update timer incorrectly resets to 0
Solution Article: K88627152
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.
Output from 'sh ip route':
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
[20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
[20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
[20/0] via 10.10.1.6, eno33554952, 00:00:00
Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.
Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
None.
Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.
655059-1 : TMM Crash
Solution Article: K37404773
655021-4 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
654599-3 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
653993-1 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653880-2 : Kernel Vulnerability: CVE-2017-6214
Solution Article: K81211720
652516-2 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
651772-6 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.
Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.
Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.
Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.
649933-5 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
649907-4 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-4 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
648865-3 : Linux kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648217-2 : CVE-2017-6074: Linux Kernel Vulnerability
Solution Article: K82508682
646643-4 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.
646604-4 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
645615-4 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
645589 : Password-less ssh access lost for non-admin users after tmsh load sys ucs
Component: TMOS
Symptoms:
During the load of ucs, the $HOME/.ssh/authorized_keys file is moved to /etc/ssh/<user> and then a symbolic link is pointed to that file in the $HOME/.ssh such that the ucs load modification of ownership won't break the password-less ssh access to the BIG-IP. The problem is that the /etc/ssh/<user> directory has no other-group read permissions and non-admin users can't read the file and hence the password-less access is denied and a password is requested.
Conditions:
Always happens as the permissions for /etc/ssh/<user> are 0700 (user read-write-execute only) and it is owned by root.
Impact:
Non-admin users lose password-less access to their BIG-IP after tmsh load sys ucs.
Workaround:
An admin user needs to manually change the permissions of the /etc/ssh and /etc/ssh/<user> permissions to be 0755.
A non-admin user has no such capability and thus has no workaround.
Fix:
By simply setting the umask to 0022 prior to the call to mkpath (with 0755 permissions) makes the /usr/local/bin/install_ucs.pm script behave as expected.
The override of the umask is then set back to previous value as to not affect the script elsewhere.
645179-4 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.
645101-3 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
644904-3 : tcpdump 4.9
Solution Article: K55129614
644693-6 : Fix for multiple CVE for openjdk-1.7.0
Solution Article: K15518610
644220-1 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.
644184-6 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
Fix:
ZebOS daemons no longer hangs while AgentX is waiting.
643375-3 : TMM may crash when processing compressed data
Solution Article: K10329515
643187-4 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
642330-4 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager (DNS)
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
642039-4 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.
Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.
641512-2 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).
Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.
641360-4 : SOCKS proxy protocol error
Solution Article: K30201296
641013-4 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.
Conditions:
Use forwarding virtual to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.
Workaround:
None.
Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.
639575-3 : Using libtar with files larger than 2 GB will create an unusable tarball
Solution Article: K63042400
Component: TMOS
Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.
Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.
Fix:
With the fix to 3rd party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.
638935-1 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.
638137-3 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
Solution Article: K51201255
637181-2 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
636702-1 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636700-2 : BIND vulnerability CVE-2016-9147
Solution Article: K02138183
636699-3 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
635933-2 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942
635412-1 : Invalid mss with fast flow forwarding and software syn cookies
Solution Article: K82851041
635314-3 : vim Vulnerability: CVE-2016-1248
Solution Article: K22183127
633723-1 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633691-2 : HTTP transaction may not finish gracefully due to TCP connection is closed by RST
Component: Local Traffic Manager
Symptoms:
HTTP or other higher layer protocol transactions may not finish gracefully due to TCP connection is closed by RST.
Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or other higher layer protocol has not finished the translations yet.
3. Client or Server sends out the TCP FIN packet.
Impact:
Application-level responses may not be received at all by the client.
Workaround:
No Workaround.
Fix:
TMM should try to use the TCP FIN to close the connection gracefully as much as possible instead of using RST which will abandon the data which has not been sent out to the wire.
633465-1 : Curl cannot be forced to use TLSv1.0 or TLSv1.1
Solution Article: K09748643
Component: TMOS
Symptoms:
Curl fails when connecting to server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options to the curl command are used.
Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 or v11.6.1 HF1.
Impact:
Curl will fail.
Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.
Fix:
Curl now honors the tlsv version flag, so the system correctly uses TLSv1.0, TLSv1.1, or TLSv1.2, as specified.
632798-3 : Double-free may occur if Access initialization fails
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.
632618 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
632423-1 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:
if { not [DNS::question type] ends_with "XFR" } {
set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.
631688-3 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631627-3 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.
Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.
Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.
Workaround:
Remove BWC from route domain and then reapply the BWC back.
Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.
631582-3 : Administrative interface enhancement
Solution Article: K55792317
631530 : TAI offset not adjusted immediately during leap second
Solution Article: K32246335
Component: TMOS
Symptoms:
When repeating a UTC time value during a leap second (when UTC time should be 23:59:60), the International Atomic Time (TAI) timescale should not stop, the kernel increments the TAI offset one second too late.
Conditions:
This occurs during an NTP leap second event, for example an event occurs on December 31, 2016, at 23:59:60 UTC
Impact:
Impact to applications unknown, system will stay stable and a timer may be fired off later than expected.
Workaround:
None.
Fix:
International Atomic Time (TAI) offset during leap second has been corrected.
631204-3 : GeoIP lookups incorrectly parse IP addresses
Solution Article: K23124150
631172-2 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Solution Article: K54071336
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
User logged in to gui and idle for 20-30 minutes
Impact:
User is logged out of the GUI.
Workaround:
None.
Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.
630475-3 : TMM Crash
Solution Article: K13421245
630446-3 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
629771 : the TCP::unused_port does erroneous accept IPV4_COMPAT addresses
Component: Local Traffic Manager
Symptoms:
when calling TCP::unused_port command with a tcl ip addr object which represents the IPv4 address as IPv4-Compatible IPv6 address,
the function searches for existing flows related to this address.
IPv4-Compatible IPv6 addresses are deprecated, the flow table uses IPv4-Mapped IPv6 address
Conditions:
the IP::Addr object has been crafted with the following command
[IP::addr <addr> mask ::ffff:ffff]
Impact:
The TCP::unused_port command is unable to return an unused port
Workaround:
use the string representation by forcing the object to be a string
e.g.
set ipv6_addr "fe80::250:56ff:0a1e:0101"
set ipv4_from_ipv6 [ string tolower [IP::addr $ipv6_addr mask ::ffff:ffff] ]
set free [TCP::unused_port $ipv4_from_ipv6 [TCP::local_port] 10.30.1.64 [TCP::client_port] 48000 48255]
Fix:
ID598860-5 fixes the IP::addr command to return IPV4 MAPPED addr
629530-8 : Under certain conditions, monitors do not time out.
Solution Article: K53675033
Component: Global Traffic Manager (DNS)
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
629033-1 : BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).
Component: Local Traffic Manager
Symptoms:
BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). Instead, the BIG-IP system is sending SHA1 signature algorithms in the Server Hello first.
Conditions:
clientside / Server Hello.
Impact:
Minimal. SHA1 algorithms are listed first and they should be last.
Workaround:
None.
Fix:
The system now reorders signature hash algorithms such that SHA1 is last.
628164-1 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
627907-4 : Improve cURL usage
Solution Article: K11464209
626360-4 : TMM may crash when processing HTTP2 traffic
Solution Article: K22541983
625824-4 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, that causes swap space to increase continuously and might lead to exhaustion of swap space
Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem
Impact:
iControlPortal.cgi memory increases
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl
625671-1 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provide incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver, will allow dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump handles non-standard resource record types.
625376-2 : In some cases, download of PAC file by edge client may fail
Component: Access Policy Manager
Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.
Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.
Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.
Workaround:
Use only lowercase characters in PAC file URI.
Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.
625372-1 : OpenSSL vulnerability CVE-2016-2179
Solution Article: K23512141
625198-4 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
All of the below are required to see this behavior:
DSACK is enabled
MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.
an iRule exists that changes any of the conditions above besides DSACK.
various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
624931 : getLopSensorData "sensor data reply too short" errors with FND300 DC PSU
Component: TMOS
Symptoms:
On a BIG-IP 2000-/4000-series or 5000-/7000-series appliances with FND300 DC power supplies running BIG-IP v11.5.4-HF2, errors similar to the following are logged every 30+ seconds:
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16d size: 39
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16e size: 39
In addition, the PSU status is reported as Not Present by the "tmsh show sys hardware" and "tmctl chassis_power_supply_status_stat" commands.
tmsh show sys hardware:
Chassis Power Supply Status
Index Status Current
1 not-present NA
2 not-present NA
tmctl chassis_power_supply_status_stat:
name index status input_status output_status fan_status current_status
==============================================================================
pwr1 1 2 2 2 2 0
pwr2 2 2 2 2 2 0
Totals 3 4 4 4 4 0
------------------------------------------------------------------------------
(Where a status value of 2 == Not Present)
Conditions:
This problem occurs when all of the following conditions are true:
1. BIG-IP 2000-/4000-series or 5000-/7000-series appliance
2. One or more FND300 DC power supplies installed
3. Running BIG-IP v11.5.4-HF2
Impact:
1. Errors logged every 30+ seconds
2. PSU status is reported as Not Present
Fix:
The status of FND300 DC power supplies is reported correctly on BIG-IP 2000-/4000-series and 5000-/7000-series appliances.
624903-2 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
Solution Article: K55102452
624692-1 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
Component: TMOS
Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.
Conditions:
Certificate with multi-byte encoded strings.
Impact:
Unable to view certificate list page or view certificate information via iControl/REST.
624570-4 : BIND vulnerability CVE-2016-8864
Solution Article: K35322517
624457-2 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Solution Article: K10558632
624263-1 : iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624193 : Topology load balancing not working as expected
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured to avoid the conditions which cause the condition.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
623930-1 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623119-3 : Linux kernel vulnerability CVE-2016-4470
Solution Article: K55672042
622856-2 : BIG-IP may enter SYN cookie mode later than expected
Component: Local Traffic Manager
Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.
Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.
Impact:
BIG-IP does not enter SYN cookie mode at the expected time.
Workaround:
Disable verified accept on all VIP TCP profiles.
Fix:
BIG-IP correctly enters SYN cookie mode when traffic pattern
dictates that it should.
622662-4 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
622496-3 : Linux kernel vulnerability CVE-2016-5829
Solution Article: K28056114
622178-4 : Improve flow handling when Autolasthop is disabled
Solution Article: K19361245
622166-1 : HTTP GET requests with HTTP::cookie iRule command receive no response
Component: Local Traffic Manager
Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.
Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.
Impact:
No response is received by the client.
Workaround:
None.
Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.
621935-4 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621465 : The minimum IP packet fragment size is now 1 and not 24
Component: Local Traffic Manager
Symptoms:
The minimum IP packet fragment size, set via DB Var [TM.MinIPfragSize], is 24 and that causes problems if you need to use smaller fragments in your network.
Conditions:
You are trying to configure TM.MinIPfragSize and need it to be set to a value smaller than 24.
Impact:
You are unable to configure fragment sizes smaller than 24 in your network.
Workaround:
NA
Fix:
Changed DB Var [TM.MinIPfragSize] minimum value from 24 to 1.
621452-4 : Connections can stall with TCP::collect iRule
Solution Article: K58146172
Component: Local Traffic Manager
Symptoms:
Connection does not complete.
Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
The Initial Sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than-or equal to 2^31.
Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.
Impact:
Connection fails.
Workaround:
There is no workaround at this time.
Fix:
The system no properly sets state variables associated with TCP::collect.
621417-2 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
Component: TMOS
Symptoms:
On a BIG-IP deployed in AWS cloud, sys-icheck reports size an md5 errors for /usr/share/defaults/BIG-IP_base.conf file as following:
ERROR: S.5...... c /usr/share/defaults/BIG-IP_base.conf (no backup)
Conditions:
BIG-IP deployed in AWS cloud.
Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/BIG-IP_base.conf. This doesn't have any functional impact on the product but looks like factory config file was modified incorrectly by a user/application.
Workaround:
No workaround exists for this issue.
Fix:
sys-icheck error for /usr/share/defaults/BIG-IP_base.conf in AWS.
621337-4 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Solution Article: K97285349
621314-1 : SCTP virtual server with mirroring may cause excessive memory use on standby device
Solution Article: K55358710
Component: TMOS
Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.
Conditions:
SCTP virtual server has mirroring enabled.
Impact:
TMMs will have high memory usage on standby device.
Workaround:
Disable mirroring on the SCTP virtual server.
Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.
621273-5 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621242-2 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
620829-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620712 : Added better search capabilities on the Pool Members Manage & Pool Create page.
Component: Global Traffic Manager (DNS)
Symptoms:
Large amount of virtual servers were hard to manage on the GSLB Pool Member Manage page.
Conditions:
Having large amount of virtual servers/wide ips
Impact:
Poor usability.
Workaround:
No workaround.
Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box to allow for better management of large amount of virtual servers.
Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of large amount of virtual servers.
620659-1 : The BIG-IP system may unecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.
619849-1 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
disable verify accept.
Fix:
the loop is fixed.
619757-4 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619398-3 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619071-1 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disabled verified accept when used with OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.
618905-2 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm core while installing Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618324-3 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening Access Policy in VPE if one of the opswat checker (e.g. Anti-Virus checker) contains an Undefined (i.e. previously defined but out of support) ID it will display as "Any." The correct display should be "Unsupported" or "Invalid" product.
Conditions:
Wrongful information displayed.
Impact:
Wrongful information displayed.
Workaround:
N/A
Fix:
Correct (*** Invalid ***) information displayed.
618261-4 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618258-4 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
617901-4 : GUI to handle file path manipulation to prevent GUI instability.
Solution Article: K00363258
617862-3 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration of any SYN retransmissions, etc., that might occur.
617824-1 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617628-3 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
617273-4 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
616864-4 : BIND vulnerability CVE-2016-2776
Solution Article: K18829561
616772-3 : CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15724
616765-3 : CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15147
616498-3 : CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15404
616491-3 : CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K6734
616382 : OpenSSL Vulnerability (TMM)
Solution Article: K93122894
616242-1 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Solution Article: K39944245
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
616215-1 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616169-1 : ASM Policy Export returns HTML error file
Component: Application Security Manager
Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.
Conditions:
It is not known what triggers this condition.
Impact:
Unable to export ASM Policies.
Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.
Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.
615934 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615695 : Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2
Component: Application Security Manager
Symptoms:
The following bugs were documented as fixed in BIG-IP v11.5.4-HF2:
ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd
However, the packages containing these fixes were not actually included in the BIG-IP v11.5.4-HF2 ISO.
Therefore, these bugs are not actually fixed in BIG-IP v11.5.4-HF2.
Conditions:
BIG-IP v11.5.4-HF2
Impact:
Referenced bugs are not actually fixed in BIG-IP v11.5.4-HF2.
Fix:
[BIG-IP v11.5.4 Hotfix Rollup containing this fix] includes the packages which contain the fixes for the following bugs:
ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd
615187 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to to GSLB virtual servers and servers on the pool member page were removed in 11.x.
Conditions:
Have a GSLB pool with pool members set up.
Impact:
Must manually note of the member's virtual or server.
Workaround:
Manually take note of virtual or server and search for it.
Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.
614865 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.
614675 : iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile
Component: TMOS
Symptoms:
iControl function "LocalLB::ProfileClientSSL::create_v2" creates a profile with two cert-key-chain objects containing identical cert and key but with different name:
ltm profile client-ssl my_prof {
app-service none
cert mycert.crt
cert-key-chain {
"" {
cert mycert.crt
key mycert.key
}
default_rsa_ckc {
cert mycert.crt
key mycert.key
}
}
chain none
inherit-certkeychain false
key mycert.key
passphrase none
}
Conditions:
When the user creates clientSSL profile using iControl function create_v2().
Impact:
Unable to add the invalid clientSSL profile to a virtual server.
Workaround:
Remove the invalid clientSSL profile and re-create the profile using TMSH or GUI.
Fix:
iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" no longer creates invalid profile when creating clientSSL profile using iControl function create_v2().
614441-1 : False Positive for illegal method (GET)
Solution Article: K04950182
Component: Application Security Manager
Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----
Conditions:
This was seen after upgrade and/or failover.
Impact:
-- False positives.
-- BD has the incorrect security configuration.
Workaround:
Run the following command: restart asm.
614147-4 : SOCKS proxy defect resolution
Solution Article: K02692210
614097-4 : HTTP Explicit proxy defect resolution
Solution Article: K02692210
613613 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application can not work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576-9 : QOS load balancing links display as gray
Component: Global Traffic Manager (DNS)
Symptoms:
All links in all data centers appear gray. After this patch all link appear to be green and the functional of load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all ilnks from configuration or install this hotfix.
613524-1 : TMM crash when call HTTP::respond twice in LB_FAILED
Component: Local Traffic Manager
Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- irule script must use a "delay" (parked) statement together with two HTTP::respond statements.
Conditions:
- LB_FAILED event must be triggered by good IP address and bad port so that the serverside connflow is establish. you will not see this bug if no pool member is used or invalid IP address is used.
- irule script must use a "delay" (parked) statement. the delay together with http response creates the right timing for the client side connflow to go away while proxy is pushing Abort event down to both clientside and serverside.
Impact:
Traffic disrupted while tmm restarts.
Fix:
This fix rectifies the problem.
613369-5 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable
Fix:
Properly acknowledge half-open TCP connections.
613225-4 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
613127-5 : Linux TCP Stack vulnerability CVE-2016-5696
Solution Article: K46514822
612721 : FIPS: .exp keys cannot be imported when the local source directory contains .key file
Component: TMOS
Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.
Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).
Impact:
Unable to import the FIPS key
Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.
612419-3 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612128-2 : OpenSSH vulnerability CVE-2016-6515
Solution Article: K31510510
611830 : TMM may crash when processing TCP traffic
Solution Article: K13053402
611704-1 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
Component: Local Traffic Manager
Symptoms:
A tmm crash was discovered during internal testing.
Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT
611469-6 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Solution Article: K95444512
611278-1 : Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered
Component: Local Traffic Manager
Symptoms:
On a BIG-IP system belonging to a Sync or Sync-Failover Device Group, you encounter intermittent Device Group errors during normal operation. This can include the device status flipping from Offline to In Sync, or actual sync errors on a manual or automatic config sync. You may also see iQuery errors in the logs of BIG-IP GTM systems.
Conditions:
This issue is known to occur on BIG-IP systems belonging to a Sync or Sync-Failover Device Group where the config sync VLAN cmp-hash mode is set to something other than default.
Impact:
Intermittent sync status or occasional config sync failures.
Workaround:
Ensure that the config sync IP is on a VLAN that has the cmp-hash mode set to default.
610609-4 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610582-8 : Device Guard prevents Edge Client connections
Component: Access Policy Manager
Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.
Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.
Impact:
Clients are unable to establish a VPN connection.
Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.
Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.
Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.
610429-2 : X509::cert_fields iRule command may memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
when HTTP_REQUEST {
if { [SSL::cert 0] ne "" } {
HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
} else {
HTTP::respond 200 content "no client cert (WRONG!)"
}
}
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields
610417-4 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
Solution Article: K54511423
Component: TMOS
Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also it will use the undesirable TLSv1 protocol instead of negotiating to the highest safest protocol available which is TLSv1.2
If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established
Conditions:
This exists when configuring devices in a device cluster.
Impact:
Unable to configure stronger ciphers for device trust.
If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.
Workaround:
None.
Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).
610354-3 : TMM crash on invalid memory access to loopback interface stats object
Component: TMOS
Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.
Conditions:
TMM drops packets on its internal loopback interfaces.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
610255-3 : CMI improvement
Solution Article: K62279530
610243-1 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
Component: Access Policy Manager
Symptoms:
HTML5 client can not be used to access the published applications or desktops.
HTML5 client access displays returns blank/black screen and displays "Can not connect to the server".
Conditions:
APM is configured Citrix Storefront integration mode. And in Storefront html5 client access is enabled.
Impact:
HTML5 client can not be used to access the published resources
Workaround:
None
Fix:
HTML5 client can be used to access the published resources.
610180-5 : SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO
Impact:
SSO plugin leaks memory
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing single-logout-uri' property of IdP connector object.
Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
609691-5 : GnuPG vulnerability CVE-2014-4617
Solution Article: K21284031
608551-2 : Half-closed congested SSL connections with unclean shutdown might stall.
Component: Local Traffic Manager
Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.
Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.
Impact:
Possible stalled flow.
Workaround:
Use SSL client that sends clean shutdown.
Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.
608320-2 : iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum , or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
608024-2 : Unnecessary DTLS retransmissions occur during handshake.
Component: Local Traffic Manager
Symptoms:
Unnecessary DTLS retransmissions occur during handshake.
Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.
Impact:
Possible DTLS handshake failure on VE platform.
Workaround:
None.
Fix:
This release fixes a possible failed DTLS handshake on VE platforms.
607304-1 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
606575-2 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
if { [HTTP::status] == 200 } { return }
if { [HTTP::status] == 401 } {
set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
# Connection-oriented auth. System should already be doing the right thing
unset auth_header
return
}
unset auth_header
}
catch { ONECONNECT::detach enable }
}.
Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
605865-1 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605661-1 : Update TZ data
Component: TMOS
Symptoms:
Prior to this update, the data files provided by the tzdata package reflected the Egyptian government's plan to transition to daylight saving time (DST) on July 7, but the Egyptian government canceled the planned transition. This update provides tzdata data files that reflect the change of plans, and will thus provide correct time zone information.
This update also includes a time zone transition for Asia/Novosibirsk from +06 to +07 on 2016-07-24 at 02:00.
Conditions:
Egyptian or Asia/Novosibirsk time zone active
Impact:
Timezone calculations do not reflect current standards
Fix:
Timezone data files updated to reflect current standards
605579-9 : iControl-SOAP expat client library is subjected to entropy attack
Solution Article: K65460334
605476 : statsd can core when reading corrupt stats files.
Component: TMOS
Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.
Conditions:
This issue occurs when the following condition is met:
The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.
Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.
Impact:
iStatsd process will restart due to resource exhaustion.
Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:
Impact of workaround: This workaround will cause all statistics in the iStats files to reset.
1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged.
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete.
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged.
Fix:
Added a fix to protect against a continually reading a segment file that is corrupted and has Duplicate Fids.
605270-3 : On some platforms the SYN-Cookie status report is not accurate
Component: TMOS
Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.
Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.
Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.
Workaround:
Upgrade with new fixes for this.
Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.
605039-1 : lwresd and bind vulnerability CVE-2016-2775
Solution Article: K92991044
604977-4 : Wrong alert when DTLS cookie size is 32
Solution Article: K08905542
Component: Local Traffic Manager
Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.
Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.
Impact:
DTLS with cookie size 32-byte fails.
Workaround:
None.
Fix:
DTLS now accepts cookies with a length of 32 bytes.
604880-1 : tmm assert "valid pcb" in tcp.c
Component: Local Traffic Manager
Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
604767-6 : Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.
Conditions:
BIG-IP is used as SAML SP.
Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.
Workaround:
Manually assign imported certificate as a 'idp-certificate' value of saml-idp-connector object.
604496-1 : SQL (Oracle) monitor daemon might hang.
Component: Local Traffic Manager
Symptoms:
SQL (Oracle) monitor daemon might hang with high monitoring load (hundreds of monitors). DBDaemon debug log contains messages indicating hung connection aborting and that the address in use, unable to connect.
Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgresSQL) monitors. Slow SQL responses might make the condition worse.
Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.
Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce frequency of monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.
Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.
604442-3 : iControl log
Solution Article: K12685114
604272-3 : SMTPS profile connections_current stat does not reflect actual connection count.
Component: Local Traffic Manager
Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.
Conditions:
This occurs if you have an SMTPS virtual server configured.
Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.
604237-1 : Vlan allowed mismatch found error in VCMP guest
Component: TMOS
Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "
Conditions:
When a VLAN exists in the vlan-allowed list contains a VLAN which matches the suffix of another VLAN in the list and both VLANs are configured on the VCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."
Impact:
Unable to use VLAN.
Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.
603945-3 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603758-4 : Big3D security hardening
Solution Article: K82038789
603723-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
None.
Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.
603667-1 : TMM may leak or corrupt memory when configuration changes occur with plugins in use
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.
Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.
Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.
Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).
Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.
603609-5 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".
Impact:
The policy does not match in this case.
Workaround:
The policy could be modified to scan the full URI instead of just the path element however care should be taken to correctly handle potential matches with absolute URIs or in the query string.
603606-1 : tmm core
Component: Local Traffic Manager
Symptoms:
A tmm core occurrs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
It is not known exactly what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
603598-1 : big3d memory under extreme load conditions
Component: Global Traffic Manager (DNS)
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.
When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue.
One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.
Thus the Pending queue might become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d,
the Active queue has 256 slots and
the Pending queue has 4096 slots.
In BIG-IP 11.1.0-hf3, the queue sizes were expanded to
2048 for the Active queue and 16384 for the Pending queue.
Since the queues were smaller n versions prior to
11.1.0-hf3, this leaks is more likely to manifest itself.
In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitors
settings are reasonable and that big3d is not overloaded.
This will minimize the chances that the Pending queue
does not become full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603550-4 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
Solution Article: K63164073
Component: Local Traffic Manager
Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.
As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.
-- Virtual stats 'Current SYN Cache' does not decrease.
Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and layer 7 profile (HTTP) syn flood to the virtual server).
Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.
Workaround:
None.
Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.
602749 : Memory exhaustion when asking for missing page of learning suggestion occurrences
Component: Application Security Manager
Symptoms:
High CPU Utilization: event code I706 Bypassing ASM
Conditions:
Open occurrences for some suggestion, there should be multiple pages, clear requests (on real machine that'll be because of traffic, but can be done directly in database by cleaning LRN_REQUESTS table), then change to the second page.
Impact:
memory exhaustion
Workaround:
None
601938-5 : MCPD stores certain data incorrectly
Solution Article: K52180214
601927-4 : Security hardening of control plane
Solution Article: K52180214
Component: TMOS
Symptoms:
File permissions changes needed as found by internal testing
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601709-4 : I2C error recovery for BIG-IP 4340N/4300 blades
Solution Article: K02314881
Component: TMOS
Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.
Conditions:
This rarely happens.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.
Workaround:
bigstart restart bcm56xxd
Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.
601527-1 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory lean in mcpd
601407 : Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards
Component: Access Policy Manager
Symptoms:
While adding a new account from Citrix Receiver, it does not prompt for the credentials
Conditions:
APM is in integration mode with Storefront or web interface and APM uses only pnagent protocol for the integration.
Impact:
Could not access the published applications.
Workaround:
None
Fix:
APM supports new user agent string from Citrix Receiver 4.3 onwards.
601268-2 : PHP vulnerability CVE-2016-5766
Solution Article: K43267483
600982-7 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
Component: Local Traffic Manager
Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.
Conditions:
No conditions to be set, however this is a very rare occurrence in which a random number generator can technically generate the number Zero ( 0 ) which would trigger this.
Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.
Workaround:
None.
Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.
600827-3 : Stuck Nitrox crypto queue can erroneously be reported
Solution Article: K21220807
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
None.
Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.
600662-5 : NAT64 vulnerability CVE-2016-5745
Solution Article: K64743453
600558-10 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600396-1 : iControl REST may return 404 for all requests in AWS
Component: TMOS
Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:
curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm
* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
"errorStack" : [
"com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
"at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
"at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
"at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
"at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
"at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
"at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
"at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
"at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
"at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
"at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
"at java.lang.Thread.run(Thread.java:722)\n"
],
"restOperationId" : 8827,
"code" : 404,
"referer" : "4.3.2.1",
"message" : "http://localhost:8100/mgmt/tm/ltm"
}
Conditions:
It is not known what triggers this, it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.
Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) will fail always until the BIG-IP is restarted.
Workaround:
Restart the BIG-IP.
600248-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600232-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600223-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600205-5 : OpenSSL Vulnerability: CVE-2016-2178
Solution Article: K53084033
600198-5 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
600116 : DNS resolution request may take a long time in some cases
Component: Access Policy Manager
Symptoms:
DNS resolution may appear slow in some cases
Conditions:
All of following conditions should be met
1) DNS Relay proxy is installed on user's machine
2) User's machine has multiple network adapters and some of them are in disconnected state.
Impact:
DNS resolution will be slow
Workaround:
Disable network adapters that are not connected.
Fix:
Now DNS Relay proxy server doesn't proxy DNS servers on non-connected interfaces. This fixes slow resolution DNS issue.
600069-4 : Portal Access: Requests handled incorrectly
Solution Article: K54358225
599536-5 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Solution Article: K05263202
599285-5 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Solution Article: K51390683
599191-1 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
Component: TMOS
Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.
Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync
Impact:
A stale key is left on the FIPS card. There is no impact to functionality.
Workaround:
Check for the handles/key-ids of the keys in configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>
599168-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598983-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598981-1 : APM ACL does not get enforced all the time under certain conditions
Solution Article: K06913155
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.
Fix:
Switching context when applying ACL is properly processed, and no longer cause ACL to be not enforced.
598874-1 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
Do not send anything in response to a SYN retransmission timeout.
598860-5 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
Component: Local Traffic Manager
Symptoms:
The IP::addr iRule can be used to translate an IPv6 address containing an IPv4 address, but instead it converts it into an IPv4 compatible IPv6 address.
Example:
ltm rule test_bug {
when CLIENT_DATA {
log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
}
Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1
Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1
Conditions:
using IP::addr to convert an IPv6 to an IPv4 address
Impact:
Address is converted into an IPv4-compatible IPv6 address.
598211-3 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
HTTP::path "/Citrix/$store_name/"
}
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598039-8 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
Stopped MCP leaking when wildcard queries are performed.
598002-4 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
597978-5 : GARPs may be transmitted by active going offline
Component: Local Traffic Manager
Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.
Conditions:
Multiple traffic-groups configured and active goes offline.
Impact:
It is not expected that this will cause any impact.
Workaround:
Make the unit standby before forcing offline.
597966-1 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure
Component: Local Traffic Manager
Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.
Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.
Workaround:
None.
Fix:
Management of nexthop object reference counting is more consistent.
597652-1 : CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match
Solution Article: K20225390
597431-6 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
EdgeClient doesn't cleanup routing table before windows goes to hibernate. This may result in establishment of VPN when computer wakes up. It may also result in other network connectivity issues
Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation
Impact:
Issues with Network connectivity
Workaround:
Renew DHCP lease by running
ipconfig/renew.
or
reboot the machine.
597429 : eam maintains lock on /var/log/apm.1 after logrotate
Component: Access Policy Manager
Symptoms:
/var/log fills up and eventually runs out of disk space. Old log files are not being deleted from the rotation, and they are locked and unable to be removed.
Conditions:
This occurs when eam is configured. eam provides external access management for 3rd party identity integration such as Oracle Access Manager (OAM) SSO.
Impact:
/var/log consumes an unusually high amount of disk space, and logrotate does not work correctly.
597394-5 : Improper handling of IP options
Solution Article: K46535047
597214-6 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
It is possible to use iRule to rename field names in original code.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
597089-3 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
It is not known all of the conditions that trigger this, but it is seen when using the fast L4 profile with pva-acceleration set to full.
Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.
Workaround:
Disabling the PVA resolves the issue.
597023-5 : NTP vulnerability CVE-2016-4954
Solution Article: K82644737
597010-5 : NTP vulnerability CVE-2016-4955
Solution Article: K03331206
596997-5 : NTP vulnerability CVE-2016-4956
Solution Article: K64505405
596814-2 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments where there are multiple coincidences for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address.
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.
Fix:
Failover now narrows network description by filtering with VPC id.
596603-5 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
Component: TMOS
Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.
Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.
Impact:
c4.8xlarge instance type are not supported for BIG-IP VE in AWS.
Workaround:
Choose c4.4xlarge or other instance types in AWS.
Fix:
Issue corrected so that BIG-IP VE will work with c4.8xlarge instance type AWS.
596488-5 : GraphicsMagick vulnerability CVE-2016-5118.
Solution Article: K82747025
596433-1 : Virtual with lasthop configured rejects request with no route to client.
Component: Local Traffic Manager
Symptoms:
Virtual with lasthop pool configured rejects requests which are sourced from MAC address which is not configured in the lasthop pool.
Conditions:
This issue occurs when the following conditions are meet:
- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.
Impact:
Connection is erroneously reset with no route to client.
Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add IP address for lasthop member which client is originating from to lasthop pool.
596340-4 : F5 TLS vulnerability CVE-2016-9244
Solution Article: K05121675
596134-1 : TMM core with PEM virtual server
Component: Policy Enforcement Manager
Symptoms:
TMM cores, this signature is contained in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010
Conditions:
A core may occur if a PEM virtual has a parked flow (through an iRule, persistence profile, or other mechanism), where an internal control event occurs while the flow is parked.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Check for the processing of a HUDCTL_ABORT message prior processing other HUD messages in PEM.
595874-3 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.
As a result of this issue, you may encounter the following symptom:
After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.
Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.
Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:
Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.
Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot
For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot
Verify the installation progress by typing the following command:
tmsh show sys software
Output appears similar to the following example:
Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct
Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.
595773-6 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
594496-4 : PHP Vulnerability CVE-2016-4539
Solution Article: K35240323
593447-3 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Solution Article: K92859602
593390-1 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
Component: Local Traffic Manager
Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.
Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.
Impact:
Higher memory usage than necessary.
Workaround:
Always have iRules select profiles using the complete path.
Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path prior to looking it up, so there is no potential of instantiating another version of the profile, so no memory issue occurs.
592871-1 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.
Conditions:
System with Cavium Nitrox PX/III chip(s) which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRIOn B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592869 : Syntax Error when reimporting exported content containing acl-order 0
Component: Access Policy Manager
Symptoms:
Syntax Error when reimporting exported content containing acl-order 0. The error message is similar to the following.
Syntax Error: ... 'acl-order' may not be specified more than once; Validating configuration...
Conditions:
Exported config has apm resource with acl-order 0.
Impact:
Unable to import exported .conf.tar.gz.
Workaround:
None.
Fix:
It is now possible to export and then import config that contains apm resource with acl-order 0.
592868-1 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.
Conditions:
HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.
Fix:
Now rewrite correctly handles HTML entities in attribute values.
592854-2 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592485-1 : Linux kernel vulnerability CVE-2015-5157
Solution Article: K17326
592414-3 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
591918-6 : ImageMagick vulnerability CVE-2016-3718
Solution Article: K61974123
591908-6 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
591894-6 : ImageMagick vulnerability CVE-2016-3715
Solution Article: K10550253
591881-5 : ImageMagick vulnerability CVE-2016-3716
Solution Article: K25102203
591828-3 : For unmatched connection, TCP RST may not be sent for data packet
Component: Advanced Firewall Manager
Symptoms:
When TCP connection times out (no entry in 'show sys conn'), and subsequent data packet comes in (not SYN), The BIG-IP system does not send a RST to the client to reset the connection.
Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).
-- Packets other than SYN with no entry in the connection table arrive.
This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.
Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.
Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.
Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).
Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.
591806-4 : ImageMagick vulnerability CVE-2016-3714
Solution Article: K03151140
591789 : IPv4 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.
Impact:
IPv4 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.
591767-4 : NTP vulnerability CVE-2016-1547
Solution Article: K11251130
591666-1 : TMM crash in DNS processing on TCP virtual with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
Product corrected to prevent crash when there are no available members.
591659-2 : Server shutdown is propagated to client after X-Cnection: close transformation.
Solution Article: K47203554
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591476-6 : Stuck crypto queue can erroneously be reported
Solution Article: K53220379
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.
Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:
tmsh modify sys db crypto.queue.timeout value 0
Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.
591455-3 : NTP vulnerability CVE-2016-2516
Solution Article: K24613253
591447-4 : PHP vulnerability CVE-2016-4070
Solution Article: K42065024
591438-3 : PHP vulnerability CVE-2015-8865
Solution Article: K54924436
591328-3 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591327-3 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591325-3 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Solution Article: K75152412
591117-2 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM send queries regarding assigned ACL information. If the reply message contains error message of out-of-memory, TMM was not handling this error message properly, and cause TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
When handling the error reply message of out-of-memory during ACL construction, TMM can handle it without causing TMM to crash.
591042-6 : OpenSSL vulnerabilities
Solution Article: K23230229
590820-5 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.
Impact:
Very low web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
590345-4 : ACCESS policy running iRule event agent intermittently hangs
Component: Access Policy Manager
Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.
Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.
Impact:
Policy execution intermittently hangs.
Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}
Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.
589856 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
Component: TMOS
Symptoms:
When 2 iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction id. This completely messes up both the client code execution.
Conditions:
Client requests to create transaction are close to each other in time.
Impact:
Transaction semantics are not followed, and unintended errors may occur
589400-5 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Component: Local Traffic Manager
Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.
Impact:
Additional connection latency.
Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.
If init-cwnd is low, raising it might also help.
Disabling abc can also reduce the problem, but might have other negative network implications.
Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.
589379-1 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
Solution Article: K20937139
Component: TMOS
Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.
Conditions:
OSPF using route health injection for default route.
Impact:
No functional impact. The extraneous LSA is immediately aged out.
Workaround:
Configure a static default route in imish instead of using RHI for the default route.
Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
589338-2 : Linux host may lose dynamic routes on secondary blades
Component: TMOS
Symptoms:
The Linux host residing on a secondary blade might lose dynamic routes previously learned via a dynamic routing protocol.
Conditions:
- Multibladed chassis or vCMP guest.
- Routes learned via dynamic routing.
- Restart of services or reboot of secondary blade.
Impact:
Routes on Linux host of secondary blade are lost. This might affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.
Workaround:
Modify the ZebOS maximum-paths setting on the primary blade to trigger a route update to the non-primary blades.
Add a custom alert to the user_alert.conf to auto-mitigate this issue whenever a blade joins the cluster.
# 11.5.x workaround for user_alert.conf
alert BLADE_JOINED_CLUSTER "010719fc:5: Mate cluster member (.*) turned Green." {
exec command="/usr/sbin/zebos -a cmd 'enable,conf t,maximum-paths 5,maximum-paths 4,exit,exit'"
}
Note: The Mate cluster log is not present in 11.6.x, so this an 11.5.x only workaround.
Fix:
This issue no longer occurs, so there is consistency among blades.
589298 : TMM crash with a core dump
Component: Application Security Manager
Symptoms:
TMM crash with a core dump
Conditions:
ASM provisioned
Session Awareness enabled
Mirroring is enabled
HA (CMI) setup
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
We've fixed the handling of Session Awareness in HA (CMI) setup to prevent TMM crashes
589256-4 : DNSSEC NSEC3 records with different type bitmap for same name.
Solution Article: K71283501
Component: Global Traffic Manager (DNS)
Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type of bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.
589039-3 : Clearing masquerade MAC results in unexpected link-local self IP addresses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system advertises fe80::200:ff:fe00:0 as a self IP address.
Conditions:
Masquerade MAC changes from non-zero to zero.
Impact:
This might cause IP address conflicts between devices in a high availability (HA) configuration.
Workaround:
Restart tmm after setting masquerade MAC to zero.
Fix:
The system does not advertise invalid self IP addresses on clearing masquerade MAC.
588572-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.
Component: Local Traffic Manager
Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.
Conditions:
ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG
Impact:
Burst traffic generated.
Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.
Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU) in the advanced TCP implementation.
588569-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
Component: Local Traffic Manager
Symptoms:
TCP segment size is 40 bytes less.
Conditions:
ICMP implementation using Path MTU (PMTU). User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG
Impact:
The impact of this issue is less data per TCP segment.
Workaround:
Disable Path MTU Discovery by doing the following,
"tmsh modify sys db tm.enforcepathmtu value disable"
Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU in the advanced TCP implementation.
588351-3 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588115-4 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
587966-5 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Solution Article: K77283304
Component: Local Traffic Manager
Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
A Type DNS Query dropped intermittently.
Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.
Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.
587892 : Multiple iRule proc names might clash, causing the wrong rule to be executed.
Component: Local Traffic Manager
Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.
Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.
Impact:
The call proc might execute the wrong proc.
Workaround:
None.
Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.
587705-6 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
Solution Article: K98547701
Component: Local Traffic Manager
Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.
Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.
Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.
Workaround:
None.
Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.
587691-2 : TMM crashes upon SSL handshake cancellation.
Solution Article: K41679973
Component: Local Traffic Manager
Symptoms:
TMM crashes upon SSL handshake cancellation.
Conditions:
SSL handshake cancellation.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when SSL handshake is canceled.
587617-4 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object configured with existent selfip.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd will not core.
587077-4 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Solution Article: K37603172
586878-1 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.
Workaround:
To workaround this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
"" { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
default { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
586738-3 : The tmm might crash with a segfault.
Component: Local Traffic Manager
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
IPsec is configured with hardware encryption error now returns an error code when appropriate, and manages the error as expected, so tmm no longer crashes with a segfault.
586718-5 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitution should not be logged, even if it is secure.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
586056 : Machine cert checker doesn't work as expected if issuer or AltName is specified
Component: Access Policy Manager
Symptoms:
Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert.
Logs in client PC can be produced, such as:
EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:
and
CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""
Conditions:
Issuer or Subject AltName fields are populated.
Site recently upgraded to 11.5.4.
Impact:
User may not pass policy as expected
Workaround:
N/A
Fix:
Now Machine Cert checker correctly processes issuer and SAN fields.
586006-5 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certification revocation check will fail.
Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.
Impact:
Users may fail access policy evaluation when client certification is used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585547-4 : NTP configuration items are no longer collected by qkview★
Solution Article: K58243048
Component: TMOS
Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.
Conditions:
Execute qkview to collect diagnostic information.
Impact:
Possibility for keys to be exposed.
Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.
Fix:
With this release, qkview no longer collects this file.
585424-4 : Mozilla NSS vulnerability CVE-2016-1979
Solution Article: K20145801
585412-1 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.
8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset-cause of Out of memory' and the email will not be delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585045 : ASM REST: Missing 'gwt' support for urlContentProfiles
Component: Application Security Manager
Symptoms:
A URL's header content profile cannot be set to 'gwt' via REST, and if such a configuration exists on the device, then REST will fail to retrieve the collection.
Conditions:
ASM REST is used to configure or inspect URLs on a Security Policy, and GWT profiles are used.
Impact:
Unusable REST for the collection.
Workaround:
None.
Fix:
GWT profiles on URLs are now correctly supported via REST.
584717 : TCP window scaling is not applied when SYN cookies are active
Component: Local Traffic Manager
Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.
Conditions:
SYN cookies have been activated.
Impact:
Poor performance / throughput.
Workaround:
None
Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.
584583-2 : Timeout error when using the REST API to retrieve large amount of data
Solution Article: K18410170
Component: TMOS
Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET
Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).
Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.
Workaround:
There is no workaround at this time.
Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which is root case for REST failure. Timeout is no longer triggered for this amount of data.
584373-1 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
AD/LDAP resource group mapping
In case of both lengthy group names and resource names edit link and control buttons could disapper under dialogue bounds
Conditions:
very long group names and resource names
Impact:
Impossible to delete and move rows in table - still possible to edit tho.
Workaround:
Spread one assign thru multiple rows
Fix:
Scroll bar is appearing when needed
584310 : TCP:Collect ignores the 'skip' parameter when used in serverside events
Solution Article: K83393638
Component: Local Traffic Manager
Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the "skip' argument does not take effect and is ignored. The Collect works, but collects only the length bytes from start.
Conditions:
TCP:Collect on server side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that have happen only with IIS server.
Impact:
TCP:Collect collects bytes without taking into account the skip, so the bytes collected are not the correct ones.
Workaround:
None.
Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.
584029-7 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
None.
Fix:
Fragmented packets no longer cause tmm to core under heavy load.
583957-3 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
A HTTP::respond or HTTP::redirect iRule is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.
Impact:
The TMM will be restarted by SOD.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking a HTTP::respond or HTTP::redirect iRule command.
583936-1 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
Now properly removing ECMP routes from the routing table.
583631-1 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
Component: Local Traffic Manager
Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.
Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.
Impact:
The connection fails. The system might generate an alert.
Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the `options' section of the Server SSL Profile.
Fix:
When enabled by setting the db variable, 'SSL.OuterRecordTls1_0,' to, 'enable,' the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue in older servers that do not support TLS versions later than 1.0, in which an alert might be generated closing the connection.
Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable, 'SSL.OuterRecordTls1_0,' is set to 'enable' the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.
583502-3 : Considerations for transferring files from F5 devices
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Conditions:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Impact:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Fix:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
583285-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
582952 : Linux kernel vulnerability CVE-2013-4483
Solution Article: K31300371
582813-4 : Linux Kernel CVE-2016-0774
Solution Article: K08440897
582773-3 : DNS server for child zone can continue to resolve domain names after revoked from parent
Solution Article: K48224824
582683-1 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
fixing xpath parer -- Restoring namespace declaration each time the xpath parser finishes to parse the document.
582440-1 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.
Conditions:
Ubuntu 15.10, network access tunnel connect and then disconnect
Impact:
User will not be able to reach internet after disconnecting from network access.
Workaround:
If Wifi is in use then turn off and on again.
If Ethernet is used then unplugging and plugging cable again should solve the problem.
582295 : ospfd core dump when redistributing NSSA routes in a HA failover
Solution Article: K62302950
Component: TMOS
Symptoms:
The ospfd is dumping a core when nssa routes are redistributed.
Conditions:
When a failover is initiated through the GUI on a BIG-IP high availability (HA) configuration, and a standby BIG-IP system cannot take the active role due to low HA score. The original active BIG-IP system takes back the active role.
Impact:
ospfd terminates on the BIG-IP system leading to connectivity issues until the ospfd comes up.
Workaround:
None.
Fix:
ospfd no longer crashes when redistributing NSSA routes in a HA failover event.
581834-3 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
clients are unable to use the Firefox plugin on Firefox version 47 and above
Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin
Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above
Fix:
The Firefox plugin now supports all versions.
581770-1 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
Component: Access Policy Manager
Symptoms:
Network Access clients are unable to pass IPv6 traffic
Conditions:
Network Access resource configured with IPv4&IPv6
Client attempts to pass IPv6 traffic
Impact:
IPv6 traffic is dropped
Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.
581746-4 : MPTCP or SSL traffic handling may cause a BIG-IP outage
Solution Article: K42175594
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.
Impact:
A system outage may occur.
Workaround:
None.
Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.
580817-4 : Edge Client may crash after upgrade★
Component: Access Policy Manager
Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.
Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0
Impact:
Users are unable to use the Edge client
Fix:
Fixed a crash in the Edge client
580596-5 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Solution Article: K14190 K39508724
580429-3 : CTU does not show second Class ID for InstallerControll.dll
Component: Access Policy Manager
Symptoms:
Client troubleshooting utility does not display the registered class id of Installer control.dll.
Conditions:
Client troubleshooting utility is used to display all installed edge client components.
Impact:
No impact to end user or administrator. Impacts F5 support.
Workaround:
None.
Fix:
CTU now shows the class id of installer control.dll.
580421-4 : Edge Client may not register DLLs correctly
Component: Access Policy Manager
Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.
Conditions:
Client is using Internet Explorer
Impact:
Clients are unable to install the Edge client components
Fix:
Edge client components are now getting properly registered.
580340-4 : OpenSSL vulnerability CVE-2016-2842
Solution Article: K52349521
580313-4 : OpenSSL vulnerability CVE-2016-0799
Solution Article: K22334603
580303-2 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
580026-4 : HSM logging error
Solution Article: K74759095
579975-4 : OpenSSL vulnerability
Solution Article: K79215841
579955-4 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Solution Article: K01587042
579926-2 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode
Component: Local Traffic Manager
Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.
Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.
Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.
Workaround:
No workaround.
579919 : TMM may core when LSN translation is enabled
Component: Local Traffic Manager
Symptoms:
tmm core
Conditions:
Virtual uses LSN translation with a destination matching a pool-based route
Impact:
Traffic disrupted while tmm restarts.
Fix:
Virtual with LSN translation no longer leads tmm coring when destination matches a pool-based route.
579909-3 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
Component: Access Policy Manager
Symptoms:
Secondary blade MCPD exits if APM Sandbox intends to log a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.
There are multiple cases that can potentially log such kind of Sandbox warning message and cause an mcpd crash and/or tmm crash. APM can log the warning if it encounters a directory which is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:
Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/
Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed due to any reason such as Not Existing, Not Empty, etc. on the secondary blade. This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.
Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed such that Secondary MCP will not exit but only log the warning message as the partition is successfully deleted.
579843-4 : tmrouted may not re-announce routes after a specific succession of failover states
Component: Local Traffic Manager
Symptoms:
tmrouted does not re-announce RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.
Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
Tmrouted may not announce the Virtual addresses when coming back to Active state after the mention succession.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.
Fix:
tmrouted now re-announces RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.
579829-4 : OpenSSL vulnerability CVE-2016-0702
Solution Article: K79215841
579559-4 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
Component: Access Policy Manager
Symptoms:
Network Access always fallbacks to TLS connection even if DTLS is configured when connecting to some hardware platforms.
Conditions:
Network Access is configured to use DTLS
Hardware BIG-IP with DTLS Nitrox acceleration is used,
Impact:
Network Access connection always fallbacks to TLS connection
Workaround:
N/A
Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.
579371-1 : BIG-IP may generate ARPs after transition to standby
Solution Article: K70126130
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.
Impact:
Unexpected ARP requests that might result in packet loops.
Workaround:
None.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579284-5 : Potential memory corruption in MCPd
Component: TMOS
Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.
Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").
Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.
Fix:
Identified and fixed areas of potential memory corruption in MCP.
579237-4 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
579220-2 : Mozilla NSS vulnerability CVE-2016-1950
Solution Article: K91100352
579085-3 : OpenSSL vulnerability CVE-2016-0797
Solution Article: K40524634
579047 : Unable to update the default http-explicit profile using the GUI.
Component: TMOS
Symptoms:
Trying to update default Local Traffic :: Profiles : Services : HTTP :: http-explicit profile, the system posts the following error: 'Some fields below contain errors. Correct them before continuing.' Under the 'Explicit Proxy' section for 'DNS Resolver' option, the system posts the following error: '010717e8:3: Invalid 'dns-resolver' value for profile /Common/http-explicit. The dns-resolver does not exist.'
Conditions:
Updating default http-explicit profile using the GUI.
Impact:
Error messages. Unable to update the default http-explicit profile using the GUI.
Workaround:
Use tmsh to update the default http-explicit profile.
Fix:
You can now update the default http-explicit profile without error using the GUI.
578844-3 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Component: Access Policy Manager
Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Conditions:
NA resource with IPv4&IPv6 is used (SNAT pool in NA resource is set to None). User is connected to IPv4 Virtual server.
While connected user clicks on 'Change server' and chooses an IPv6 virtual server.
Impact:
Traffic disrupted while tmm restarts.
578570-3 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
578353-1 : Statistics data aggregation process is not optimized
Component: Application Visibility and Reporting
Symptoms:
CPU spikes may occur every 5 minutes
Conditions:
Occurs all the time
Impact:
High CPU usage may be observed every 5 minutes
Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:
1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.
2.Restart Monpd afterwards.
For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low
Fix:
The aggregation process of statistics in DB which is done using monpd should be optimized, and skip redundant updates of tables.
578045-5 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
Component: Local Traffic Manager
Symptoms:
The TMM crashes while resuming from a HTTP_PROXY_REQUEST event.
Conditions:
A HTTP_PROXY_REQUEST iRule event parks. Pipelined ingress occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use parking iRule commands within the HTTP_PROXY_REQUEST event.
If a parking command must be used, the following may work:
Try using TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.
Another work-around is to set max-requests to 1. (Disabling pipelining.)
577828-4 : BIND vulnerability CVE-2016-2088
Solution Article: K59692558
577826-3 : BIND vulnerability CVE-2016-1286
Solution Article: K62012529
577823-3 : BIND vulnerability CVE-2016-1285
Solution Article: K46264120
577814 : MCPd might leak memory in PEM stats queries.
Component: Policy Enforcement Manager
Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.
Conditions:
Occurs when a valid PEM stats query is issued by a UI (GUI TMSH, REST, etc.) and PEM is configured on the BIG-IP.
Impact:
System may be unresponsive or crash due to being out of memory.
Workaround:
None.
Fix:
Fixed the potential MCPd memory leak in PEM stats queries.
577811 : SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms
Component: TMOS
Symptoms:
In BIG-IP v11.5.4, the behavior of the SNMP sysObjectID changed for VIPRION 2xxx-series platforms.
On other BIG-IP 10.x and 11.x versions running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Chassis (BIG-IPVprC2400 or BIG-IPVprC2200).
In BIG-IP v11.5.4 and v12.0.0 and later running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250).
In all versions of BIG-IP running on VIPRION 4xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (BIG-IPPb100, BIG-IPPb100n, BIG-IPPb200, BIG-IPPb200N, BIG-IPVprB4300 or BIG-IPVprB4300N).
In BIG-IP v12.0.0 and later running on VIPRION 2xxx-series platforms, the BIG-IP design is changed such that the SNMP sysObjectID reports the ID of the Blade (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250), consistent with VIPRION 4xxx-series platforms.
[See Solution article for ID 425331, when published.]
Conditions:
VIPRION C2400 and C2200 chassis
VIPRION B2100, B2150 and B2250 blades
BIG-IP v11.5.4 (release)
Impact:
SNMP queries to identify VIPRION 2xxx-series platforms return the Blade ID instead of the Chassis ID, requiring changes in how the returned sysObjectID is interpreted.
Workaround:
Identify a VIPRION 2xxx-series platform by the appropriate Blade ID (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250), instead of by the Chassis ID (BIG-IPVprC2400 or BIG-IPVprC2200).
Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.
Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.
Previously, SNMP sysObjectID reported the ID of the Blade on VIPRION 2xxx-series platforms, to match the behavior on VIPRION 4xxx-series platforms.
577668-2 : ASM Remote logger doesn't log 64 KB request.
Component: Application Security Manager
Symptoms:
A request longer than 10 KB is truncated to 10 KB in the ASM remote logger although the remote logger is configured to log up to 64 KB requests.
Conditions:
The remote logger is configured to max request size 64k .
A request is longer than 10 KB.
Impact:
Incorrect request size in the log.
Workaround:
N/A
Fix:
ASM can now logs up to 64 KB requests. (Actual size depends on the total message size and the other fields in the message.)
576897-2 : Using snat/snatpool in related-rule results in crash
Component: Local Traffic Manager
Symptoms:
TMM crash resulting in failover.
Conditions:
Using snat/snatpool command in related-rule.
Impact:
TMM crash resulting in failover.
Workaround:
Do not use snat/snatpool commands in related rule.
576591-3 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card number with specific ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern is possible for these cases, but should be adjusted to each configuration specifically.
576314 : SNMP traps for FIPS device fault inconsistent among versions.
Component: Local Traffic Manager
Symptoms:
The snmp traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.
Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.
Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.
Fix:
An SNMP trap is generated when the system has detected a FIPS device fault indicating that said device can no longer service FIPS operations. The OIDs are different across versions and one specific platform. Here is the OIDs and versions:
BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350
576305-1 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576296-1 : MCPd might leak memory in SCTP profile stats query.
Component: Local Traffic Manager
Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.
Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.
Impact:
Performance may be degraded.
Workaround:
None.
Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.
576069-1 : Rewrite can crash in some rare corner cases
Component: Access Policy Manager
Symptoms:
Rewrite can crash in some rare corner cases when some specific erroneous elements are present in an HTML content.
Conditions:
Any of the strings:
<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />
triggers guaranteed rewrite crash.
Impact:
Web application malfunction.
Workaround:
iRule or direct fix of improper HTML tag.
Fix:
Fixed.
575735-1 : Potential MCPd leak in global CPU info stats code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying global CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.
575726-1 : MCPd might leak memory in vCMP interface stats.
Component: TMOS
Symptoms:
MCPd might leak memory in vCMP interface stats.
Conditions:
The memory leak occurs when viewing VCMP interface statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.
575716-1 : MCPd might leak memory in VCMP base stats.
Component: TMOS
Symptoms:
MCPd might leak memory in VCMP base stats.
Conditions:
This occurs when looking at VCMP base statistics.
Impact:
Over time this might cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.
575708-1 : MCPd might leak memory in CPU info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in CPU info stats.
Conditions:
In some cases, querying CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying CPU information stats.
575671-1 : MCPd might leak memory in host info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in host info stats.
Conditions:
In some cases, querying host information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying host information stats.
575631-2 : Potential MCPd leak in WAM stats query code
Component: WebAccelerator
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying WAM stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying WAM stats.
575626-6 : Minor memory leak in DNS Express stats error conditions
Solution Article: K04672803
Component: Local Traffic Manager
Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.
Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.
Impact:
Memory leaks might eventually lead to system reboots.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.
575619-1 : Potential MCPd leak in pool member stats query code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying pool member stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying pool member stats.
575612-4 : Potential MCPd leak in policy action stats query code
Component: Local Traffic Manager
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying policy action stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying policy action stats.
575609-4 : Zlib accelerated compression can result in a dropped flow.
Component: Access Policy Manager
Symptoms:
Some compression requests would fail when the estimated compression output block was too small. Such errors deposit an error in the log similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.
Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.
Impact:
The flow that encounters the error is dropped.
Workaround:
Disable hardware accelerated compression.
Fix:
Difficult to compress requests may be dropped.
575608-1 : MCPd might leak memory in virtual server stats query.
Component: TMOS
Symptoms:
MCPd might leak memory in virtual server stats query.
Conditions:
In some cases, querying virtual server stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying virtual server stats.
575587-1 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575582-1 : MCPd might leak memory in FW network attack stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW network attack stats.
Conditions:
This occurs when looking at firewall network attack statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575571-1 : MCPd might leak memory in FW DOS SIP attack stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.
Conditions:
This occurs when looking at firewall DOS SIP stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575569-1 : MCPd might leak memory in FW DOS DNS stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW DOS DNS stats query.
Conditions:
This occurs when looking at firewall DOS DNS statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575565-1 : MCPd might leak memory in FW policy rule stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW policy rule stats query.
Conditions:
This occurs when looking at firewall policy rule stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575564-1 : MCPd might leak memory in FW rule stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW rule stats query.
Conditions:
This occurs when looking at firewall rule statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575557-2 : MCPd might leak memory in FW rule stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW rule stats.
Conditions:
This occurs when looking at firewall rule statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575499-3 : VPN filter may leave renew_lease timer active after teardown
Component: Access Policy Manager
Symptoms:
TMM core making the system unavailable for a period of time until it comes back up.
Conditions:
When using both IPv4 & IPv6 network access resources with static IP address for IPv4 and dynamic address assignment for IPv6 tmm will core while NA tunnel is running or on NA's disconnect time.
Impact:
TMM core and bring down the system.
Workaround:
N/A
Fix:
No more stale renew_lease timer in vpn_ctx to cause TMM core.
575321-1 : MCPd might leak memory in firewall stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in firewall stats.
Conditions:
This occurs when looking at firewall stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575292-2 : DNS Relay proxy service does not respond to SCM commands in timely manner
Component: Access Policy Manager
Symptoms:
DNS relay proxy service may appear unresponsive when stopped/started through Service control manager and user may see a system dialog box saying "Service did not respond in a timely manner"
Conditions:
DNS relay services component of edge client is installed on user's machine
Impact:
Usability, User may think that service has failed.
Workaround:
Wait for service to respond proper status
Fix:
Service now reports correct status to service control manager immediately.
575027-3 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.
Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.
575011-9 : Memory leak. Nitrox3 Hang Detected.
Solution Article: K21137299
Component: Local Traffic Manager
Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".
Conditions:
Compression device unavailable during creation of a new context.
Impact:
System can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired memory leak.
574781-3 : APM Network Access IPV4/IPV6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.
Conditions:
APM virtual with Network Access configured with IPV4 and IPv6.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6.
Fix:
APM Network Access now correctly manages its memory resources.
574318-4 : Unable to resume session when switching to Protected Workspace
Component: Access Policy Manager
Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error
Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace
Impact:
Client browser cannot render the protected workspace
Fix:
Fixed an issue preventing Windows clients from using Protected Workspace
574262 : Rarely encountered lockup for N3FIPS module when processing key management requests.
Component: Local Traffic Manager
Symptoms:
The N3FIPS module does not respond to key management requests.
Conditions:
No specific condition has been identified for this failure.
Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.
Workaround:
A SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.
Fix:
The N3FIPS module no longer experiences occasional lockups when processing key management requests.
574214-2 : Content Based Routing daemon (cbrd) logging control
Component: Application Security Manager
Symptoms:
The cbrd logger might not produce enough useful output for troubleshooting purposes, and debug logging is not available.
Conditions:
Using xml profile, and you would like to see the xpath prints to a log file.
Impact:
Unable to see the xpath information
Fix:
It is now possible to enable xpath logging by adding these lines to /etc/cbr/logger.cfg:
MODULE=CBR_PLUGIN;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
Then:
bigstart restart cbrd
574153-3 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
Component: Local Traffic Manager
Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.
Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.
Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.
Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.
Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.
574116-3 : MCP may crash when syncing configuration between device groups
Component: TMOS
Symptoms:
mcpd on the sync target crashes when syncing configuration.
Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.
Impact:
Outage due to mcp crash which causes tmm to restart.
Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use error", mcpd on the target machine will crash.
Fix:
Verify existence of rule objects when validating configuration.
574073 : Support for New Platform: BIG-IP 10350 FIPS with NEBS support
Component: Local Traffic Manager
Symptoms:
New platform introduction
Conditions:
New platform introduction
Impact:
New platform introduction
574045-3 : BGP may not accept attributes using extended length
Component: TMOS
Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.
Conditions:
Neighbor sends path attributes using extended length.
Impact:
The BGP adacency will repeatedly bounce and the RIB will never converge.
Fix:
Received BGP attributes using extended length are no longer rejected.
573778-5 : QEMU vulnerability CVE-2016-1714
Solution Article: K75248350
573581-2 : DNS Search suffix are not restored properly in some cases after VPN establishment
Component: Access Policy Manager
Symptoms:
Modified DNS suffix after VPN establishment and closure may result in failure to resolve some DNS names
Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.
Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.
Workaround:
Any of the following workarounds
1) Do not stop DNS relay proxy service in the middle of a VPN session
2)Restore DNS search suffixes manually.
573529 : F-bit is not set in IPv6 OSPF Type-7 LSAs
Component: TMOS
Symptoms:
The forwarding address and the F-bit are not set in Type-7 LSAs sent out by the ASBR.
Conditions:
Virtual IP from a virtual server is redistributed as a Type-7 route by the ASBR.
Impact:
ABR routers are not able to propagate NSSA routes to other OSPF areas as External Type-5 routes. As a result, OSPF areas cannot reach external networks.
Fix:
ASBR sets the F-bit and forwarding address correctly.
573429-2 : APM Network Access IPv4/IPv6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.
Conditions:
APM virtual with Network Access configured with no SNAT and both IPV4 and IPV6 enabled.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6 support.
Fix:
Network Access now correctly manages its memory resources.
573406-2 : ASU cannot be completed if license was last activated more than 18 months before
Component: Application Security Manager
Symptoms:
Attack Signature Update (ASU) if license was last activated more than 18 months before.
Conditions:
The license was last activated more than 18 months before.
Impact:
Attack SIgnature Update (ASU) cannot be performed.
Workaround:
The license must be re-activated.
Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from server.
573343-4 : NTP vulnerability CVE-2015-8158
Solution Article: K01324833
573124-5 : TMM vulnerability CVE-2016-5022
Solution Article: K06045217
572922-3 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★
Component: Application Security Manager
Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------
Conditions:
-- ASM provisioned.
-- Upgrade performed.
Impact:
Different portions of the security policy may be incorrectly upgraded.
Workaround:
N/A
Fix:
This release fixes the root cause so that the security policy upgrades correctly, and the following error does not reproduce upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
572893-5 : error "The modem (or other connecting device) is already in use or is not configured properly"
Component: Access Policy Manager
Symptoms:
Clients get an error: error "The modem (or other connecting device) is already in use or is not configured properly"
Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.
Impact:
Clients will be unable to connect to the VPN
Workaround:
Rebooting might correct the issue on the client machine.
Fix:
Network Access will no longer fail on client machines that first uninstall the components and then attempt to reconnect.
572600 : mcpd can run out of file descriptors
Component: TMOS
Symptoms:
Mcpd crashes with the log message err mcpd[8835]: 01071070:3: Failed to open file /config/BigDB.dat.tmp with error 24
Conditions:
This can happen in multiple ways, in this case it was detected while running BIG-IQ policy sync.
Impact:
Mcpd can crash, rendering the system instable
Fix:
A crash related to mcpd running out of file descriptors has been fixed.
572563-4 : PWS session does not launch on Internet Explorer after upgrade
Component: Access Policy Manager
Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).
Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services. IE consumes the COM services. The DLL is loaded by IE during upgrade of PWS components. Intermittently, (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When COM services are invoked to initialize PWS after upgrade, the old DLL provides the service.
Impact:
Due to the recent renewal of the signing certificate, the old DLL cannot certify the integrity of the new PWS components. PWS session does not launch.
Workaround:
After upgrade, if IE does not enter into PWS within 60 seconds, close IE and start a new session. This is a one-time event.
Fix:
Internet Explorer can now launch a Protected Workspace session.
572543-4 : User is prompted to install components repeatedly after client components are updated.
Component: Access Policy Manager
Symptoms:
After auto-update of client components from internet explorer, user will be prompted to install components again if he goes to VPN site again.
Conditions:
Administrator upgrades big-ip to 12.1.
User has client components from a release older than 12.1
Impact:
User is prompted to install components again and again
Workaround:
Restart browser after components are updated the first time.
572495-4 : TMM may crash if it receives a malformed packet CVE-2016-5023
Solution Article: K19784568
572281-3 : Variable value in the nesting script of foreach command get reset when there is parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is something like the following script:
foreach a [list 1 2 3 4] {
set a 10
after 100
}
There is parking command, after, in the script and it runs after "set a 10", when after command returns, the value of a goes back to the initial value set in the foreach, value of 10 is lost.
Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set(or set again) the variable value after the parking command.
Fix:
Will fix in later release.
572272-3 : BIG-IP - Anonymous Certificate ID Enumeration
Solution Article: K65355492
572234-4 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.
572224 : Buffer error due to RADIUS::avp command when vendor IDs do not match
Component: Service Provider
Symptoms:
Errors similar to the following in the ltm log:
err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.
Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.
Impact:
You are unable to use vendor-specific RADIUS AVP commands
Workaround:
None.
Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.
572133-3 : tmsh save /sys ucs command sends status messages to stderr
Component: TMOS
Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are being sent to stderr instead of stdout. This will be seen if a you are watching stderr for error messages.
Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.
Impact:
If a script runs the command it may report that the save failed because messages were send to stderr.
Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.
Fix:
The command will send the status messages to stdout.
571573-3 : Persistence may override node/pmbr connection limit
Solution Article: K20320811
Component: Local Traffic Manager
Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or poolmember over the configured connection limit.
Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.
Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.
Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).
Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.
571344-2 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.★
Component: TMOS
Symptoms:
After upgrading, unable to view certain certs from gui. Catalina.out file could contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.
iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.
Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.
Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.
Workaround:
None.
Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.
571210-3 : Upgrade, load config, or sync might fail on large configs with large objects.
Component: TMOS
Symptoms:
Attempting to load a large config with large objects may result in the following error message:
err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57
Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:
err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.
err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52
err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...
Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.
Or, once config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) lead to the error.
Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.
Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.
Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.
571183-3 : Bundle-certificates Not Accessible via iControl REST.
Component: Local Traffic Manager
Symptoms:
Bundle-certificates Not Accessible via iControl REST.
Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates
Impact:
Unable to get data from the command.
Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates
Fix:
The iControl rest command for viewing bundle-certificates now displays all of the certificates.
571090-1 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
Component: Access Policy Manager
Symptoms:
tmm restarts.
Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.
Impact:
Tmm may restart.
Workaround:
None
571019-2 : Topology records can be ordered incorrectly.
Component: TMOS
Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP's in a sync group.
Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues including differences in the ordering of topology records on BIG-IP's in a sync group.
Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP's in a sync group.
Workaround:
None.
Fix:
Topology records are now ordered consistently.
571003-4 : TMM Restarts After Failover
Component: Access Policy Manager
Symptoms:
TMM generates core file and restarts.
Conditions:
1. In a HA pair running pre 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.
Impact:
Serivce is disrupted. All existing sessions are terminated.
Workaround:
None.
Fix:
TMM no longer generates core file and restarts upon upgrade.
570716-1 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
Solution Article: K10133477
570667-10 : OpenSSL vulnerabilities
Solution Article: K64009378
570663-2 : Using iControl get_certificate_bundle_v2 causes a memory leak
Component: TMOS
Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.
Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.
Impact:
Eventually iControlPortal will run out of memory and crash.
Fix:
The memory leak issue has been fixed.
570640-4 : APM Cannot create symbolic link to sandbox. Error: No such file or directory
Component: Access Policy Manager
Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty).
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.
Conditions:
The user has ever attempted (but failed) to delete the partition.
Impact:
No more APM sandbox object such as Hosted-Content can be added to the partition.
Upgrade may fail to install configuration with the impacted sandbox object.
Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is suppsed to be created as shown in the error message.
Directories are: {to do mkdir -p)
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directors sync to active unit.
570617-5 : HTTP parses fragmented response versions incorrectly
Component: Local Traffic Manager
Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then miss-parse the HTTP version.
Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.
Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as a HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.
Workaround:
None.
Fix:
HTTP correctly bounds the response version for other filters to parse.
570570-2 : Default crypto failure action is now 'go-offline-downlinks'.
Component: Local Traffic Manager
Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".
(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)
Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.
Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.
Workaround:
Set the db variable crypto.ha.action to your desired value.
Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.
Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.
570064-4 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
Component: Access Policy Manager
Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"
Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.
Impact:
The prompt should not occur.
Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab
570053-1 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Solution Article: K78448635
Component: TMOS
Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Conditions:
The issue is seen when all the below conditions are met.
1. When more than one certkeychains are configured in the clientSSL profile.
2. When the content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. Performs config sync in HA setup.
Impact:
Missing certkeychain of a clientSSL profile can result in its inability to handle some kind of SSL traffic. For example, if the clientSSL originally has EC key/cert but loses it, then it is no longer able to handle SSL connection using EC cipher suites.
Workaround:
Basically reconfigure certkeychain but avoid modifying the content.
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.
569972-3 : Unable to create gtm topology records using iControl REST
Component: Global Traffic Manager (DNS)
Symptoms:
The user is unable to create gtm topology records using iControl REST.
Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.
Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.
Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.
Fix:
You can now create gtm topology records using iControl REST.
Please be sure to format the gtm topology oid string using the following rules:
1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.
For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".
569958-3 : Upgrade for application security anomalies
Component: Application Visibility and Reporting
Symptoms:
If upgrading to newer version, old statistics for application security anomalies are not shown.
Conditions:
Upgrade from BIG-IP version older than 12.1.0 to newer version
Impact:
Losing old statistics for application security anomalies
Fix:
Upgrade to newer version and verify that old statistics are shown.
569718-3 : Traffic not sent to default pool after pool selection from rule
Component: Local Traffic Manager
Symptoms:
If you have an iRule configured to match a pattern in the HTTP::uri and send it to a non-default pool, subsequent requests in the HTTP keep-alive session will also be sent to the non-default pool even though they do not match the iRule.
Conditions:
This occurs after upgrading from 11.5.3 HF1 to 11.5.3 HF2.
Impact:
If the pool members are not configured to accept traffic that doesn't match the uri criterial, the server will not respond properly.
Fix:
Reverted a change that caused subsequent HTTP requests to go to the non-default pool after it was selected in an iRule.
569642-3 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
Component: Local Traffic Manager
Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.
Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery the now active unit loses its only route to the pool member.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not remove all routes to poolmembers. If this is needed please create other backup routes prior to the deletion.
Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.
569521-2 : Invalid WideIP name without dots crashes gtmd.
Component: Global Traffic Manager (DNS)
Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.
The symptom is a crash and core dump from gtmd.
Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.
Impact:
gtmd crashes and WideIPs do not function.
Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.
Fix:
FQDN now validates to confirm that a WideIP or WideIP Alias name has at least one dot in an appropriate position, and has no consecutive dots, so there is no crash and core dump from gtmd. This validation occurs even when other FQDN validation has been suppressed by setting
gtm globlal-settings general domain name check == 'none'.
569472-3 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.
Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member;
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.
Impact:
tmm cores.
Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.
Fix:
tmm no longer cores when disabling pool-member-selection for load-balancing-decision-log-verbosity.
569467-2 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Solution Article: K11772107
569356-5 : BGP ECMP learned routes may use incorrect VLAN for nexthop
Solution Article: K91428939
Component: TMOS
Symptoms:
Border Gateway Protocol (BGP) with Equal Cost Multipath (ECMP) may result in learned routes that use an incorrect nexthop Virtual Local Area Network (VLAN).
As a result of this issue, you may encounter one or more of the following symptoms:
The system may randomly send the traffic using the incorrect nexthop.
Conditions:
-- BIG-IP configuration with two or more VLANs configured with IPv6 global addresses.
-- BGP with ECMP is peered with an active IPv6 BGP neighbor. -- BGP is configured with max-paths.
Impact:
The traffic randomly gets sent using the incorrect nexthop.
Workaround:
None.
Fix:
Routes learned from the peer now have the correct nexthop VLANs.
569349-3 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
Component: Local Traffic Manager
Symptoms:
When net cos (class of Service) feature is enabled, vlan priority for those cmp redirected packets are not being preserved from ingress to egress.
Conditions:
1. net cos feature is enabled
2. packet is being cmp redirected from one tmm to another tmm for processing.
Impact:
Egress packets are not being processed according to the ingress vlan priority by BIG-IP and down stream router. Certain packets will be dropped by downstream router due to the wrong mark of vlan priority.
Workaround:
None.
569337-4 : TCP events are logged twice in a HA setup
Component: Advanced Firewall Manager
Symptoms:
TCP log events are logged twice (if enabled in security log profile) with connection mirroring enabled on the virtual server in a HA setup (Active/Standby).
Conditions:
When there's a HA setup (Active/Standby) or both client side and server side connection flow.
Impact:
TCP log events are logged twice (duplicate events from active unit and standby unit or from both client side and server side of the connection flow).
Workaround:
N/A
Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in a HA setup (Active/Standby).
569306-5 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
Component: Access Policy Manager
Symptoms:
User is shown the logon page to connect to VPN after he logs on. Windows logon credentials are not used for VPN automatically.
Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected
Impact:
User has to retype his credentials to connect to VPN
Workaround:
Enter the credentials again to connect to VPN
Fix:
Now logged on credentials are used automatically to connect to VPN
569288-4 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This will cause some of the LACP trunk members not able to aggregate successfully with peer switch.
Conditions:
This only happens in a chassis based system when certain race condition causes trunk id being modified after initial trunk creation.
Impact:
Non aggregated trunk members won't be able to pass traffic.
Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"
569255-5 : Network Access incorrectly manipulates routing table when second adapter being connected if "Allow Local subnet access' is set to ON
Solution Article: K81130213
Component: Access Policy Manager
Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.
Conditions:
-- 'Allow Local subnet access' enabled.
-- Client system is getting second network interface connected.
Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.
Workaround:
Disable 'Allow Local subnet access'.
Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.
569236-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
568889-5 : Some ZebOS daemons do not start on blade transition secondary to primary.
Solution Article: K22989000
Component: TMOS
Symptoms:
In some specific cases the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.
Conditions:
If the failover occurs as a result of the primary blade's mcpd restarting
Impact:
The new primary blade does not start some ZebOS daemons resulting in ospf not working as expected on the standby unit.
Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.
Fix:
The BIG_IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.
568743-2 : TMM core when dnssec queries to dns-express zone exceed nethsm capacity
Component: Local Traffic Manager
Symptoms:
tmm crashes, and in /var/log/ltm you see entries indicating "Signature failed":
err tmm1[16816]: 01010216:3: DNSSEC: Signature failed (signature creation) for RRSET (host0530.f5test.net, 1) with key /Common/myZSK2, generation 1.
Conditions:
This can occur when a dns-express zone generates more responses than the Thales can sign. The excess requests are queued and tmm can core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer core when dnssec queries to dns-express zone exceed nethsm capacity.
568543-2 : Syncookie mode is activated on wildcard virtuals
Component: Local Traffic Manager
Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.
Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)
568445-7 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10
Component: Access Policy Manager
Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.
Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impact:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.
Impact:
1) Access policy will fail.
2) VPN cannot be launched from WebTop.
Workaround:
None.
Fix:
User can now perform endpoint check or launch VPN from Firefox on Windows 10.
568347-3 : BD Memory corruption
Component: Application Security Manager
Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.
Conditions:
N/A
Impact:
Traffic goes down while the Enforcer goes back up.
Fix:
Fixed a memory corruption issue.
567484-4 : BIND Vulnerability CVE-2015-8705
Solution Article: K86533083
567475-4 : BIND vulnerability CVE-2015-8704
Solution Article: K53445000
567379-2 : libtar vulnerability CVE-2013-4397
Solution Article: K16015326
566908-3 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
Solution Article: K54435973
Component: Access Policy Manager
Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.
Conditions:
proxy.pac, network access, OS X system.
Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.
Workaround:
None.
Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.
566758-3 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Component: Application Security Manager
Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.
Conditions:
Expiration period is omitted in hand-crafted XML policy file.
Impact:
The Login Page created as a result is inaccessible in GUI and REST.
Workaround:
Ensure that expiration period exists in XML policy file before import.
Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.
566646-2 : Portal Access could respond very slowly for large text files when using IE < 11
Component: Access Policy Manager
Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.
Conditions:
Internet Explorer version 7 through 10 with Portal Access
Impact:
Large text files can't be accessed or downloaded through Portal Access.
Workaround:
Irule that does any of following:
a) Preferred: append F5CH=I to request uri in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.
Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.
566361-2 : RAM Cache Key Collision
Solution Article: K11543589
Component: Local Traffic Manager
Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled
Conditions:
This occurs when RAM cache is enabled in certain circumstances.
Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.
Workaround:
None.
Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.
565895-3 : Multiple PCRE Vulnerabilities
Solution Article: K17235
565810-5 : OneConnect profile with an idle or strict limit-type might lead to tmm core.
Solution Article: K93065637
Component: Local Traffic Manager
Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.
Conditions:
OneConnect profile with a limit-type value of idle or strict.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a limit-type of 'none'.
Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.
565534-3 : Some failover configuration items may fail to take effect
Solution Article: K40254066
Component: TMOS
Symptoms:
These symptoms apply to version 12.0.0 and later:
When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.
These symptoms can occur on all versions:
When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.
Conditions:
For version 12.0.0 and later:
Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration https://support.f5.com/csp/article/K13030.
For all versions:
A change is made to the cm device configuration that includes a unicast-address change along with something else.
Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.
Workaround:
Mitigation for v12.0.0 (and later) symptom:
To restore multicast failover, disable and re-enable multicast failover.
To do so, perform the following procedure on the the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface.
3. Disable and re-enable multicast failover by running the following tmsh commands:
modify cm device device1 { multicast-interface none }.
modify cm device device1 { multicast-interface eth0 }.
Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.
Fix:
With the fix, sod now sends out multicast FO heartbeat datagrams under the same condition.
565409-3 : Invalid MSS with HW syncookies and flow forwarding
Component: Local Traffic Manager
Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.
Conditions:
The conditions which cause this are not fully known.
Impact:
TMM core/reboot.
Workaround:
Disable HW syncookies or TSO.
565231-1 : Importing a previously exported policy which had two object names may fail
Component: Access Policy Manager
Symptoms:
If an exported access policy includes two object names profile_name-aaa and aaa, import that policy may fail or be incorrect.
Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"
For example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"
Impact:
Rare case, but the import of such a policy may fail.
Workaround:
One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.
Fix:
Objects are being exported correctly without error.
565169-1 : Multiple Java Vulnerabilities
Solution Article: K48802597
565167-3 : Additional garbage data being logged on user name and domain name for NTLM authentication
Component: Access Policy Manager
Symptoms:
ECA logs an error message in this format:
Could not verify user (<Domain Name>\<User Name>) credential (<Reason>)
Example:
Could not verify user (mv4\test1) credential (STATUS_NO_LOGON_SERVERS)
However, due to missing NUL termination, the user name and domain name may include garbage data such as follwing example:
Could not verify user (mv413abfee\test1ewq12dsasd) credential (STATUS_NO_LOGON_SERVERS)
Conditions:
When NTLM front end authentication could not send the verification of the user's credential (e.g. ActiveDirectory server is down)
Impact:
BIG-IP could not send the verification to ActiveDirectory server for any reasons such as down ActiveDirectory server, incorrect machine account information between BIG-IP, and ActiveDirectory server, etc.
Workaround:
No workaround
Fix:
Now it properly logs the message with correct domain name and user name.
565085-4 : Analytics profile allows invalid combination of entities for Alerts setup
Component: Application Visibility and Reporting
Symptoms:
When non cumulative metrics are selected for an Alert on a dimension that's other than a Virtual Server, errors appear in the log.
Conditions:
Analytics in use, and non-cumulative metrics such as the following are used on a time dimension:
- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput
Impact:
You are able to configure invalid alerts but no warning is given and the metric does not work and generates errors in the /var/log/monpd.log file.
Workaround:
None needed. This is Cosmetic.
Fix:
Invalid combination of entities for Alerts setup is no longer allowed. Validation is present both on UI side and the backend.
565056-5 : Fail to update VPN correctly for non-admin user.
Solution Article: K87617654
Component: Access Policy Manager
Symptoms:
VPN is not updated correctly for non-admin users.
Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create Access Policy containing (Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, VPN Resources with Optimized Applications.)
2. Login with a User without admin privileges
3. Run FF
4. Login to VS and install components
5. Click on NA resource on the webtop to start VPN tunnel => a user is asked for an admin password and VPN is successfully installed and established
6. Close FF and exit PWD
Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"
Workaround:
None.
Fix:
VPN is now updated as expected for non-admin users.
564521-2 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped
Component: Access Policy Manager
Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.
Conditions:
Adobe ActionScript 3.0 version 24 or less.
Impact:
Adobe Flash application may crash.
Workaround:
None
Fix:
Completely fixed.
564496-2 : Applying APM Add-on License Does Not Change Effective License Limit
Component: Access Policy Manager
Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.
Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.
Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.
Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm.
For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
- Take one unit Offline.
- Remove the HA configuration.
- Reactivate license on the offline unit.
- Take a peer unit Offline.
- Release the first unit from Offline.
- Reactivate license on the peer unit.
- Rebuild HA configuration.
- Release the peer unit from Offline.
Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.
564482-3 : Kerberos SSO does not support AES256 encryption
Component: Access Policy Manager
Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).
Conditions:
Delegation account is enforced to use AES256 encryption.
Impact:
Kerberos SSO will fail and user will be prompted to enter credential.
Workaround:
Disable the option to enforce AES256 encryption for the delegation account.
Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.
564427-1 : Use of iControl call get_certificate_list_v2() causes a memory leak.
Component: TMOS
Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.
Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.
Impact:
memory leak.
Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.
Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.
564262-3 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
Solution Article: K21518043
Component: Access Policy Manager
Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.
Conditions:
-DNS names cannot be resolved on client system.
-PAC file used to determine proxy server uses JavaScript DNS resolution function.
Impact:
Tunnel server crashes and user cannot establish VPN.
Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.
Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.
564253-6 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins, which are not signed by Firefox.
Conditions:
Using APM with Firefox v44.0 and later.
Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.
Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.
Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.
564111-2 : Multiple PCRE vulnerabilities
Solution Article: K05428062
563905 : vCMP guest fails to go Active after the host system is rebooted
Solution Article: K62975642
Component: TMOS
Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'
Conditions:
The host of a vCMP guest is rebooted.
Impact:
The guest will not become active.
Workaround:
None.
Fix:
vCMP guest now correctly goes Active after the host system is rebooted
563670-5 : OpenSSL vulnerabilities
Solution Article: K86772626
563591-3 : reference to freed loop_nexthop may cause tmm crash.
Component: Local Traffic Manager
Symptoms:
tmm may crash intermittently when there are cmp directed VIP (Virtual IP) to VIP traffic.
Conditions:
When CMP directed VIP to VIP traffic exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none.
Fix:
tmm should not crash on this condition any more
563475-1 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
Solution Article: K00301400
Component: TMOS
Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.
Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.
Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.
Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.
Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.
563443-3 : WebSSO plugin core dumps under very rare conditions.
Component: Access Policy Manager
Symptoms:
WebSSO plugin core dumps under very rare conditions.
Conditions:
This occurs rarely when the WebSSO plugin is enabled.
Impact:
WebSSO plugin core dumps.
Workaround:
None.
Fix:
This release fixes a rare core dump related to the Websso plugin.
563419-3 : IPv6 packets containing extended trailer are dropped
Component: Local Traffic Manager
Symptoms:
Some IPv6 packets are dropped
Conditions:
IPv6 packet contains trailing bytes after payload
Impact:
Packet loss
Fix:
IPv6 packets that exceed the size of the 'Payload Length' header will be trimmed and processed instead of being dropped.
563349-2 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established
Component: Access Policy Manager
Symptoms:
In some cases, user may not be able to browse to external or internal web sites, Because the proxy settings won't be used.
Conditions:
User's machine has local proxy settings configured
NA settings specify a proxy configuration
Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.
Workaround:
None
563227-4 : When a pool member goes down, persistence entries may vary among tmms
Solution Article: K31104342
Component: Local Traffic Manager
Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.
Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.
Impact:
Inconsistent persistence entries.
Workaround:
None.
Fix:
The race conditions that involved dropping an offline pool member have been resolved.
563154-3 : Multiple Linux Kernel vulnerabilities
Solution Article: K31026324 K94105604 K90230486
563135-2 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
Component: Access Policy Manager
Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.
Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request
Impact:
The first request after authentication will fail.
Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.
563064-5 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
Component: TMOS
Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.
Conditions:
Every time an IPsec tunnel is established and then removed will leave the allocated cipher memory in the system.
Impact:
Slowly leak TMM memory
Fix:
Cipher memory is freed when an IPsec tunnel is removed
562959-3 : In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
Component: TMOS
Symptoms:
In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
Conditions:
This occurs when there is some issue processing the packet going through IPsec tunnel.
Impact:
Tmm restart without core due to internal connection timeout.
Workaround:
None.
Fix:
IPsec now only sends packets intended for IPsec over the tunnel.
562921-2 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.
Conditions:
The value is hardcoded into the product.
Note: This is completely independent of the TMM profiles or the httpd cipher values.
Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.
Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.
Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"
562919-1 : TMM cores in renew lease timer handler
Component: Access Policy Manager
Symptoms:
TMM generates core.
Conditions:
All three following conditions have to be met for this to trigger :
1) Both IPv4 and IPv6 network access connection has to be enabled for the same network access resource.
2) IPv4 address have to be statically assigned.
3) IPv6 address have to be dynamically assigned from the leasepool.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Workaround 1) Use IPv4 only network access connection.
Workaround 2) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint addresses from IPv4 and IPv6 leasepool respectively.
Workaround 3) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint statically.
Fix:
TMM no longer cores in renew lease timer handler
562775-3 : Memory leak in iprepd
Component: Application Security Manager
Symptoms:
The IP reputation daemon (iprepd) has a small leak of around ~8 to ~16 bytes every 5 minutes.
Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.
Impact:
Memory increases slowly until the kernel out-of-memory kills the iprepd process.
Workaround:
None.
Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).
562566-3 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
Solution Article: K39483533
Component: Local Traffic Manager
Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.
Conditions:
Persistence is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.
Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.
Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim leaked memory.
Fix:
Persistence entries are no longer retained beyond their expiration.
562427 : Trust domain changes do not persist on reboot.
Component: TMOS
Symptoms:
Some earlier releases saved only the internal binary database for trust domain changes (generally, changes to device group objects and device objects), rather than saving the text-based authoritative configuration in '/config/bigip*.conf'.
Conditions:
This occurs when making changes to devices via the Device Management UI.
Impact:
Device Group configuration may not be correct after a reboot.
Workaround:
Explicitly run a command to save the configuration before rebooting devices.
Fix:
Trust domain changes do not persist on reboot.
562044-1 : Statistics slow_merge option does not work
Component: TMOS
Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.
Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.
Impact:
Statistics no longer appear to be updated.
Workaround:
1) Set "merged.method" to "fast_merge" which is the default.
-or-
2) Create the /var/tmstat/cluster directory using mkdir. Please note the directory must be created on every blade in a chassis. Additionally, this directory needs to be re-created after reboots, so something like "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup"
Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.
561814-4 : TMM Core on Multi-Blade Chassis
Component: TMOS
Symptoms:
TMM core.
Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The software defect has been found and fixed.
561798-3 : Windows edge client may show scripting error on certain 3rd party authentication sites
Component: Access Policy Manager
Symptoms:
User sees JavaScript error on third party IDP sites.
Conditions:
Windows Edge client is used
Access policy requires user to authenticate on a third party site
Impact:
Usability of Edge Client
Fix:
Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript.
561539-1 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★
Component: Global Traffic Manager (DNS)
Symptoms:
When upgrading from 10.x to 11.x Wide IP pool member ratio value is changed from 0 to 1.
Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0
2. Have a Wide IP pool member ratio set to 0.
Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.
Workaround:
Manually change ratio back to 0 after upgrade.
561433-6 : TMM Packets can be dropped indiscriminately while under DoS attack
Component: Advanced Firewall Manager
Symptoms:
When there is a loaded tmm that cannot consume packets fast enough, packets might be dropped while when AFM DoS flood mitigation is taking place.
Conditions:
-- Loaded tmm that cannot consume packets fast enough.
-- AFM DoS flood mitigation is taking place.
Impact:
Packets will be dropped indiscriminately.
Workaround:
None.
Fix:
There is now a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in hardware more aggressively. This will prevent other non-attack packets from being dropped indiscriminately.
561348-2 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
krb5.conf file is not in sync across all blades.
this may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.
Conditions:
When administrator made changes to krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes the changes to /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file either in Active Device or Standby device will be automatically synced to other device.
In Chassis, all the Secondary blades will mirror the file on the Primary blade. Any manual change done on the Secondary blade(s) will be lost. The admin has to do the changes on Primary blade only and it will be synchronized with all others blades.
Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.
When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.
560975-1 : iControl can remove hardware SSL keys while in use
Component: TMOS
Symptoms:
When deleting SSL keys via iControl it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile.
Conditions:
Using iControl to delete SSL key installed in hardware.
Impact:
Key is removed from HSM and must be reloaded.
Workaround:
Verify that keys are not in use before using iControl to delete them.
560948-3 : OpenSSL vulnerability CVE-2015-3195
Solution Article: K12824341
560910-3 : OpenSSL Vulnerability fix
Solution Article: K86772626
560748 : BIG-IQ discovery fails
Component: Application Security Manager
Symptoms:
After updating attack signatures, a Signature-system called "IBM WebSphere" may be created that does not contain a REST ID, and BIG-IQ will fail discovery.
If you look at the REST output for this item at https://bigip_address/mgmt/tm/asm/signature-systems/
and look for "IBM WebSphere", you will see that the id field is empty.
Conditions:
This can occur when updating attack signatures, and when using BIG-IQ discovery.
Impact:
BIG-IQ discovery fails.
Workaround:
On the affected device run the following:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"
Fix:
Fixed an issue with attack signature updates causing BIG-IQ discovery to fail.
560510-4 : Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.
Component: TMOS
Symptoms:
When MCPD is not in the running state, dhclient directly writes domain-name-server information into /etc/resolv.conf. If multiple domain-name-servers are given by DHCP server, they are written in the incorrect format with multiple domain-name-servers in a single line comma-separated. Each domain-name-servers entry should be written in a single line with "nameserver" prefix.
Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- DHCP server has provided multiple domain-name-server entries in the lease.
Impact:
Domain name resolution doesn't work.
Workaround:
Bring up MCPD which would write the resolv.conf in the correct format. Alternatively, user can manually modify /etc/resolv.conf to write multiple nameserver entry one per line.
Fix:
DHCP will now write a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.
560405-5 : Optional target IP address and port in the 'virtual' iRule API is not supported.
Component: Local Traffic Manager
Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to a another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.
Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.
Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.
Workaround:
None.
Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:
virtual [<name>] [<ipaddr> [<port>]]
where:
-- <name> = the name of the virtual server to redirect the connection from.
-- <ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also have a route-domain (%).
-- <port> = the port of the remote endpoint to route the connection to, through the specified virtual server.
560180-3 : BIND Vulnerability CVE-2015-8000
Solution Article: K34250741
560114-2 : Monpd is being affected by an I/O issue which makes some of its threads freeze
Component: Application Visibility and Reporting
Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T
Conditions:
A system I/O issue (maybe caused by /var/log being full).
Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.
Workaround:
Run the following:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd
560109-4 : Client capabilities failure
Solution Article: K19430431
559975-4 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
Component: Global Traffic Manager (DNS)
Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.
Conditions:
When an http monitor username or password is changed, e.g. shortened, then the HTTP basic auth string may be mangled.
Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.
Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.
Fix:
HTTP monitors will now correctly handle a username or password change.
559973-5 : Nitrox can hang on RSA verification
Component: Local Traffic Manager
Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. Errors in the ltm log show crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck
Conditions:
RSA verification with certain signatures.
Impact:
Nitrox crypto accelerator can hang.
Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.
559953-3 : tmm core on long DIAMETER::host value
Component: Service Provider
Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.
Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.
Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.
559939-3 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
Solution Article: K30040319
Component: TMOS
Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.
Conditions:
This affects only multi-blade chassis systems in Standalone mode.
Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.
Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.
Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.
559541-3 : ICAP anti virus tests are not initiated on XML with when should
Component: Application Security Manager
Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.
Conditions:
ICAP and XML profile are configured on the policy, the ICAP configured to inspect the XML.
The XML has sensitive data configured.
The XML request contained sensitive data.
The expectation was that XML with sensitive data would initiate ICAP tests.
Impact:
Virus tests will not be enabled on this request if the only reason for testing the ICAP was the existence of the sensitive XML data.
Fix:
ICAP tests are performed on XML with sensitive data.
559138-4 : Linux CLI VPN client fails to establish VPN connection on Ubuntu
Component: Access Policy Manager
Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.
Conditions:
CLI client used on Ubuntu to establish VPN connection.
Impact:
User cannot connect to VPN
Workaround:
Use web client.
Fix:
Fixed bug in certificate verification code.
559055 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
Component: Application Security Manager
Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
Conditions:
Learn New Parameters is set to "Add All Entities".
Impact:
Staging on wildcard parameter "*" remains unchanged.
Workaround:
Disable staging on wildcard parameter "*" manually.
Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
559034-3 : Mcpd core dump in the sync secondary during config sync
Component: TMOS
Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.
Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.
Impact:
mcpd will crash
Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such certificates.
Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.
558946-3 : TMM may core when APM is provisioned and access profile is attached to the virtual
Component: Access Policy Manager
Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.
Conditions:
This crash is most likely to occur when there are more than 1 ABORT events sent to a connection on a virtual with attached access profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
APM virtual server that can have multiple ABORTs events to a connection will no longer cause TMM to crash and restart.
558870-4 : Protected workspace does not work correctly with third party products
Solution Article: K12012384
Component: Access Policy Manager
Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.
Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.
Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.
Workaround:
There is no workaround.
Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.
558859 : Control insertion to log_session_details table by Access policy logging level.
Component: Access Policy Manager
Symptoms:
Session records are always written to log_session_details table upon new session creation, regardless of access log level.
Conditions:
New sessions created
Impact:
CPU hogged when large numbers of sessions are created within short time period
Fix:
Control insertion to log_session_details table by Access policy logging level.
558858-1 : Unexpected loss of communication between slots of a vCMP Guest
Solution Article: K80079953
Component: TMOS
Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.
2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).
3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.
Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.
Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.
Workaround:
Within the vCMP guest, login to the command line (vconsole or SSH) of the affected slot and run the following:
ifconfig eth1 down ; ifconfig eth1 up
Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
Fix:
This release no long exhibits loss of communication between slots of a vCMP Guest.
558779-5 : SNMP dot3 stats occassionally unavailable
Component: TMOS
Symptoms:
SNMP would not provide values for some dot3 stats.
Conditions:
Always under affected version
Impact:
SNMP would not provide values for some dot3 stats.
This is no impact actual traffic.
Workaround:
None
Fix:
The dot3 stats are now available.
558631-6 : APM Network Access VPN feature may leak memory
Solution Article: K81306414
Component: Access Policy Manager
Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.
Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.
Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.
Workaround:
No workaround short of not using the APM Network Access feature.
Fix:
The APM Network Access VPN feature no longer leaks memory.
558612-3 : System may fail when syncookie mode is activated
Component: Local Traffic Manager
Symptoms:
TMM may core when syncookie mode has been activated when under extreme memory pressure.
Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.
Impact:
tmm may core.
Workaround:
Use the default TCP profile for all L7 VIPs.
Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.
558602-2 : Active mode FTP data channel issue when using lasthop pool
Component: Local Traffic Manager
Symptoms:
The data channel for active mode FTP may fail.
Conditions:
Active mode FTP through a virtual with ftp profile with port set to zero and configured to use a lasthop pool.
Impact:
Active mode FTP does not work.
Workaround:
Use auto-lasthop instead of lasthop pool.
Use passive mode FTP.
Fix:
Active mode FTP now works correctly.
558573-3 : MCPD restart on secondary blade after updating Pool via GUI
Solution Article: K65352421
Component: TMOS
Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.
When this occurs, errors similar to the following will be logging from the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.
Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.
Impact:
Daemon restarts, disruption of traffic passing on secondary blades.
Workaround:
Perform pool updates via the tmsh command-line utility.
Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.
557783-3 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
Solution Article: K14147369
Component: Local Traffic Manager
Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).
Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).
Impact:
Traffic might fail as its egresses from a link-local address instead of a global address.
Workaround:
It might be possible to work around if the dynamic routing peer can announce the route from a global address instead of a link local.
Use of static routes might also work around the issue.
Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.
557645-1 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Component: Local Traffic Manager
Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.
Multiple devices in an HA configuration.
TMM incorrectly identifies which TMM should handle host connections from an HA peer.
The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.
Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.
Workaround:
None.
Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.
557281-3 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
Component: TMOS
Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts, it starts another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.
Conditions:
syslog-ng is stopped manually or sometimes (rarely) during a normal restart of syslog-ng.
Impact:
The audit_forwarder and mcpd processes consume excessive CPU.
Workaround:
Stop audit_forwarder manually (kill -9), once the orphaned audit_forwarder process is stopped, mcpd will return to normal CPU consumption.
Fix:
When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forward process no longer consumes increasing CPU.
557221 : Inbound ISP link load balancing will use pool members for only one ISP link per data center
Component: Global Traffic Manager (DNS)
Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.
Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0.
Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).
Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.
557144-1 : Dynamic route flapping may lead to tmm crash
Component: TMOS
Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.
Conditions:
Virtual Server configured with Dynamic Routing
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Flapping dynamic routes no longer trigger a tmm crash.
557062-3 : The BIG-IP ASM configuration fails to load after an upgrade.★
Component: Application Visibility and Reporting
Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version - (11.3 or 11.4) and upgrading to a version prior to 12.1.0.
Conditions:
Define scheduled report with 'predefined-report-name: '/Common/Top alerted URLs' on version 11.3 or 11.4 upgrade the version.
Impact:
Version upgrade fails (the BIG-IP system becomes unusable).
Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.
Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.
556774-1 : EdgeClient cannot connect through captive portal
Component: Access Policy Manager
Symptoms:
EdgeClient cannot connect through captive portal.
Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.
Impact:
No captive portal displayed to the user. EdgeClient UI shows he user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.
Workaround:
None.
Fix:
Install EdgeClient on a PC that connects to the APM through a captive portal now opens as expected.
556694-6 : DoS Whitelist IPv6 addresses may "overmatch"
Component: Advanced Firewall Manager
Symptoms:
When using the 8-entry "rich" DoS whitelist with IPv6 addresses, the HW matches only 32 bits of an incoming IPv6 address against the whitelist entry, meaning that if an incoming IPv6 address matches those 32 bits, the whitelist will result in "match", even if other bits of the IPv6 address do not match.
Note that the configuration can select which set of bits (there are 4 choices -- 127:96, 95:64, 63:32, 31:0) to match against, via the db.tunable dos.wlipv6addrsel.
Also, note that IPv4 matches are always perfect, and are not affected by this issue.
Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.
Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.
556597-3 : CertHelper may crash when performing Machine Cert Inspection
Component: Access Policy Manager
Symptoms:
CertHelper may crash while checking of machine certificate.
Conditions:
APM installed
Impact:
Authentication may fail.
Fix:
Fixed crash cause in CertHelper.
556560-1 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
Solution Article: K80741043
Component: Local Traffic Manager
Symptoms:
A DNS message may become malformed when its Additional records section contains an OPT record followed by multiple other DNS records.
As a result of this issue, you may encounter the following symptom:
The BIG-IP system receives properly formed DNS packets but after processing them sends them as malformed DNS packets.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP configuration contains a virtual server with an associated DNS profile.
-- The BIG-IP system receives a DNS message that contains an OPT record.
-- The DNS message's Additional records section contains multiple other DNS records.
Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.
The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.
The RFCs do not restrict a query from containing records in the additional record section of the message.
When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.
Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).
Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.
The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.
The subsequent code paths which depend on the OPT record's position now work as expected.
556383-2 : Multiple NSS Vulnerabilities
Solution Article: K31372672
556380-3 : mcpd can assert on active connection deletion
Component: TMOS
Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.
Conditions:
Removal of all peers while a connection is handling a transaction.
Impact:
MCPD asserts and restarts.
Workaround:
No workaround is necessary. MCPD restarts.
Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.
556284-3 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
Solution Article: K55622762
Component: TMOS
Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found
Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.
Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.
Workaround:
None.
Fix:
GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.
556277-4 : Config Sync error after hotfix installation (chroot failed rsync error)★
Component: TMOS
Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.
Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.
To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp.
If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.
Impact:
Sync of file objects might fail with an error similar to the following:
01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..
Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.
Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.
556252 : sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis
Component: TMOS
Symptoms:
The sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus OIDs read lower than expected given the traffic on the system. The values suddenly increase when a non-running blade is powered down.
Conditions:
This occurs on a chassis where one or more of the blades are not in the cluster, but are not powered down. The usage ratios and Npus stats treat the blades as if they are in the cluster, and are factored into the calculation, making them appear lower than they actually are because non-working blades are in the calculation.
Impact:
Misleading, confusing statistics
Workaround:
You can completely power down the blade and it will be removed from the statistics calculation.
Fix:
sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus are now calculated only against running blades.
556117-1 : client-ssl profile is case-sensitive when checking server_name extension
Component: Local Traffic Manager
Symptoms:
The client-ssl profile is Case-Sensitive when configuring server-name in the client-ssl profiles and checking server_name extension in the ClientHello Message.
Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.
Impact:
The system treats mixed upper-lower case server-name as different names which violate the RFC6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."
Workaround:
1. Configure only one client-ssl profile with same server-name.
2. Use only lower-case server-name when configure the client-ssl profile.
3. Use lower-case server-name in the Client side.
Fix:
The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.
556103-2 : Abnormally high CPU utilization for external monitors
Component: Local Traffic Manager
Symptoms:
High CPU utilization for external monitors that use SSL.
Conditions:
External monitor using SSL.
Impact:
Abnormally high CPU utilization.
Workaround:
None.
Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.
556088-2 : In a chassis system with APM provisioned mcpd daemon on secondary blade will restart.
Component: Access Policy Manager
Symptoms:
Uploading and installing an epsec/Opswat package on a chassis system will result in mcpd restart on the secondary blades.
Conditions:
Installing a new epsec package in a chassis system is the only condition under which this can happen.
Impact:
All daemons dependent on mcpd will restart
Fix:
Prevent validation of epsec package on secondary blades
555905-1 : sod health logging inconsistent when device removed from failover group or device trust
Component: TMOS
Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:
Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).
If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.
When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:
Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.
If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.
Conditions:
When a device is removed from a failover device group, or removed from a device trust.
Impact:
Inaccurate state reporting.
Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".
When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.
555686-2 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
Component: TMOS
Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceiver might cause an internal bus to hang.
Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.
Workaround:
None.
Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.
555549-2 : 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
Component: Local Traffic Manager
Symptoms:
The command to set the ltm note state to user-down fails to bring pool member state offline.
Running the command results in error messages similar to the following:
01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 1137
Conditions:
This occurs when running the command to set the ltm node state to user-down, for example: tmsh modify ltm node 10.10.10.10 state user-down.
Impact:
Session status fails to update for pool member.
Workaround:
None.
Fix:
The command to set the ltm node state to user-down now successfully brings pool member state offline.
555507-3 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
Solution Article: K88973987
Component: Access Policy Manager
Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.
Conditions:
This occurs when the following conditions are met:
1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.
Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.
Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.
Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:
The BIG-IP system is configured and used as a SAML Identity Provider.
Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user executed SAML webSSO profile.
555457-4 : Reboot is required, but not prompted after F5 Networks components have been uninstalled
Solution Article: K16415235
Component: Access Policy Manager
Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.
Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)
Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.
Impact:
End users cannot establish a VPN connection from Windows-based clients.
Workaround:
Reboot the affected Windows desktop.
Fix:
After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected.
555432-2 : Large configuration files may go missing on secondary blades
Component: Local Traffic Manager
Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).
Conditions:
This is only relevant on chassis.
Impact:
If the primary changes, then the configuration is at risk of being lost.
Workaround:
touch the relevant configuration file (usually bigip.conf) and the configuration file will reappear.
Fix:
bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.
555272-3 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★
Component: Access Policy Manager
Symptoms:
Previously, F5 Client components were signed using SHA1 certificate. SHA1 is now considered insecure and Windows will reject components signed using a SHA1 certificate after March 31st 2016.
To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.
The result of this change is that clients utilizing client components built prior to these versions:
Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF8 or earlier
Big-IP 11.5.4 (base release) or earlier
cannot Endpoint Security updates build 431 or greater.
If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:
Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later
Big-IP 11.5.4 HF1 or later
Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.
Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.
Workaround:
Upgrade BIG-IP to the correct version.
Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.
Fix:
Updated signing certificate to a sha256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Please note that upgrade to a HF in which client is signed using updated certificate is needed to install updated EPSEC releases. Please review the information carefully.
555057-1 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
Component: Application Security Manager
Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.
Conditions:
ASM REST is used to remove a signature set association from a policy.
DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>
Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.
Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.
Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'
Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.
555039-1 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
Solution Article: K24458124
Component: TMOS
Symptoms:
There is a high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop
Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.
Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.
Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.
Workaround:
None.
Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.
555006-1 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
Component: Application Security Manager
Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.
Conditions:
REST client is used to look at/filter the signatures collection (/mgmt/tm/asm/sigantures)
Impact:
Checking for updated signatures does not return the expected result.
Workaround:
None.
Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.
554993-1 : Profile Stats Not Updated After Standby Upgrade Followed By Failover
Component: Access Policy Manager
Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).
Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.
Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.
Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.
Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.
554977-1 : TMM might crash on failed SSL handshake
Solution Article: K64401960
Component: Local Traffic Manager
Symptoms:
SSL handshake failures may crash in ssl_verify().
Conditions:
Certain types of failed SSL handshakes in versions 11.5.0 through 11.5.4.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modifying serverssl cipher string to exclude ECDHE_RSA and ECDHE_ECDSA might help prevent the crash.
Fix:
This release fixes a TMM crash that might be encountered during the SSL handshake.
554967-2 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
Component: Local Traffic Manager
Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut/missing leading some resolvers to consider the packet malformed.
Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.
Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.
Workaround:
none
Fix:
Truncated DNSSEC or iRule DNS packets are RFC-compliant.
554774-3 : Persist lookup across services might fail to return a matching record when multiple records exist.
Component: Local Traffic Manager
Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.
Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.
Impact:
Connection routed to unexpected pool member.
Workaround:
None.
Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.
554761-4 : Unexpected handling of TCP timestamps under syncookie protection.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system experiences intermittent packet drops.
Despite being negotiated during TCP handshake, the BIG-IP system fails to present timestamp option in subsequent segments.
The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.
Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
Workaround:
Choose or create a TCP profile that has timestamps disabled.
Fix:
TCP Timestamps are now maintained on all negotiated flows.
554626 : Database logging truncates log values greater than 1024
Solution Article: K14263316
Component: Access Policy Manager
Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.
Conditions:
Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.
Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.
Workaround:
No workaround.
Fix:
This release handles large single log values.
554624-1 : NTP CVE-2015-5300 CVE-2015-7704
Solution Article: K10600056 K17566
554563-2 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
Component: TMOS
Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.
Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.
Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.
Workaround:
None.
Fix:
The Drops In interface statistics no longer includes Class of Service Queues (cosq) egress drop counts, which is correct behavior.
554340-2 : IPsec tunnels fail when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
When connection.vlankeyed db variable is disabled, if the data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels lands on tmm's other than tmm0, it will be dropped. The system establishes the IKEv2 tunnel but the data traffic will not be secured.
Conditions:
This issue is seen when the interesting data traffic lands on tmm's other than tmm0. The reason for this issue is due to incorrectly creating a flow on another TMM that is the owner of the outbound SA (IKEv2 tunnel).
Impact:
The system drops the data traffic to be secured using IPsec and connections fail.
Workaround:
Disable the cmp in the virtual server configuration.
Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.
554295-5 : CMP disabled flows are not properly mirrored
Component: Local Traffic Manager
Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.
Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.
Impact:
Mirroring does not work as expected on BIG-IP appliances.
Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.
Workaround:
Do not disable CMP on virtual servers that are mirrored.
Fix:
The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers.
Note: If CMP is disabled, hardware syn cookie must also be disabled for virtual servers to mirror connections. This is expected behavior.
554228-4 : OneConnect does not work when WEBSSO is enabled/configured.
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.
Conditions:
WEBSSO and OneConnect.
Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.
554074-3 : If the user cancels a connection attempt, there may be a delay in estabilshing the next connection.
Component: Access Policy Manager
Symptoms:
Clicking on connect button does not trigger start of VPN connection immediately.
Conditions:
User cancelled previous connection attempt
Impact:
User must wait for ten seconds before attempting to reconnect.
Workaround:
None
Fix:
Fixed code to trigger VPN connection immediately even when user clicked cancel before.
554041-4 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.
Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.
Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.
Workaround:
This issue has no workaround at this time.
Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.
553925-3 : Manual upgrade of Edge Client fails in some cases on Windows★
Component: Access Policy Manager
Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails and this message displays "Newer version of this product is already installed."
Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.
Impact:
Edge Client cannot be upgraded.
Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.
Fix:
Fixed installer package.
553902-3 : Multiple NTP Vulnerabilities
Solution Article: K17516
553795-3 : Differing certificate/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.
2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.
Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Delete the FIPS key by-handle on the peer system(s).
2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).
Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.
553688-3 : TMM can core due to memory corruption when using SPDY profile.
Component: Local Traffic Manager
Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.
Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release contains a fix that prevents a double free on error within the SPDY component.
553649 : The SNMP daemon might lock up and fail to respond to SNMP requests.
Component: TMOS
Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.
Conditions:
If the SNMP configuration on the BIG-IP changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.
Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.
Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.
Fix:
The SNMP daemon no longer locks up and become unresponsive when it is restarted.
553576-2 : Intermittent 'zero millivolt' reading from FND-850 PSU
Solution Article: K17356
Component: TMOS
Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'BIG-IPSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
Note that this condition may affect either PSU 1 or PSU 2.
Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.
Impact:
There is no impact; these error messages are benign.
Workaround:
None.
Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.
553454-3 : Mozilla NSS vulnerability CVE-2015-2730
Solution Article: K15955144
553330-2 : Unable to create a new document with SharePoint 2010
Component: Access Policy Manager
Symptoms:
VPN users are unable to create a new document with SharePoint 2010
An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx" is not valid
Conditions:
Create a new document using the"New Document button".
Impact:
User cannot create a new document with SharePoint 2010.
Workaround:
none
Fix:
You can create a new document with Microsoft SharePoint 2010.
553311-1 : Route pool configuration may cause TMM to produce a core file
Solution Article: K13710973
Component: Local Traffic Manager
Symptoms:
TMM might produce a core file and take the action defined in configuration.
Conditions:
Client-side route pool configuration that configures a route pool to route back and has auto lasthop disabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using any route at client side (using auto lasthop or lasthop pool).
Fix:
The tmm crash caused by the route pool configuration is fixed.
553174-2 : Unable to query admin IP via SNMP on VCMP guest
Component: TMOS
Symptoms:
The admin IP address is not returned via ipAdEntAddr.
Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.
Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.
Workaround:
none
Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.
553063-4 : Epsec version rolls back to previous version on a reboot
Component: Access Policy Manager
Symptoms:
If administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.
Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.
Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.
Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.
After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.
Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.
553037 : iOS Citrix Receiver web interface mode cannot launch the apps
Component: Access Policy Manager
Symptoms:
When a user clicks an app, a window displays with this message: "Cannot start the requested App. Select More info for further details."
Conditions:
An iOS Citrix Receiver in Web interface connection type and a BIG-IP system in Web interface configuration.
Impact:
Customer cannot launch app.
Workaround:
1. In the Citrix Receiver, you can use the native GUI with Access-Gateway Enterprise edition type with this URI:
https://<BIG-IP system virtual server FQDN>/
2. Define an LTM data-group with FQDN set to /config/<storename>/pnagent/config.xml
Fix:
LaunchICA get request to be passed through VDI.
552937-2 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
Component: Local Traffic Manager
Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.
Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.
Impact:
TMM core.
Workaround:
Add the close header to the HTTP::response, and the connection will be automatically closed.
Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.
552931-2 : Configuration fails to load if DNS Express Zone name contains an underscore
Component: Local Traffic Manager
Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.
Impact:
Cannot load the LTM configuration when restarting BIG-IP system when DNS Express Zones that have an underscore character in the name.
Workaround:
Force the GTM configuration to load by sequentially running the following commands:
tmsh load sys config gtm-only.
tmsh load sys config.
Fix:
All FQDNs may now contain underscore character. The BIG-IP system now correctly load configurations that contain DNS Express Zones with underscores in the name.
552865-5 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
Solution Article: K34035224
Component: Local Traffic Manager
Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.
Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.
Impact:
The handshake does not ignore the invalid signed certificate verify message, and handshake might fail. SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify message is valid, the handshake should ignore the Certificate Verify signature error and let the handshake continue.
Workaround:
None.
Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.
552532-3 : Oracle monitor fails with certain time zones.
Solution Article: K73453525
Component: Local Traffic Manager
Symptoms:
Occasionally, the OJDBC driver reads a time zone file that it cannot understand, which causes Oracle monitors to fail.
Conditions:
- The system uses ojdbc6.jar for Oracle monitor functionality.
- The UTC time zone is configured.
- Contents of the /usr/share/zoneinfo directory are arranged so that the 'UTC' file is not the first in the list. (Versions prior to 10.2.4 use the 1.4-compatible ojdbc14.jar driver. The objdbc6.jar OJDBC driver, as supplied by Oracle for Java 6 (aka 1.6) auto-detects the local system's time zone name by scanning and comparing files under /usr/share/zoneinfo. The filenames are created during installation, and seem to depend on the 'Directory Hash Seed' of the /usr filesystem, so there is no predictable result.)
Impact:
Cannot use direct Oracle monitoring to ensure the backend is functionally operational. OJDBC driver seems to negotiate the time zone for the session, and instead of 'UTC', it attempts to change the time zone to: 'Universal', 'Zulu', 'Etc/Universal', 'Etc/Zulu', which will cause the monitor to fail, and not execute the actual monitoring.
Note: Other time zones might be affected.For example, a similar issue might happen with the time zone set to GMT, which can become 'Greenwich' because of the same functionality.
Workaround:
Although there is no reliable workaround, reinstalling might resolve the issue, as may using another time zone.
Fix:
Oracle monitor functions now as expected with UTC and other time zones.
552498-2 : APMD basic authentication cookie domains are not processed correctly
Component: Access Policy Manager
Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.
Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.
Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.
Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.
Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.
552385 : Virtual servers using an SSL profile and two UDP profiles may not be accepted
Component: Local Traffic Manager
Symptoms:
Error message:
01070711:3: Found disallowed profile: Not Profile profile_clientssl
or
01070711:3: Found disallowed profile: Not Profile profile_serverssl
Conditions:
Create a virtual server with a client-ssl profile and/or a server-ssl profile and two different UDP profiles (one on the server side and one on the client side).
Impact:
When using either a client-ssl profile or a server-ssl profile, depending on the sort order of the UDP profiles, the configuration may not be accepted.
When using both a client-ssl profile and a server-ssl profile, the configuration is not accepted.
Workaround:
When using either a client-ssl profile or a server-ssl profile, either use a common UDP profile for both client and server side or try renaming one of the UDP profiles to alter the sort order.
When using both a client-ssl profile and a server-ssl profile, try using one UDP profile for both the client and server side.
Fix:
Virtual servers that utilize an SSL profile and a combination of UDP profiles are now accepted.
552352-3 : tmsh list display incorrectly for default values of gtm listener translate-address/translate-port
Solution Article: K18701002
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.
Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.
Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.
Workaround:
Use tmsh list with 'all-properties' instead.
Fix:
GTM Listener's translate-address and translate-port field are now always displayed in TMSH commands. This is because there are different defaults in GTM Listeners than the LTM virtual servers. When used with the TMSH merge command, the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge will always be handled appropriately.
552198-3 : APM App Tunnel/AM iSession Connection Memory Leak
Solution Article: K27590443
Component: Wan Optimization Manager
Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.
Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.
Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.
Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.
Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.
552151-1 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
Component: Local Traffic Manager
Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.
Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.
Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.
Workaround:
Disable compression if CPU usage is too high.
Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).
552139-3 : ASM limitation in the pattern matching matrix builtup
Solution Article: K61834804
Component: Application Security Manager
Symptoms:
The signature configuration is not building up upon adding new signatures. This can look like a configuration change is not finishing, or if it does, it may result in crashes when the Enforcer starts up resulting in constant startups.
Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.
Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).
Workaround:
Workarounds are possible only in a custom signature scenario, only using fewer signatures or by removing unused signatures.
Fix:
Fixed a limitation in the attack signature engine.
551927-3 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
Component: TMOS
Symptoms:
On ePVA capable platform with fastl4 profile and asymetric routing on client side, ltm sends packets to the client with wrong vlan/correct mac address (or correct vlan and wrong mac-address) and undecremented ttl.
Conditions:
fastl4 profile and asymetric routing on client side
Impact:
Return traffic could use the wrong vlan
Workaround:
none
Fix:
Use the nexthop VLAN for ePVA transformation for offloaded flow when available, instead of the incoming VLAN
551767-2 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats
Solution Article: K03432500
Component: Global Traffic Manager (DNS)
Symptoms:
GTM server 'Virtual Server Score' is not showing correct values in TMSH stats. Instead, stats shows zero value.
Conditions:
You have a virtual server configured with a non-zero score.
Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.
Workaround:
None.
Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.
551764-1 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
Solution Article: K14954742
Component: Access Policy Manager
Symptoms:
Successful execution of an Access Policy will result in the client receiving a HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression condition that occurs when the fix for bug 374067 is included.
Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with iRule command.
Impact:
Client receives an invalid response.
Workaround:
None.
Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.
551742-1 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
Component: TMOS
Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors due to unknown source. This bug mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated with the following message in the ltm log:
Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)
Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.
Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.
Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.
Fix:
A hardware parity error issue has been fixed.
551661-3 : Monitor with send/receive string containing double-quote may fail to load.
Component: TMOS
Symptoms:
When a monitor string contains contains \" (backslash double-quote) but does not contain a character that requires quoting, one level of escaping is lost at each save/load.
Note: Re-loading a config happens during licensing. If you decide to upgrade, first verify that you have an escaped quote in the monitor string. If you do, remove the re-licensing step from your MOP (Method of Procedure). The failure message for reloading the license with an escaped quote appears similar to the following example:
Monitor monitor_1 parameter contains unescaped " escape with backslash.
Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.
Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.
Fix:
If the monitor send-recv strings contain a double-quote ", character, the system now adds quotes to the input.
If a configuration contains '/"', does not reload the license before upgrade.
551481-4 : 'tmsh show net cmetrics' reports bandwidth = 0
Component: TMOS
Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0
Conditions:
tcp profile enables cmetrics-cache.
connection involves at least 4 rtt updates.
Impact:
User cannot view cmetrics data.
Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule. For earlier versions, there is no workaround.
Fix:
Properly compute bandwidth with the formula cwnd/rtt.
551349-1 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
Solution Article: K80203854
Component: TMOS
Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.
Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)
Impact:
Monitors appears to function normally but they will have the wrong format in the config file.
Workaround:
None.
Fix:
Determine if non-explicit (*) address is ipv4 or ipv6 based on next character to be parsed.
551287-3 : Multiple LibTIFF vulnerabilities
Solution Article: K16715
551260-3 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML Service Provider, and IdP-Connectors Single Sign On Service URL contains ampersand (&),
part of the URL may be truncated when user is redirected to IdP for authentication.
Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO
Impact:
The query part of the redirect URL after ampersand will be lost when user is redirected to SSO URL with Authentication Request.
Fix:
Redirect URL is no longer truncated after ampersand sign.
551208-3 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: TMOS
Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
551189-2 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data
Component: Local Traffic Manager
Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).
Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.
Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield to an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.
Workaround:
None.
551010-3 : Crash on unexpected WAM storage queue state
Component: WebAccelerator
Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.
Conditions:
WAM configured on virtual with request queuing enabled
Impact:
Crash
Workaround:
none
Fix:
Gracefully recover from unexpected WAM storage queue state
550782-2 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
Component: Local Traffic Manager
Symptoms:
RRSIG present when not asked for, and RRSIG and AD drop from response upon expiration from the cache.
Conditions:
If standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP which in turn contains a wideip in a signed zone
Impact:
RRSIG present when not asked for, and RRSIG and AD drop from response upon expiration from the cache
Workaround:
N/A
Fix:
Update message encoding to depend on client DO bit.
550694 : LCD display stops updating and Status LED turns/blinks Amber
Solution Article: K60222549
Component: TMOS
Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.
Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.
Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.
Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410.
Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.
Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.
550689-3 : Resolver H.ROOT-SERVERS.NET Address Change
Component: Local Traffic Manager
Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details http://h.root-servers.org/renumber.html
Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.
Impact:
Incorrect address for a root-server means no response to that query.
Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.
Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).
For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.
550596-2 : RESOLV::lookup iRule command vulnerability CVE-2016-6876
Solution Article: K52638558
550536-4 : Incorrect information/text (in French) is displayed when the Edge Client is launched
Component: Access Policy Manager
Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.
Conditions:
Edge client is used in French locale.
Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.
Workaround:
None.
Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.
550434-4 : Diameter connection may stall if server closes connection before CER/CEA handshake completes
Component: Service Provider
Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.
Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.
Impact:
Connection stalls until handshake timeout and then it is reset.
Workaround:
none
Fix:
Serverside diameter connections will be immediately reset if FIN is received before CEA (Capabilities-Exchange-Answer).
549971-3 : Some changes to virtual servers' profile lists may cause secondary blades to restart
Component: TMOS
Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.
Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.
Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.
Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.
Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.
549868-2 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.
Solution Article: K48629034
Component: Local Traffic Manager
Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.
Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).
Impact:
The links might not come up.
Workaround:
Toggling the SFP+ interfaces reportedly usually restores link.
Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.
549588-3 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
Component: Access Policy Manager
Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.
Conditions:
This occurs when using access management such as Oracle Access Manager, when an authentication request is redirected to IDP (redirect URL is present) with cookies present, memory can grow unbounded.
Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.
Workaround:
No Workaround
Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.
549543-2 : DSR rejects return traffic for monitoring the server
Solution Article: K37436054
Component: TMOS
Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.
Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.
Impact:
Monitor traffic gets lost, and server pool is marked down.
Workaround:
None.
Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.
549406-3 : Destination route-domain specified in the SOCKS profile
Solution Article: K63010180
Component: Local Traffic Manager
Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.
Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).
Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.
Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.
Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.
549329-2 : L7 mirrored ACK from standby to active box can cause tmm core on active
Solution Article: K02020031
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby configuration setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
549086-3 : Windows 10 is not detected when Firefox is used
Component: Access Policy Manager
Symptoms:
Windows 10 is not detected when the Firefox browser is used.
Conditions:
Windows 10 and Firefox (at least versions 40 and 41).
Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.
Workaround:
There is no workaround.
Fix:
Now Windows 10 is properly detected with the Firefox browser.
549023 : warning: Failed to find EUDs★
Component: TMOS
Symptoms:
There are normal circumstances where the system does not yet have a diagnostics package installed. Even though it is normal, a warning log message is emitted for this condition.
Conditions:
This occurs on newly formatted installations prior to version 11.5.4.
Impact:
Even though this is logged at the warning level, lack of an EUD can indicate a normal condition on new installations.
Workaround:
ignore the warning
Fix:
If the system cannot find the EUD it will now be logged at the info level.
548680-3 : TMM may core when reconfiguring iApps that make use of iRules with procedures.
Component: Local Traffic Manager
Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.
Conditions:
During the reconfiguration of more than one iApp by switching templates, prior and new templates to contain iRules with procedures of the same name.
After the second or later reconfiguration TMM may core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.
Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.
548583-5 : TMM crashes on standby device with re-mirrored SIP monitor flows.
Component: Local Traffic Manager
Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.
Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.
Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.
Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.
Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.
548563-3 : Transparent Cache Messages Only Updated with DO-bit True
Component: Local Traffic Manager
Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.
Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.
Impact:
When the DO-bit TRUE's cached message TTL expires, the general impact is DO-bit FALSE queries will be proxied until the message cache is updated with DO-bit TRUE.
Workaround:
None.
Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.
548385-1 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
Solution Article: K25231211
Component: TMOS
Symptoms:
If the active folder is not same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query result returns incorrect results.
Conditions:
This occurs when iControl calls that query key/cert from parent folder, and the name is missing the extension.
Impact:
The query result returns incorrect results.
Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.
Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from parent folder, now return correct results.
548268-3 : Disabling an interface on a blade does not change media to NONE
Component: TMOS
Symptoms:
When an interface on a blade in a chassis is disabled, it's media does not get reported as NONE and the link on the other end stays UP.
Conditions:
Disabling an interface on a blade within a chassis.
Impact:
Media on the disabled interface is not reported as NONE and link on partner end is UP.
Workaround:
none
Fix:
fixed
548053-1 : User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
Solution Article: K33462128
Component: TMOS
Symptoms:
User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
Conditions:
Users with a role of Application Editor.
Impact:
Cannot modify 'Description' field using the GUI.
Workaround:
User with 'Application Editor' roles can modify 'Description' fields using tmsh.
Fix:
User with 'Application Editor' role can now modify 'Description' field using the GUI.
547942 : SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
Component: TMOS
Symptoms:
An SNMP query response for ipAdEntAddr would sometimes return floating IPs rather than local IPs. This was due to the supporting software returning the first found IP address for a given vlan.
Conditions:
Problem started after upgrading to v11.5.1 Eng-HF7, from v10.2.4.
The same problem can happen on freshly installed 11.5.x as well.
Impact:
No impact to BIG-IP services, but the returned information to the SNMP query is sometimes incorrect.
Workaround:
None.
547815-2 : Potential DNS Transparent Cache Memory Leak
Solution Article: K57983796
Component: Local Traffic Manager
Symptoms:
When a transparent cache is populated with messages where the DNSSEC OK-bit is true, and a query with that bit true, arrives at or after the expiration of the message TTL, the system leaks all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.
Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.
Impact:
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.
Workaround:
Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.
Fix:
This release fixes a potential DNS transparent cache memory leak.
547732-3 : TMM may core on using SSL::disable on an already established serverside connection
Component: Local Traffic Manager
Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.
Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.
Fix:
TMM no longer cores on using SSL::disable on an already established serverside connection, it will now log a warning Connection error: hud_ssl_handler:605: disable profile (80)
547537-4 : TMM core due to iSession tunnel assertion failure
Component: Wan Optimization Manager
Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.
Conditions:
Deduplication endpoint recovery occurs on a BIG-IP that has duplication is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
An iSession tunnel initialization defect has been corrected.
547532-6 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
Component: TMOS
Symptoms:
Error messages similar to this are present in the ltm log:
-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
Conditions:
A chassis-based system with multiple blades. This can occur a few different ways:
- A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.
Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.
Workaround:
There are two possible workarounds:
-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.
-- Do not use monitors from other partitions where the default route domain is different.
Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.
547047-1 : Older cli-tools unsupported by AWS
Solution Article: K31076445
Component: TMOS
Symptoms:
Older EC2 tools stopped working in some AWS regions.
Conditions:
This can happen in some AWS regions.
Impact:
BIG-IP high availability configurations may stop working in some AWS regions.
Workaround:
None.
Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.
547000-3 : Enforcer application might crash on XML traffic when out of memory
Solution Article: K47219203
Component: Application Security Manager
Symptoms:
Enforcer application might crash on XML traffic when out of memory.
Conditions:
This occurs when the system is out of memory.
Impact:
The BIG-IP system might temporarily fail to process traffic.
Workaround:
None.
Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.
546747-4 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
Solution Article: K72042050
Component: Local Traffic Manager
Symptoms:
Sometimes BIG-IP system responds with a fatal-handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.
If SSL debug logging is enabled, the system logs an error such as the following:
01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).
Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.
Conditions:
This occurs when a SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.
Impact:
SSL connections fail to complete with a handshake failure.
Workaround:
No workaround.
Fix:
SSL handshakes no longer fails to complete when the ClientHello is split across multiple TCP segments, and the last segment is relatively small.
546640-1 : tmsh show gtm persist <filter option> does not filter correctly
Component: Global Traffic Manager (DNS)
Symptoms:
Following commands fail to return results even if there are matching records:
# tmsh show gtm persist level wideip
# tmsh show gtm persist target-type pool-member
Conditions:
This only happens when running the tmsh commands listed in the Symptoms.
Impact:
It is not possible to get a granular detail for persist stats.
Workaround:
Use GUI.
Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.
546410-1 : Configuration may fail to load when upgrading from version 10.x.★
Solution Article: K02151433
Component: TMOS
Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.
Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.
Impact:
Configuration fails to load.
Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.
Fix:
10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.
546260-1 : TMM can crash if using the v6rd profile
Component: TMOS
Symptoms:
TMM might crash intermittently when traffic is sent through v6rd profile-configured tunnels.
Conditions:
Specific conditions required for encountering this issue are not well understood.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed root cause of TMM core related to the v6rd profile, so this issue no longer occurs.
546080-4 : Path sanitization for iControl REST worker
Solution Article: K99998454
545821 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
Component: Local Traffic Manager
Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.
Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.
Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.
Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.
Fix:
Once the TCP connection reaches established state, the idle timeout is set to the value found in the associated profile. By default the profile timeout value is 300 seconds.
545786-2 : Privilege escalation vulnerability CVE-2015-7393
Solution Article: K75136237
545762-1 : CVE-2015-7394
Solution Article: K17407
545745-3 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.
Component: TMOS
Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.
Conditions:
Must have an accelerator device, and enable tmm.verbose logging.
Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.
Workaround:
Ignore the lines with format similar to the following:
en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000
Fix:
The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging on hardware accelerated devices.
545704-3 : TMM might core when using HTTP::header in a serverside event
Component: Local Traffic Manager
Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in a HTTP_REQUEST_SEND serverside event.
Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.
Impact:
The command might either return invalid value or lead to a condition where TMM might core.
Workaround:
Use the {clientside} Tcl command to execute on the client side.
Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.
Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.
545450-2 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
545263-2 : Add SSL maximum aggregate active handshakes per profile and per global
Component: Local Traffic Manager
Symptoms:
There is no limit to the number of active SSL handshakes on one BIG-IP system. With many calls, memory can be exhausted and cause system problems.
Conditions:
When the BIG-IP system has too many active SSL handshakes.
Impact:
The memory and/or CPU can be exhausted.
Workaround:
None.
Fix:
Added limitation for active SSL handshakes to prevent CPU and memory exhaustion. There is a new db variable 'tmm.ssl.maxactivehandshakes' that limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.
Behavior Change:
There is a new db variable 'tmm.ssl.maxactivehandshakes', which limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.
544992-2 : Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)
Component: Access Policy Manager
Symptoms:
Changes to the profiles that are assigned to a virtual server are ignored if the /Common/remotedesktop and /Common/vdi profiles are already assigned to it. Some iApps that F5 provides to create Citrix or VMware View configurations assign those profiles to a virtual server.
Conditions:
/Common/remotedesktop and /Common/vdi profiles are assigned to a virtual server.
Impact:
Changes to the profiles assigned to a virtual server (adding a new new profile, deleting a profile, changing existing profiles) have no effect until either of these occurs: The /Common/vdi profile is removed from the virtual server or tmm is restarted.
Workaround:
Use tmsh to remove /Common/vdi from the profiles for the virtual server.
(There is no option in the GUI that allows you to do this.)
Fix:
The /Common/remotedesktop and /Common/vdi profiles can be assigned to a virtual server without affecting other profiles.
544980-1 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
Component: TMOS
Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.
Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.
Impact:
Not enough space in /var.
Workaround:
In the current volume:
1. Modify global_attributes file.
* The global_attributes file is located at /shared/.tmi_config, so modify global_attributes file by using vi command.
From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
2. Install version.
3. Modify global_attributes file to back original value.
4. Switchboot to newly installed volume.
5. To change /var to 3 GB and from tmsh, run the following command:
modify /sys disk directory /var new-size 3145728
6. Reboot.
Fix:
BIG-IP Virtual Edition now has 3GB of disk space for the /var software partition when deploying from OVA for the Better or Best license bundle
544913-2 : tmm core while logging from TMM during failover
Solution Article: K17322
Component: TMOS
Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.
Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.
Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.
Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.
Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.
544831 : ASM REST: PATCH to custom signature set's attackTypeReference are ignored
Component: Application Security Manager
Symptoms:
When trying to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>), the PATCH call completes successfully, but the change never occurred.
Conditions:
Using the REST API, a user tries to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>)
Impact:
The PATCH call completes successfully, but the change never occurred. This may result in the Signature Set not containing the expected signatures.
Workaround:
The bug only exists via the REST API, the GUI can be used to change this value.
Fix:
The attackTypeReference field is now correctly updated using a REST PATCH.
544481-4 : IPSEC Tunnel fails for more than one minute randomly.
Component: TMOS
Symptoms:
IPsec IKEv1: DPD ACK may be dropped when excessive DPD message exchange. This causes the IPsec tunnel to fail.
Conditions:
Excessive DPD message exchange.
Impact:
Connection resets.
Workaround:
None.
Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.
544375-2 : Unable to load certificate/key pair
Component: Local Traffic Manager
Symptoms:
After creating SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with profile name. Unable to connect to virtual with SSL profile.
Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.
Impact:
Unable to load certificate.
Workaround:
None.
Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.
544325-2 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
Solution Article: K83161025
Component: Local Traffic Manager
Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:
-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.
Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.
Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').
Workaround:
None.
Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.
Behavior Change:
In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP packet containing the 'administratively filtered' type code for the same scenario.
In this hotfix/release, the 11.2.1 behavior is restored. In this case, the system responds with an ICMP packet containing the type code set to 'port unreach'.
544028-3 : Verified Accept counter 'verified_accept_connections' might underflow.
Solution Article: K21131221
Component: Local Traffic Manager
Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.
Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.
Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.
Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.
Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.
543993-4 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles
Component: Local Traffic Manager
Symptoms:
Serverside connection does not detach when using OneConnect profile
Conditions:
An HTTP/1.1 response without Content-Length header is received in response to an HTTP/1.0 HEAD request
Impact:
HTTP requests on the same connection are not LB'ed across pool members.
Workaround:
Remove OneConnect profile
Fix:
Ensure serverside detachment when handling HTTP responses to HEAD requests.
543220-3 : Global traffic statistics does not include PVA statistics
Solution Article: K12153351
Component: Local Traffic Manager
Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.
Conditions:
Hardware acceleration enabled.
Impact:
Statistics discrepancy in global traffic statistics.
Workaround:
None.
Fix:
Global traffic statistics now includes the correct PVA statistics in the GUI and in TMSH.
542898 : Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
Component: TMOS
Symptoms:
After installing a new Virtual Edition software instance and booting into it, disk partition /var shows 100%
Conditions:
Virtual Edition only
Impact:
System is generally un-usable; applications cannot operate without space in /var.
Workaround:
1) reboot into the previous software location
2) delete the new software location that is non-functional
3) remove this file:
/shared/.tmi_config/global_attributes
4) install the new software again.
Fix:
after applying the fix, subsequent operations that install new software will size the /var filesystem appropriately.
542860-5 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
Component: TMOS
Symptoms:
TMM can crash when IPsec SA's are deleted using TMSH or racoonctl utility during HA Active to Standby or vice versa.
Conditions:
During the HA Active to standby or vice versa event, Use of TMSH or racoonctl utility to delete IPsec SA's can cause TMM crash. This is a race condition and can occur rarely.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running TMSH command or racoonctl utility to delete IPsec SA's during HA Active to Standby or vice versa event does not result in TMM crash and IPsec SA's will be deleted as per the request.
542742-3 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
Solution Article: K07038540
Component: TMOS
Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
Conditions:
Querying the OIDs.
Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.
Workaround:
There is no known workaround.
Fix:
SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542654 : bigd may experience a heartbeat failure when tcp-half-open monitors are used
Solution Article: K52195938
Component: Local Traffic Manager
Symptoms:
bigd generates a core file and restarts. The system writes a message to /var/log/ltm that is similar to the following: notice sod[6504]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.
Conditions:
tcp-half-open monitors are in use.
Impact:
bigd restarts and there is an interruption in monitoring.
Workaround:
There is no workaround, but this has been seen extremely rarely.
542511-1 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs
Solution Article: K97242554
Component: Application Security Manager
Symptoms:
'Unhandled keyword ()' error message may appear in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
In the case of learning manager, it causes a crash of the latter. Learning manager process is then restarted ~15 seconds later.
Conditions:
ASM provisioned.
Session Awareness Tracking is enabled.
Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log.
Learning manager process restart.
Workaround:
None.
Fix:
Learning manager now handles the 'Unhandled keyword ()' exception in a graceful manner and does not crash.
542320 : no login name may appear when running ssh commands through management port
Component: TMOS
Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"
Conditions:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"
Impact:
Display issue
Fix:
Properly display login name
542314-7 : TCP vulnerability - CVE-2015-8099
Solution Article: K35358312
542097-6 : Update to RHEL6 kernel
Component: TMOS
Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic
Conditions:
Running RHEL6 kernel under heavy disk load, more likely on a vCMP host
Impact:
Unexpected machine reboot causing loss of service
Workaround:
None.
Fix:
Redhat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:
jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()
542009-3 : tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
Solution Article: K01162427
Component: Local Traffic Manager
Symptoms:
tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. You might notice the following in /var/log/ltm prior to the core:
notice MPI stream: connection to node nodedadress expired for reason: Internal error (bad magic) (mpi_proxy.c:664)
Conditions:
This is an internal condition related to TMMs passing messages between each other. The cause of the invalid internal message is unknown.
Impact:
tmm might loop, using 100% of CPU, and eventually get killed by sod.
Workaround:
None.
Fix:
tmm no longer loops and gets killed by sod when the system tries to process an invalid MPI message.
541622-3 : APD/APMD Crashes While Verifying CAPTCHA
Component: Access Policy Manager
Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA
Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.
Impact:
Authentication service will be disrupted until APD/APMD is up again.
Fix:
Create one cURL session for each user session that requires CAPTCHA verification
541549-3 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
Component: TMOS
Symptoms:
The default settings of an AMI is not to delete an attached volume of an instance when the instance is terminated. This results in extra effort to delete a volume manually after terminating the instance. If not done always, the orphaned volume causes extra bills.
Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.
Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.
Workaround:
None.
Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
541316-5 : Unexpected transition from Forced Offline to Standby to Active
Solution Article: K41175594
Component: TMOS
Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.
Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.
Impact:
System may unexpectedly go Active after a reboot.
Workaround:
None.
Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.
541231-1 : Resolution of multiple curl vulnerabilities
Solution Article: K16704 K16707
541156-3 : Network Access clients experience delays when resolving a host
Component: Access Policy Manager
Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.
Conditions:
Network Access with the DNS Relay Proxy configured
A client machine has multiple NICs
One of the NICs has an invalid or down DNS server configured
Client attempts to resolve a host not matching the Network Access policy
Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.
Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.
Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.
541134-3 : HTTP/HTTPS monitors transmit unexpected data to monitored node.
Solution Article: K51114681
Component: Local Traffic Manager
Symptoms:
HTTP/HTTPS) monitors send unexpected data (crlfcrlf) after completion of TCP and/or SSL handshake.
Conditions:
HTTP/HTTPS monitor with a send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake(+SSL handshake) and then close the connection without sending any data.
Impact:
A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (crlfcrlf), after completing the handshake. This is ignored by the monitored node, which might cause it to be marked down.
Workaround:
None.
Fix:
HTTP/HTTPS monitor no longer transmits any L7 data when send attribute is set to 'none'.
541126-1 : Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed
Component: Local Traffic Manager
Symptoms:
netHSM usage may fail for Safenet users with error message in the ltm log similar to the following:
warning tmm1[11930]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:9678: sign_srvkeyxchg (80).
info tmm1[11930]: 01260013:6: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
warning pkcs11d[12005]: 01680022:4: Crypto operation [2] failed.
crit tmm1[11930]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 56 status: 0x1 : Cancel.
Conditions:
This may happen for any of the following conditions:
-- Restart pkcs11d without starting tmm immediately after.
-- Network connection between the BIG-IP and HSM is interrupted and then restored.
-- HSM is rebooted without being followed by a restart to pkcs11d and tmm.
Impact:
SSL handshake failure with a message similar to the following:
SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
Workaround:
For Safenet, always restart tmm after restarting pkcs11d. To do so, run the following commands:
bigstart restart pkcs11d
bigstart restart tmm
When the networking to HSM is restored or after a HSM reboot, always run the following commands:
bigstart restart pkcs11d
bigstart restart tmm
Fix:
After restarting pkcs11d, Safenet connections no longer fails with the message 'cannot locate key'.
540996-4 : Monitors with a send attribute set to 'none' are lost on save
Component: TMOS
Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.
Impact:
Monitor may send unexpected string.
Workaround:
None.
Fix:
Monitor send, recv, and recv-disable attributes now retains a 'none' value on configuration save.
540893-3 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
Component: Local Traffic Manager
Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.
Conditions:
-- Fast Flow Forwarding is enabled.
-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.
Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.
Workaround:
Set db variable tmm.ffwd.enable = false.
Doing this may modestly reduce peak performance on CPU bound loads.
Fix:
Fixed occasional RST in response to valid syncookie ACKs when under uneven load.
540849-4 : BIND vulnerability CVE-2015-5986
Solution Article: K17227
540846-4 : BIND vulnerability CVE-2015-5722
Solution Article: K17181
540778 : Multiple SIGSEGV with core and failover with no logged indicator
Component: Access Policy Manager
Symptoms:
A multimodule HA pair under high load fails over.
Conditions:
This can occur with multiple modules configured (AFM, ASM, APM, GTM, LTM) and high concurrent load.
Impact:
Instability in HA.
Workaround:
None.
Fix:
Fix to free memory with same length as used for alloc using umem_alloc.
540767-1 : SNMP vulnerability CVE-2015-5621
Solution Article: K17378
540638 : GUI Device Management Overview to display device_trust_group
Component: TMOS
Symptoms:
The Device Management Overview page is displaying a blank page in the Device Groups panel.
Conditions:
No special condition is required.
Impact:
The Device Management Overview page does not display any information. This might be especially confusing when devices are not in sync.
Workaround:
None.
Fix:
Device Management Overview page now displays the device and device group details in the Device Groups panel.
540576-2 : big3d may fail to install on systems configured with an SSH banner
Solution Article: K29095826
Component: Global Traffic Manager (DNS)
Symptoms:
When a BIG-IP system is configured to display a banner at SSH login, big3d_install may be unable to update the big3d daemon on that device.
Conditions:
sshd banner enabled.
Impact:
big3d_install fails to install big3d on the target remote BIG-IP system.
Workaround:
1. Disable the SSH banner on the target device:
tmsh modify /sys sshd banner disabled.
2. Add the target:
bigip_add target_name.
3. Re-enable the SSH banner:
tmsh modify /sys sshd banner enabled.
Fix:
big3d now installs correctly on systems configured with an SSH banner.
540571-4 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured
Component: Carrier-Grade NAT
Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.
Conditions:
- CGNAT enabled and LSN pools configured on active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are two workarounds: -- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network. -- Prevent traffic from using that destination in the iRule.
Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.
540568-4 : TMM core due to SIGSEGV
Component: Local Traffic Manager
Symptoms:
TMM may core due to a SIGSEGV.
Conditions:
Occurs rarely. Specific conditions unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed an intermittent tmm core related to Bug 540571.
540484-4 : "show sys pptp-call-info" command can cause tmm crash
Solution Article: K04005785
Component: Carrier-Grade NAT
Symptoms:
Core when "show sys pptp-call-info" is called.
Conditions:
On BIG-IP with fastl4 virtual server forwarding PPTP GRE traffic, TMSH "show sys pptp-call-info" command can cause crash in TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not issue "show sys pptp-call-info" command on BIG-IP forwarding PPTP GRE traffic.
Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.
540473-5 : peer/clientside/serverside script with parking command may cause tmm to core.
Component: Local Traffic Manager
Symptoms:
When the peer/clientside/serverside iRule contains parking commands, or in NTLM profiles (which utilize parking commands), tmm might core upon connection reuse.
Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.
2. The connection is reused. This might occur in OneConnect configurations, for example.
In configurations that do not have parking iRule commands, this issue might also occur when the NTLM profile is in use, as the NTLM profile also utilizes parking. Note: The NTLM profile might be deployed automatically if you are using a SharePoint iApp.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use parking commands in cases where the system might reuse the connection. If the issue occurs with the NTLM profile, do not use the NTLM profile, if possible.
Fix:
When the peer/clientside/serverside iRule contains parking commands, or when using NTLM profiles that utilize parking commands, tmm no longer cores upon connection reuse.
540424-1 : ASM REST: DESC modifier for $orderby option does not affect results
Component: Application Security Manager
Symptoms:
Collections returned from the REST API can be sorted by a field from the $orderby ODATA parameter. The default sort order is ascending, but it is meant to allow a "DESC" modified to sort in descending order. The "DESC" modifier has no effect on the sort order.
Conditions:
ASM REST API is used to retrieve a collection with the elements sorted by a field's value in descending order.
Impact:
The collection is always returned in ascending sort order even if it descending order was requested.
Workaround:
None.
Fix:
The DESC operator is now honored for the $orderby ODATA parameter on ASM REST API requests.
540390-1 : ASM REST: Attack Signature Update cannot roll back to older attack signatures
Component: Application Security Manager
Symptoms:
There is no way to roll back to an older attack signature update using the REST interface
Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and an older version than the currently installed file is desired to be installed.
Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP
Workaround:
The GUI can be used to roll back to an earlier version
Fix:
The REST API now includes support for the "allowOlderTimestamp" field to the update-signatures task in order to allow rolling back to an older attack signature update using the REST interface.
POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
"allowOlderTimestamp": true,
<Rest of body as usual>
}
540213-4 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
Component: Local Traffic Manager
Symptoms:
When a secondary blade's mcpd starts up, it may continually restart, failing to load, when the primary blade has a certain configuration. The easiest way to reproduce this is to insert a new blade into an existing running cluster.
This will happen when a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default).
It is not possible to create such self IPs unless the DB variable is first enabled, the object is created, and then the DB variable is disabled.
In certain scenarios a secondary blade mcpd may go into a restart loop when receiving the configuration from the primary blade if ipv4 link local SelfIP addresses are in use enabled by DBKey config.allow.rfc3927.
Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).
Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.
Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.
Fix:
When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.
540174-2 : CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html
Solution Article: K17307 K17309
540018-3 : Multiple Linux Kernel Vulnerabilities
Solution Article: K16429 K15685 K15912
539923-2 : BIG-IP APM access logs vulnerability CVE-2016-1497
Solution Article: K31925518
539832-2 : Zebos: extended community attributes are exchanged incorrectly in BGP updates.
Component: TMOS
Symptoms:
1. BGP is not sending extended community attributes in BGP Updates to its neighbors in versions prior to 11.6.0.
2. BGP is unable to accept new BGP UPDATE messages that contain extended communities from its neighbors in version 11.6.0 and later.
3. On the sending neighbor, the route-map is reapplied to the prefix every time the connection is torn down by the neighbor, resulting in an ever increasing extended community list.
Conditions:
Configure BGP extended community attribute.
Impact:
Loss of/incorrect info related to extended community attribute.
Workaround:
None.
Fix:
The BGP extended community attributes now work as expected.
539822-1 : tmm may leak connflow and memory on vCMP guest.
Component: TMOS
Symptoms:
tmm may leak connflow and memory on vCMP guests.
Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.
Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.
Workaround:
Provision more than one tmm.
Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.
539784-2 : HA daemon_heartbeat mcpd fails on load sys config
Component: TMOS
Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.
Conditions:
iRules must be present in the configuration that the system is loading.
Impact:
MCPd restarts.
Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.
Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.
539466-3 : Cannot use self-link URI in iControl REST calls with gtm topology
Component: Global Traffic Manager (DNS)
Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.
Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.
Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".
Workaround:
Do not use the self-link in iControl REST commands with gtm topology.
Fix:
You can now use self-link URI in gtm topology-related iControl REST commands.
Be sure to format the gtm topology OID string using the following rules:
1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.
For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC"
539270-2 : A specific NTLM client fails to authenticate with BIG-IP
Component: Access Policy Manager
Symptoms:
Specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP as it sends a particular NTLMSSP_NEGOTIATE which BIG-IP was not able to parse properly and throws an error. This effectively stops the authentication process, and this particular client never completes the authentication.
Conditions:
Specific NTLM client. It is not clear whether this issues affect a particular version of Android Lync 2013 or a particular Android version.
Impact:
Cannot complete the authentication, hence, not allowed to access protected resources.
Workaround:
No workaround exists for the affected clients.
Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.
539229-4 : EAM core while using Oracle Access Manager
Component: Access Policy Manager
Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.
Conditions:
This event can be triggered while using the Oracle Access Manager.
Impact:
An unhandled exception will cause EAM to core and possible access outage.
Workaround:
No workaround
Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.
539130-7 : bigd may crash due to a heartbeat timeout
Solution Article: K70695033
Component: Local Traffic Manager
Symptoms:
bigd crashes and generates a core file.
The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.
This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.
Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.
Impact:
bigd crashes and generates a core file. Monitoring is interrupted.
Workaround:
None.
Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.
Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable.
Successful command exits are also logged for completeness since this the log messages only appears when debugging is enabled.
539125-1 : SNMP: ifXTable walk should produce the available counter values instead of zero
Component: TMOS
Symptoms:
The SNMP ifXTable is presenting zeros for attributes hc_in_multicast_pkts and hc_out_multicast_pkts. However, this data is available on the Big-IP and should be presented.
Conditions:
snmpwalk the ifTable and the ifXTable. The ifTable shows Counter32 values for attributes in_multicast_pkts and out_multicast_pkts, but the ifXTable shows zeros for the Counter64 equivalent attributes hc_in_multicast_pkts and hc_out_multicast_pkts (except for vlans, which are correct).
Impact:
Inability to characterize/view counts for the above-referenced multicast packets via SNMP.
Fix:
The snmp walk described in the Symptom/Known issues field gives meaningful results after application of this hotfix.
539013-2 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
Component: Access Policy Manager
Symptoms:
DNS resolution stops working on a Microsoft Windows 10 desktop when the VPN connection is established.
Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.
Impact:
User cannot access resources by DNS name.
Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.
Fix:
After VPN connection has been established, DNS resolution works, in the case of a Windows 10 desktop with multiple NICs and one of them is in a disconnected state and has a statically assigned IPv4 configuration.
538761-1 : scriptd may core when MCP connection is lost
Component: TMOS
Symptoms:
Scriptd loses MCP connection may cause scriptd to core.
Conditions:
Unknown, Only known to reproduce in an F5 internal test.
Impact:
None known.
Fix:
A possible case of scriptd dumping core has been fixed.
538708-2 : TMM may apply SYN cookie validation to packets before generating any SYN cookies
Component: Local Traffic Manager
Symptoms:
SYN cookie validation is applied when SYN cookies are not active
Conditions:
Internal TMM clock has overflowed and is near 0
ACK packet has been received that does not match an existing connection flow
Impact:
Validation can be applied to a listener/proxy that does not support SYN cookies which can lead to a tmm core.
Fix:
SYN cookie validation will not be applied if SYN cookies have not been activated.
538603-3 : TMM core file on pool member down with rate limit configured
Solution Article: K03383492
Component: Local Traffic Manager
Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.
Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove rate-limit configuration.
Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.
538255-2 : SSL handshakes on 4200/2200 can cause TMM cores.
Component: Local Traffic Manager
Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.
Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.
538195-5 : Incremental Manual sync does not allow overwrite of 'newer' ASM config
Component: Application Security Manager
Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.
Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.
Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.
Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.
Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.
538133-1 : Only one action per sensor is displayed in sensor_limit_table and system_check
Component: TMOS
Symptoms:
A list of sensors is displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.
Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms:
BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.
Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor.
The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.
Workaround:
None.
Fix:
The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.
537988-3 : Buffer overflow for large session messages
Solution Article: K76135297
Component: Local Traffic Manager
Symptoms:
System with multiple blades may crash when when configured with functionality that utilizes SessionDB.
Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).
Impact:
Core or potential data corruption.
Workaround:
None.
Fix:
There is no longer a buffer overflow for large session messages.
537964-3 : Monitor instances may not get deleted during configuration merge load
Solution Article: K17388
Component: Local Traffic Manager
Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.
This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:
err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.
Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.
Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.
Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:
1. Save and re-load the configuration to correct the incorrect information in mcpd:
tmsh save sys config partitions all && tmsh load sys config partitions all
2. Restart bigd:
On an appliance:
bigstart restart bigd
On a chassis:
clsh bigstart restart bigd
Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.
537614-2 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
Component: Access Policy Manager
Symptoms:
Machine certificate checker agent fails to use machine certificate checker service for Windows if it has certain display language, for example Polish.
In failed case logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702
Conditions:
Windows with non-english display language
Machine certificate checker is supposed to use Machine Certificate Checker service
Impact:
Machine certificate checker cannot be passed using Machine cert service.
Workaround:
Switch display language to English.
Fix:
Machine certificate checker service works now with a display language other than English.
537553-3 : tmm might crash after modifying virtual server SSL profiles in SNI configuration
Component: Local Traffic Manager
Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:
-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed
Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Making SSL profile configuration changes now completes successfully.
537435-4 : Monpd might core if asking for export report by email while monpd is terminating
Component: Application Visibility and Reporting
Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.
Conditions:
Very rare case that can happen if user asks to export report by email in the middle of monpd's graceful termination (due to restart or other reason) will cause core dump (not graceful termination).
Impact:
None
Workaround:
Fixed to code to avoid this behavior.
Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.
537326-4 : NAT available in DNS section but config load fails with standalone license
Component: Local Traffic Manager
Symptoms:
config load fails with error:
01070356:3: NAT feature not licensed.
Unexpected Error: Loading configuration process failed.
Conditions:
A NAT object is created for GTM/LC standalone license box.
Impact:
config fails to load.
Workaround:
none.
Fix:
Configuration loading no longer fails with a NAT in DNS section.
537227-6 : EdgeClient may crash if special Network Access configuration is used
Component: Access Policy Manager
Symptoms:
EdgeClient crashes during connect or disconnect process. Exact time may differ from time to time.
Conditions:
EdgeClient may crash if Network Access contains configuration which includes:
Full-tunnel
Allow DHCP or Allow Local subnets is used
There is a proxy between client and APM
Impact:
EdgeClient crashes prevent Access Network to work
Workaround:
Remove on of conditions causing crash to happen
Fix:
BIG-IP Edge Client now correctly processes particular Network Access configurations.
537000-3 : Installation of Edge Client can cause Windows 10 crash in some cases
Component: Access Policy Manager
Symptoms:
connecting to an APM box which has support for Windows 10 can cause the OS to crash. After reboot the next attempt will be successful
Conditions:
- Windows 10
- APM box supporting Windows 10
- user installed F5 VPN driver from an APM box, not supporting Windows 10
Impact:
User can lose some data
Workaround:
Before connecting old VPN driver instances must be manually removed using Device Manager
Fix:
Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.
536939-1 : Secondary blade may restart services if configuration elements are deleted using a * wildcard.
Component: TMOS
Symptoms:
In certain situations a chassis based system with more than one working blade may encounter service restart on the secondary blade.
Conditions:
- Chassis system with 2 or more working blades.
- Configuration to be deleted via tmsh using a wildcard. For instance: tmsh delete ltm virtual test*
Impact:
Services will restart on the secondary blade.
Workaround:
Do not use * wildcards with tmsh when deleting configuration elements on a chassis system.
Fix:
Services no longer restart on a secondary blade when deleting configuration elements via tmsh using a * wildcard.
536868-2 : Packet Sizing Issues after Receipt of PMTU
Component: Local Traffic Manager
Symptoms:
TCP sends IP fragments in spite of PMTU message.
Conditions:
BIG-IP has received an ICMP PMTU message.
Impact:
IP fragmentation.
Workaround:
Set the MSS in the TCP profile sufficiently low to avoid inducing ICMP messages in the future.
Fix:
Properly process ICMP packets.
536746-2 : LTM : Virtual Address List page uses LTM : Nodes List search filter.
Solution Article: K88051173
Component: TMOS
Symptoms:
LTM : Virtual Address List page doesn't have it's own filter but uses other object's filter like Node list or Access policy.
Conditions:
Specifying a search filter on the Nodes page and then navigating to the Virtual Address page.
Impact:
Displays an empty virtual server list or only the virtual address matching the node addresses.
Workaround:
Remove the filter on the LTM : Nodes List before viewing the LTM : Virtual Address List.
Fix:
Specifying a search filter on LTM : Nodes List no longer affects the output on LTM : Virtual Address List.
Virtual Address List now has its own fixed, general filter, and is not affected by filter settings on any other object.
536690-1 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
Solution Article: K82591051
Component: Local Traffic Manager
Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.
Conditions:
Using a module and feature that requires host-tmm communication within a chassis.
Impact:
Possible service failure, such as disallowing entry to APM.
Workaround:
None.
Fix:
Host-to-tmm connections within a chassis no longer fail.
536683-1 : tmm crashes on "ACCESS::session data set -secure" in iRule
Component: Access Policy Manager
Symptoms:
You encounter a tmm crash when your configuration contains an iRule that uses "ACCESS::session data set -secure"
Conditions:
Use of "ACCESS::session data set -secure" in an iRule
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a crash related to the "ACCESS::session data set -secure" command
536575-2 : Session variable report can be blank in many cases
Component: Access Policy Manager
Symptoms:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank.
Conditions:
On-Demand Cert Auth in an access policy.
DACL in access policy.
Per-App VPN access policy.
probably others.
Impact:
The Session Variable report is empty.
Workaround:
Check the session variable using command sessiondump.
Fix:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly.
536563-4 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
Component: Local Traffic Manager
Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.
Impact:
Unexpected RSTs (Clientside).
Workaround:
None.
536481-8 : F5 TCP vulnerability CVE-2015-8240
Solution Article: K06223540
536191-3 : Transparent inherited TCP monitors may fail on loading configuration
Component: Local Traffic Manager
Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.
Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.
Impact:
Configuration from disk fails to load. System posts an error message similar to the following: 1070045:3: Monitor /Common/test1 type cannot have transparent attribute.
Unexpected Error: Loading configuration process failed.
Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.
Fix:
Transparent inherited TCP monitors no longer fail on loading configuration.
535806-4 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
Component: TMOS
Symptoms:
Not enough free disk space for live install of 12.0.0.
Conditions:
Initial install of BIG-IP VE GOOD 11.5.3. Upgrade to 12.0.0
Impact:
Unable to install 12.0.0 on 2nd slot.
Workaround:
Grow the virtual disk before installing 12.0.0.
Fix:
Increased the size of virtual disk so that there is enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE.
535544-7 : Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled
Component: TMOS
Symptoms:
Consider the listing of the ltm virtual vsach below.
The translate-port, translate-address properties are not listed. This implies that these properties are set to their default value of true. tmsh does not list default values. In case these are set to false, they will be listed.
(tmos)# list ltm virtual
ltm virtual vsach {
destination 1.1.1.1:http
mask 255.255.255.255
profiles {
fastL4 { }
}
source 0.0.0.0/0
vs-index 3
}
Conditions:
Presence of a ltm virtual in the configuration with its destination port any (ex: x.y.z.w:any) and translate-port enabled. When listing this ltm virtual the translate-port, translate-address are not displayed.
Impact:
Cannot know the actual value of virtual::translate-port, translate-address attributes until the workaround is applied.
Workaround:
Explicitly list the property
(tmos)# list ltm virtual sach translate-port
ltm virtual vsach {
translate-port enabled
}
Fix:
Post change the above mentioned properties will always be listed, irrespective if they have default value or not.
535246 : Table values are not correctly cleaned and can occupy entire disk space.
Solution Article: K17493
Component: Application Visibility and Reporting
Symptoms:
AVR data in MySQL might grow to fill all disk space.
Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.
Impact:
MySQL stops responding. Site might experience down time due to full disk.
Workaround:
If monitoring disk space and AVR data takes more than 70% of the space, reset AVR data by running the following commands sequentially: -- touch /var/avr/init_avrdb. -- bigstart restart monpd.
Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.
535188-5 : Response Pages custom content with \n instead of \r\n on policy import.
Component: Application Security Manager
Symptoms:
After importing policy with custom content on the Default Response Page, new lines are changed from \r\n to \n and it shouldn’t.
Conditions:
1. Create New Policy.
2. Go to Security : Application Security : Policy : Response Pages
3. On Default Response Page, change Response Type to 'Custom Response'.
4. Add 'Enters' to the 'Response Body' and save it.
(for example:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
Please consult with your administrator.<br><br>Your support
ID is: <%TS.request.ID()%></body></html>).
5. View the REST state of the response page and see that the new lines presented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replace the old policy).
8. Now the 'new lines' in the content of the response page presented by '\n' instead of '\r\n'.
Impact:
After importing policy with custom content on Default Response Page, new lines are changed from \r\n to \n and it shouldn't.
Workaround:
In GUI, Go to Security : Application Security : Policy : Response Pages, remove and add the 'Enters' and
click on 'Save' for the default response page.
Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.
534824-2 : Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction.
Solution Article: K02954921
Component: TMOS
Symptoms:
Creating clientSSL profile and modifying key and/or certificate in the same transaction causes the profile to be created with incorrect key and/or certificate. This has impact on clientSSL profile creation using iApp.
Conditions:
- Start a transaction.
- Create a clientSSL profile and mention any desired 'defaults-from'profile.
- Modify key and/or cert
- End transaction
Or
Use iApp for creating clientSSL profile with key/cert different from the defaults.
Impact:
clientSSL profile is created with the wrong key/cert.
Workaround:
None.
Fix:
The issue has been fixed so that the right key/cert is associated with the clientSSL profile when transactions or iApps are used.
534804-3 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
Component: Local Traffic Manager
Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.
Conditions:
VIP/pool configuration contains:
- Pool configured with
+ Action On Service Down is set to Reselect
- Pool members configured with
+ Connection Rate Limit is set
If all pool members go down, this can trigger the core
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove rate limit configuration.
Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on poolmembers
534795-6 : Swapping VLAN names in config results in switch daemon core and restart.
Component: Local Traffic Manager
Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.
Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.
Impact:
Switch daemon drops core, restarts, and reconfigures the switch.
Workaround:
First delete any existing VLANs, and then recreate then with new names.
Fix:
Add additional protection and error logging for VLAN-name- and VLAN-ID-lookup failures in the switch daemon.
534755-2 : Deleting APM virtual server produces ERR_NOT_FOUND error
Component: Access Policy Manager
Symptoms:
When a APM virtual server is deleted on the active, the following error message will be seen in the APM log on the standby.
"Failed to delete profile stats namespaces"
Conditions:
This issue happens when a APM virtual is deleted on the active and the change is subsequently synced to the standby
Impact:
There is no functional impact.
Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.
534633-1 : OpenSSH vulnerability CVE-2015-5600
Solution Article: K17113
534630-3 : Upgrade BIND to address CVE 2015-5477
Solution Article: K16909
534582-3 : HA configuration may fail over when standby has only base configuration loaded.
Solution Article: K10397582
Component: TMOS
Symptoms:
The active unit may fail over when only the base configuration is loaded on a standby system, and HA communications in the HA configuration is interrupted.
Conditions:
Only base configuration loaded on standby and HA communications are disrupted.
Impact:
Potential site outage.
Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.
Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.
534458-4 : SIP monitor marks down member if response has different whitespace in header fields.
Solution Article: K17196
Component: Local Traffic Manager
Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.
Conditions:
SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'.
Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.
Workaround:
Use other types of monitors, e.g., UDP.
Fix:
SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differ.
534246-4 : rest_uuid should be calculated from the actual values inserted to the entity
Component: Application Security Manager
Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.
Conditions:
This is an example:
1. Go to Security>>Application Security>>Headers>>HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header as follows use name 'Abc' with Capital letter.
4. Remember the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header and use the name 'abc'.
Actual Results:
The ID of 'abc' and the ID of 'Abc' are different.
Impact:
Two identical normalized values may have different rest_uuid.
Workaround:
N/A
Fix:
The REST "id" field is now calculated from the actual values inserted to the entity, and not on the user-input values.
534111-2 : [SSL] Config sync problems when modifying cert in default client-ssl profile
Component: Local Traffic Manager
Symptoms:
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.
Conditions:
Modify cert in default client-ssl profile and perform a config sync operation.
Impact:
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.
Workaround:
1. Remove client-ssl definitions from bigip.conf on each unit.
2. Reload the config.
3. Synchronize the config.
Fix:
The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.
534052-5 : VLAN failsafe triggering on standby leaks memory
Solution Article: K17150
Component: Local Traffic Manager
Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.
Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.
Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.
Workaround:
None.
Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.
534021-1 : HA on AWS uses default AWS endpoint (EC2_URL).
Component: TMOS
Symptoms:
HA doesn't work on Government clouds on AWS.
Conditions:
AWS endpoints for government clouds are different compared to their public offerings. Amazon recommendation is to construct the end-point (EC2_URL) dynamically based on: [<service name>.<region>.<services/domain>] construct.
Impact:
HA doesn't work on Government clouds on AWS.
Workaround:
EC2 endpoint can be constructed dynamically by:
- Query EC2 Metadata service for <DOMAIN> name (curl http://169.254.169.254/latest/meta-data/services/domain)
- Read the instance <REGION> from /shared/vadc/aws/iid-document
- Declare global variable EC2_URL by using above two values in following format:
export EC2_URL="http://ec2.<REGION>.<DOMAIN>"
Fix:
BIG-IP HA on AWS dynamically constructs the EC2 service endpoint based on the domain-name and region attached with the running instance.
533966-4 : Double loopback nexthop release might cause TMM core.
Component: Local Traffic Manager
Symptoms:
TMM might restart after logging an 'Assertion "nexthop ref valid" failed' message.
Conditions:
Traffic is sent from one tmm to a tunnel in another tmm, but the tunnel does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
There is no longer a TMM crash due to an extra loopback nexthop release.
533826-4 : SNMP Memory Leak on a VIPRION system.
Component: TMOS
Symptoms:
The snmpd image increases in size on a VIPRION system.
Conditions:
Run continuous snmpbulkwalk operations.
Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.
Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.
Fix:
The snmpd image no longer increases in size on a VIPRION system processor.
533820-3 : DNS Cache response missing additional section
Component: Local Traffic Manager
Symptoms:
Resolver cache lookups are missing authority and additional sections.
Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries if the DO bit is also not set.
Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.
Workaround:
none
Fix:
The resolver cache now correctly includes the information available for the authority and additional sections if the information is available.
533813-2 : Internal Virtual Server in partition fails to load from saved config
Component: TMOS
Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:
-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.
Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.
Here is an example of how this might occur. Run the following commands.
- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify.
Impact:
The operation creates a virtual server but cannot load it from saved config.
Workaround:
To work around this issue, you can use the Common partition to complete the configuration.
Fix:
You can now configure an internal virtual server in a partition and load the config successfully.
533808-2 : Unable to create new rule for virtual server if order is set to "before"/"after"
Component: Advanced Firewall Manager
Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".
Conditions:
Happens only when the order is set to "before"/"after"
Impact:
Unable to create a new rule from the virtual server page
533723-7 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
Component: Access Policy Manager
Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.
Conditions:
Web-application dynamically creates HTML content on the client side that contains the textarea tag.
Impact:
Web-application misfunction is possible.
Workaround:
There is no workaround at this time
Fix:
Content rewriting is suppressed on the client side for the textarea tag.
533658-3 : DNS decision logging can trigger TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.
Conditions:
-- DNS logging is enabled and log profile set on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.
Fix:
DNS decision logging no longer causse TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.
533562-5 : Memory leak in CGNAT can result in crash
Solution Article: K15320373
Component: Carrier-Grade NAT
Symptoms:
tmm leaks cmp memory, resulting in crash.
'tmctl memory_usage_stat' reports very high cmp memory utilization.
Conditions:
Configure hairpin mode or inbound connection handling set to automatic.
Impact:
BIG-IP system might run out of memory and crash.
Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.
Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.
533480-4 : qkview crash
Solution Article: K43353404
Component: TMOS
Symptoms:
Qkview may crash or hang. You might see this error message in /var/log/ltm:
err mcpd[8003]: 0107134e:3: Failed while making snapshot:
(Failed to link files existing(/config/filestore/files_d/Common_d/...
Conditions:
Changing large configurations while running qkview or missing files from the /config/filestore/files_d/Common_d/external_monitor_d directory can cause qkview to crash or hang.
Impact:
You will be unable to generate a qkview file for support.
Workaround:
Make sure any iControl scripts that are making changes are allowed to complete.
If you deleted any external monitor files from /config/filestore/files_d/Common_d, restore the external-monitor file and re-run qkview.
Fix:
The system now handles running qkview while creating 20,000 or more pools or removing an external monitor from the /config/filestore/files_d/Common_d/external_monitor_d directory, so these conditions no longer cause qkview crash or hang issues.
533458-2 : Insufficient data for determining cause of HSB lockup.
Component: TMOS
Symptoms:
When an HSB lockup occurs only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing stats and the state of the HSB driver when the failure occurred to help diagnose the failure.
Conditions:
When an HSB lockup occurs.
Impact:
There is limited data is available for root cause analysis.
Workaround:
None.
Fix:
On HSB lockup, the system now generate a core file, which contains stats and the state of the HSB driver when the failure occurred to help diagnose the failure.
533413-3 : CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html
Solution Article: K51518670
533388-8 : tmm crash with assert "resume on different script"
Component: Local Traffic Manager
Symptoms:
In a rare race condition involving stalled server-side TCP connections on which a RST is received and a asynchronously executing client-side iRule for event CLIENT_CLOSED the tmm can crash with assert "resume on different script".
Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).
Fix:
tmm no longer crashes with assert "resume on different script"
533336-1 : Display 'description' for port list members
Component: Advanced Firewall Manager
Symptoms:
Descriptions for port list's members are not displayed in GUI
Conditions:
Create a port list with 'description' set for its members (using tmsh).
When the portlist list page is accessed from GUI, the description set for the members (on tmsh) is not displayed.
Impact:
Users will not be able to see the description
Workaround:
Use tmsh to view the description for portlist members on tmsh
Fix:
Descriptions for port list members are now displayed in the GUI.
533257-1 : tmsh config file merge may fail when AFM security log profile is present in merged file
Component: TMOS
Symptoms:
A config file merge into an existing config may fail with "unknown-property" message.
Conditions:
This can occur when you are doing a config file merge. The error encountered was with a parameter called "built-in enabled".
Impact:
All releases and modules are affected.
Workaround:
The offending parameter may be deleted from the merge file, however this may result in the value for the deleted parameter not set correctly in the existing config.
Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.
533156-2 : CVE-2015-6546
Solution Article: K17386
533098 : Traffic capture filter not catching all relevant transactions
Solution Article: K68715215
Component: Application Visibility and Reporting
Symptoms:
The traffic capture filter does not catch all relevant transactions.
Conditions:
When a traffic capture filter is set.
Impact:
Not all relevant transactions are captured.
Fix:
The traffic capture filter now catches all relevant transactions.
532799-4 : Static Link route to /32 pool member can end using dst broadcast MAC
Solution Article: K14551525
Component: Local Traffic Manager
Symptoms:
After assigning a static route to a node on a specific VLAN, ARPs are no longer generated, and all traffic to the node uses a broadcast (ff:ff:ff:ff:ff:ff) MAC.
Conditions:
Static VLAN route to a poolmember/node with a /32 mask.
Impact:
This can cause the monitors to fail and the poolmember/node to be marked down.
Workaround:
Use a non /32 mask or use a gateway route instead.
Fix:
The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 vlan route.
532761-1 : APM fails to handle compressed ICA file in integration mode
Component: Access Policy Manager
Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0
Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.
Impact:
Citrix application or desktop cannot be started.
Fix:
Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.
532685-5 : PAC file download errors disconnect the tunnel
Component: Access Policy Manager
Symptoms:
Any failure to download PAC file is treated as fatal error. If edge client fails to download PAC file VPN connection cannot be established.
Conditions:
-PAC file cannot be downloaded by edge client
Impact:
Tunnel disconnects in case of PAC file download errors.
Workaround:
Fix infrastructure issues that result in PAC file download failure
Fix:
PAC file download and merging issues were considered critical before and Edge Client disconnects the tunnel. This behavior is controlled by a new setting called "Ignore PAC download error" on BIG-IP now.
Behavior Change:
PAC file download and merging issues were considered critical before and BIG-IP Edge Client disconnects the tunnel. This behavior is controlled by a new setting called "Ignore PAC download error" on BIG-IP now.
532559-2 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
Component: TMOS
Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.
Conditions:
This condition could be caused by executing the following command when generating the configuration.
'tmsh modify ltm profile client-ssl clientssl defaults-from none'
Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.
Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.
Fix:
Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'.
532522-4 : CVE-2015-1793
Solution Article: K16937
532394-1 : Client to log value of "SearchList" registry key.
Component: Access Policy Manager
Symptoms:
n/a
Conditions:
Windows user connecting and disconnecting network access connection to BIG-IP APM server.
Impact:
n/a
Workaround:
n/a
Fix:
To provide better traceability, APM client creates log entry each time F5 software reads or writes "SearchList" or "SearchList_F5_BACKUP_VALUE" registry keys.
532340-2 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup
Component: Access Policy Manager
Symptoms:
Under unlikely circumstances, tmm threads may run into synchronization issue at startup initialization, causing BIG-IP Failover
Conditions:
- SAML SSO or Form Based SSO are configured.
- TMM is in process of starting (during reboot or for any other reason).
Impact:
Impact is BIG-IP will failover at start time.
If tmm has successfully started - no further impact will be observed.
Workaround:
Remove Form Based SSO, and SAML objects from configuration.
Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.
532107-5 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
Solution Article: K16716213
Component: Local Traffic Manager
Symptoms:
If RTT value for nameserver cache reached the maximum value as 120000, even after executing 'delete ltm dns cache nameserver', BIG-IP still keeps the past maximum RTT value.
Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.
Impact:
This can cause dns response failure.
Workaround:
Change size for nameserver-cache-count to reset the nameserver cache.
# tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536
Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.
532096-3 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
Component: Access Policy Manager
Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when MatchFQDN rule is used
Conditions:
Machine Certificate checker agent uses MatchFQDN rule in Access Policy of BIG-IP version 11.4.1 and earlier.
New BIG-IP Edge Client (version greater than 11.4.1) is used against old BIG-IP.
Impact:
Machine Certificate checker agent may fail. Policy goes wrong way.
Fix:
Fixed issue causing Machine Certificate checker agent backward incompatibility.
532030-2 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
Component: Application Security Manager
Symptoms:
When importing a policy that utilizes a custom signature set, ASM checks whether that signature set is already exists on the system. If it does not exist, then it creates a new set.
When a set is created via REST it does not correctly set an internal field that does get set via creation by the GUI or XML import.
This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to co-ordinate changes across devices utilizing import via XML and REST calls.
Conditions:
A Custom filter-based signature set is created by the GUI and then attached to a security policy.
The security is exported in XML format.
On a different device an identical signature set is created via REST.
The security policy is then imported on that device.
Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.
Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.
Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.
531986-2 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.
Component: TMOS
Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following:
Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization:
Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.
Conditions:
Hourly instance in AWS with default tmm route added.
Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.
Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.
Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.
531983-4 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
Component: Access Policy Manager
Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.
Conditions:
SSL VPN tunnel is established and new adapter is added to the system. For example, Wi-Fi connected when tunnel is established already over Ethernet adapter.
Impact:
Routing table might be corrupted.
Workaround:
Restart OS X.
Fix:
Routing table now updates correctly when new adapter is added to the system while SSL VPN tunnel is already established over an network adapter.
531979-4 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.
Component: Local Traffic Manager
Symptoms:
In the ClientHello message, the system is now setting the SSL version in the record layer to be the same as version value of ClientHello message, which is the highest SSL version now supported.
Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
Content Type: Handshake (22)
Version: $LOWEST_VERSION
Handshake Record:
Handshake Type: Client Hello (1)
Version: $HIGHEST_VERSION
The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.
Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.
For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.
Impact:
SSL handshake fails.
Workaround:
There is no workaround for this issue.
Fix:
The SSL version in the record layer of ClientHello is now set to be the lowest supported version, which eliminates that issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.
531883-3 : Windows 10 App Store VPN Client must be detected by BIG-IP APM
Component: Access Policy Manager
Symptoms:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via client type agent
Conditions:
Windows 10 App Store VPN Client, BIG-IP APM , client type agent
Impact:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box
Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.
531809-1 : FTP/SMTP traffic related bd crash
Component: Application Security Manager
Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.
Conditions:
FTP/SMTP traffic and remote logging assigned. Crash happens on a rare occasion.
Impact:
bd crash, traffic disturbance.
Workaround:
Remove the remote logging from FTP/SMTP.
Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.
531576-2 : TMM vulnerability CVE-2016-7476
Solution Article: K87416818
531526-1 : Missing entry in SQL table leads to misleading ASM reports
Solution Article: K17560
Component: Application Visibility and Reporting
Symptoms:
Some reports of ASM violations were generated with missing activity.
Conditions:
When there are many entities to report and some are getting aggregated, then the aggregated activity was not reported.
Impact:
Misleading reports of ASM activity.
Workaround:
None.
Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.
531483-1 : Copy profile might end up with error
Component: Access Policy Manager
Symptoms:
Copy profile might end up with error about two items are sharing the same agent
Conditions:
Very rare - long policy names, similar name parts
Impact:
Minor - you would need to choose different name for new policy
Fix:
Issue resolved.
530963-3 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
Component: Local Traffic Manager
Symptoms:
The BIG-IP does not verify every byte in the Finished message of an TLS handshake but does properly validate the MAC of the Finished message.
Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.
The following list some examples when a TLS connection is not accelerated by the Cavium card:
* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)
* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following list the BIG-IP platforms that do not contain a Cavium SSL accelerator card:
* BIG-IP 2000 platforms
* BIG-IP 4000 platforms
* BIG-IP Virtual Edition
Impact:
F5 believes the reported behavior does not have security implications at this time.
Workaround:
None.
Fix:
BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms.
530952-4 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
Component: Application Visibility and Reporting
Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following:
[DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...
Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041
Impact:
Monpd loses functionality
Workaround:
Restart monpd.
Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.
530903-5 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade★
Component: TMOS
Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.
Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state. Upgrades to 11.5.0 through 11.5.3 as well as to 11.6.0 are impacted.
Impact:
Active/Standby configuration is lost.
Workaround:
Reconfigure the HA pair back to active/standby.
Fix:
HA pair in a typical Active/Standby configuration now remain Active/Standby after a software upgrade.
530865-1 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
Component: Advanced Firewall Manager
Symptoms:
Due to a related change in AFM ACL handling, global and route domain rule's were being logged (incorrectly) by the virtual server's AFM log profile (if it exists).
This is incorrect since the behavior has always been that Global and Route Domain AFM rule logging is controlled by global-network log profile only.
Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.
Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.
Workaround:
None
Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).
530829-2 : UDP traffic sent to the host may leak memory under certain conditions.
Solution Article: K00032124
530812-5 : Legacy DAG algorithm reuses high source port numbers frequently
Component: Local Traffic Manager
Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.
Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.
Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.
Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.
Fix:
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.
530795-1 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect tcp seq ack number in the embedded msg body.
Conditions:
FastL4 TCP virtual servers. Syncookie mode.
Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.
Workaround:
None.
Fix:
The BIG-IP system sends correct SEQ and ACK number in ICMP messages.
530769 : F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.
Component: Local Traffic Manager
Symptoms:
When MCPD restarts on one of the B2100 blades, trunk interfaces on the blade are not coming up.
Conditions:
MCPD restarts in a clustered environment (chassis).
Impact:
TMM will not process traffic on the blade where mcpd restarted.
Workaround:
Restart tmm (bigstart restart tmm) on the blade that shows the interface down.
Fix:
Fixed in corrections for bug 502443-9.
530761-4 : TMM crash in DNS processing on a TCP virtual
Component: Local Traffic Manager
Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.
Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
While no true workaround exists, the situation can be avoiding by removing any one of the conditions above.
Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.
530697-3 : Windows Phone 10 platform detection
Component: Access Policy Manager
Symptoms:
Windows Phone 10 platform is not currently detected
Conditions:
Windows Phone 10 platform , BIG-IP APM system
Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP
Fix:
Windows Phone 10 platform is detected correctly now.
530622-2 : EAM plugin uses high memory when serving very high concurrent user load
Component: Access Policy Manager
Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.
Conditions:
This issue was found internally during in stress testing and was reported externally when experiencing high concurrent user load.
Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.
Workaround:
No workaround.
Fix:
There was a memory usage issue in the EAM plugin. This issue is fixed.
530598-2 : Some Session Tracking data points are lost on TMM restart
Component: Application Security Manager
Symptoms:
Session Tracking data points, that are added by ASM upon traffic, based on Session Tracking thresholds configuration, are lost when TMM restarts.
Conditions:
ASM Provisioned.
Session Tracking feature is ON.
Impact:
Session Tracking data points may be added by ASM upon traffic.
These are data points with action 'Block-All'.
These data points are lost when TMM restarts.
Workaround:
None.
Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.
530530-4 : tmsh sys log filter is displayed in UTC time
Component: TMOS
Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.
Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:
Filter logs by hour.
Filter logs for less than 8 hours.
Impact:
tmsh does not filter the log correctly with 'range' filter.
Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.
530505-2 : IP fragments can cause TMM to crash when packet filtering is enabled
Component: Local Traffic Manager
Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.
Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM.
To determine if packet filtering is enabled, then the packetfilter setting can be queried by using the 'tmsh list sys db packetfilter' command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable packet filtering.
Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.
530356-1 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
Component: Application Visibility and Reporting
Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.
Conditions:
Upgrading to new version.
Impact:
Some ASM data is lost after upgrade.
Workaround:
None.
Fix:
The system now correctly backs up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.
530242-4 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
Solution Article: K08654415
Component: TMOS
Symptoms:
When SPDAG is turned on VIPRION B2250 blades, the traffic imbalance among TMMs might be observed.
Conditions:
Enable SPDAG on VIPRION B2250 blades.
Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.
Workaround:
Adding or removing B2250 blades might mitigate the imbalance.
If you are running BIG-IP versions 11.6.1 or 11.6.1 HF1, add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes
Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting tmm tcl variable, dag::use_p8_sp_hash, to yes.
Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes
530133 : Support for New Platform: BIG-IP 10350 FIPS
Component: TMOS
Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1
Conditions:
This details the new platform name.
Impact:
This is an added platform. There is no impact to the product.
Workaround:
None needed.
Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.
Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.
530122 : Improvements in building hotfix images for hypervisors.
Component: TMOS
Symptoms:
The name of HF/EHF ISOs changed recently and the filter used to locate them needs to change.
Conditions:
Building hotfix images for hypervisors.
Impact:
There are issues providing bundled images.
Workaround:
None.
Fix:
This release provides improvements for building hotfix images for hypervisors.
530109-1 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Component: Access Policy Manager
Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.
Impact:
OCSP auth might fail as wrong URL is used.
Workaround:
1. Clean URL field.
2. Uncheck option 'Ignore AIA'.
Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.
Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.
529977-4 : OSPF may not process updates to redistributed routes
Component: TMOS
Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.
Conditions:
External routes, such as kernel or static, redistributed into OSPF being rapidly added and removed. This my happen when using Route Health Injection and enabling/disabling a virtual address.
Impact:
The OSPF may have stale or missing LSAs for redistributed routes.
Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command.
This disrupts dynamic routing using OSPF.
Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.
529920-6 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
Component: Local Traffic Manager
Symptoms:
TMM crashes on the standby unit.
Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.
Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.
Workaround:
None.
Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.
529903-2 : Incorrect reports on multi-bladed systems
Component: Application Visibility and Reporting
Symptoms:
Reports on multi-bladed systems might contain incorrect data, if the blades are active at different times, and do not share the same level of history. A report appears on a different time range than expected.
Conditions:
Example:
A setup with 3 blades, and 2 are down while the active 1 receives traffic for a full day. Later the 2 down blades go up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through it for the last day.
Impact:
Report not as expected.
Workaround:
None.
Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.
529900-4 : AVR missing some configuration changes in multiblade system
Solution Article: K88373692
Component: Application Visibility and Reporting
Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.
Conditions:
Multiblade system, having one of the following changes:
1. New primary blade is selected.
2. Change to AVR max number of entities in the DB.
Impact:
Data might not be loaded into the DB, or not be queried correctly.
Workaround:
Restart of monpd solves the problem.
Fix:
Configuration changes in multiblade systems are now treated correctly.
529899-3 : Installation may fail with the error "(Storage modification process conflict.)".★
Component: Local Traffic Manager
Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".
Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.
Impact:
Minimal; the installation can be restarted.
Workaround:
Delete the failed volume and restart the installation.
Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.
529610-4 : On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db
Solution Article: K32565535
Component: Application Security Manager
Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.
Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.
Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.
Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm
Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.
529524-5 : IPsec IKEv1 connectivity issues
Solution Article: K15345631
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels do not come up and IKE negotiations is not initiated/ or does not complete.
Conditions:
1. Configure the BIG-IP system with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and it fails. Although it may succeed intermittently.
The following chassis scenario might also cause the issue:
1. Configure the VIPRION chassis with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and the intended traffic is secured. IPsec IKEv1 tunnels are established.
3. Perform bigstart restart on the secondary blade.
4. Observe Traffic does not pass, and shows IKE negotiation failures.
Impact:
IPsec IKEv1 tunnels do not get established and the intended traffic is not secured. Traffic does not pass, and shows IKE negotiation failures.
Workaround:
There is a workaround for the chassis platform: Perform bigstart restart of tmm on all blades. There is no workaround for non-chassis platforms.
Fix:
BIG-IP systems and VIPRION platforms now successfully establish IPsec IKEv1 tunnels and secure and pass the intended traffic.
529509-4 : BIND Vulnerability CVE-2015-4620
Solution Article: K16912
529484-3 : Virtual Edition Kernel Panic under load
Component: TMOS
Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.
Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.
Impact:
When the issue occurs the Virtual Edition instance will reboot.
Workaround:
Disable LRO on the underlying hypervisor, if possible.
Fix:
Virtual Edition instances now stays active when instances passing 10 Gbps of traffic on interfaces that support LRO.
529460-5 : Short HTTP monitor responses can incorrectly mark virtual servers down.
Solution Article: K17209
Component: Global Traffic Manager (DNS)
Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.
Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.
Impact:
Virtual servers are incorrectly marked down.
Workaround:
Modify server response or use a TCP monitor.
Fix:
BIG-IP DNS HTTP/1.x monitor probe now requires 17, rather than 64 bytes of response payload, so HTTP monitor responses HTTP response that is shorter than 64 bytes no longer incorrectly mark virtual servers down.
529392-3 : Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
Component: Access Policy Manager
Symptoms:
Windows 10 and Internet Explorer 11 is not determined in case of DIRECT rule is used to connect to BIG-IP in proxy autoconfig script configured locally.
Conditions:
Local proxy autoconfig scrip, DIRECT rule for BIG-IP virtual server, Internet Explorer 11.
Impact:
Internet Explorer 11 is not detected properly.
Fix:
Internet Explorer 11 on Microsoft Windows 10 is detected correctly now if local proxy autoconfig script is configured with DIRECT rule for BIG-IP.
529141-4 : Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error★
Solution Article: K95285012
Component: TMOS
Symptoms:
Upgrade from 10.x fails with the error 'emerg load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (profile_arg ` show ` list ` edit ` delete ` stats reset) for 'profile'."
Conditions:
Attempting to upgrade from 10.x to 11.6.1 or specific 11.5.3 and 11.5.4 engineering hotfixes with custom Certificate and Key in the clientssl profile.
Impact:
Unable to upgrade successfully and BIG-IP will be inoperative. You will be unable to log into the BIG-IP GUI. The error signature in /var/log/ltm will exist, and /config/bigip.conf will probably not exist.
Workaround:
Delete the following line from all ssl profiles in /config/bigpipe/bigip.conf: inherit-certkeychain false.
To complete the upgrade, run the following command: /usr/libexec/bigpipe load.
After config load is successful, run the following command:
tmsh save sys config && tmsh load sys config.
Fix:
Upgrade from 10.x now completes successfully with a valid clientssl profile, and produces no BIGpipe parsing error.
528955-2 : TMM may core when using Request Adapt profile
Component: Service Provider
Symptoms:
tmm core file
Conditions:
Serverside connection is detached after processing HTTP response
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Cleaned up invalid references in Adapt component after serverside connection detachment
528881-5 : NAT names with spaces in them do not upgrade properly★
Component: TMOS
Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.
Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names. When an upgrade is performed to 11.5.0 through 11.5.3 or to 11.6.0 this can be triggered.
Impact:
The configuration does not load on the upgraded system.
Workaround:
Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).
Fix:
NAT names with spaces in them now upgrade properly.
528808-2 : Source NAT translation doesn't work when APM is disabled using iRule
Component: Access Policy Manager
Symptoms:
Source NAT translation does not happen and server-side connection fails.
Conditions:
ACCESS::disable iRule is added to the virtual server.
Impact:
Proxy's server-side connection fails.
Workaround:
Do not use the ACCESS::disable iRule command.
Fix:
Restore the source address translation correctly even if an iRule has disabled APM.
528739-5 : DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
Solution Article: K47320953
Component: Local Traffic Manager
Symptoms:
DNS Caching might use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.
Conditions:
This occurs when using DNS Caching.
Impact:
The data from the ADDITIONAL section might be used in the ANSWER section of DNS responses. The data might be stale or incorrect.
Workaround:
None.
Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.
528734-1 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
Solution Article: K04711825
Component: Local Traffic Manager
Symptoms:
In a Standard virtual server, a data segment will be retransmitted when an ICMP Type 3, Code 4, message with an MTU (greater than or equal to 0) is received. The retransmission occurs until there are no ICMP Type 3, Code 4 messages, a connection times out, or an ACK is received.
Conditions:
Router or client sends ICMP frag messages with random MTU values. It can be increasing, decreasing, same, or 0 MTU.
Impact:
Packets might fill up the pipe and cause a minor outage.
Workaround:
None.
Fix:
TCP drops the second or later ICMP Type 3, Code 4 message. If the second packet is a valid ICMP packet, the downstream router will send another ICMP Type 3, Code 4 message.
528726-2 : AD/LDAP cache size reduced
Component: Access Policy Manager
Symptoms:
When AD or LDAP Query module built a group cache, that cache contained an unnecessary attribute that was never used.
Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.
Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.
Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.
528675-3 : BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired
Component: Access Policy Manager
Symptoms:
Edge Client can stuck in "disconnecting..." state if connected through with captive portal session and captive portal session expired. This happens when BIG-IP EDGE client keep HTTP connection to captive portal probe URL alive.
Conditions:
BIG-IP EDGE Client for Windows connecting to BIG-IP APM on network with active captive portal.
Captive portal session expired before user terminate active Network Access connection.
Impact:
When user run into this condition BIG-IP EDGE client for Windows cannot connect to BIG-IP APM server without restart.
Workaround:
User can exit and restart BIG-IP EDGE client.
Fix:
Captive portal detection request modified to properly close HTTP connection.
528548-1 : @import "url" is not recognized by client-side CSS patcher
Component: Access Policy Manager
Symptoms:
Not rewriten links from CSS.
Conditions:
CSS which contains:
@import "url"
or
@import 'url'
Impact:
Unmangled requests resulting in error and customer confusion. Wrong rendering of pages.
Workaround:
Custom iRule can be used. No general workaround exists.
Fix:
Fixed CSS rewriting for:
@import "URL"
and
@import 'URL'
528498-2 : Recently-manufactured hardware may not be identified with the correct model name and SNMP OID
Component: TMOS
Symptoms:
The model names and corresponding SNMP OIDs of BIG-IP and VIPRION hardware may not be identified correctly.
1. Under the 'tmsh show sys hardware' command, the 'Type' field under 'System Information' may show the alphanumeric Platform Identifier (e.g., C113) instead of the BIG-IP/VIPRION model name (e.g., 4200v).
2. The SNMP sysObjectID OID (1.3.6.1.2.1.1.2.0) may show a value of 'F5-BIGIP-SYSTEM-MIB::unknown' instead of the model-specific identifier.
Conditions:
This problem may occur when running older BIG-IP software releases on BIG-IP or VIPRION hardware platforms that were manufactured after the BIG-IP software release.
Each BIG-IP software release contains a database used to map platform hardware part numbers to BIG-IP or VIPRION model names.
If a BIG-IP or VIPRION hardware platform is manufactured after this BIG-IP software release, this new hardware may contain updates that result in a minor revision to its platform hardware part number.
If this revised platform hardware part number is not found in the database included in the BIG-IP software release, its corresponding model name cannot be determined.
The SNMP sysObjectID OID value is based on the resolved model name. If the model name cannot be determined, the SNMP sysObjectID OID returns 'F5-BIGIP-SYSTEM-MIB::unknown'.
Impact:
Unable to identify recently-manufactured BIG-IP or VIPRION hardware platforms.
Workaround:
1. Identify the hardware platform by its Platform ID, and correlate this to the Platform Name using SOL9476: The F5 hardware/software compatibility matrix at https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9476.html.
2. Query the SNMP F5-BIGIP-SYSTEM-MIB::sysPlatformInfoName.0 object to obtain the hardware identifier, and correlate this to the Platform Name (e.g., from the 'Platform support' in the appropriate BIG-IP software Release Notes).
Fix:
BIG-IP software correctly identifies recently-manufactured BIG-IP or VIPRION hardware platforms with the correct model name and SNMP sysObjectID OID.
528432-1 : Control plane CPU usage reported too high
Component: Local Traffic Manager
Symptoms:
The system CPU usage is reported as the higher of the data plane averaqe and the control plane average. In certain cases, the control plane average was being calculated at about double.
Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.
Impact:
Typically, since client traffic drives data plane CPU usage, control plane CPU usage is less than data plane CPU usage at normal client loads.
Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.
Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.
528407-6 : TMM may core with invalid lasthop pool configuration
Solution Article: K72235143
Component: Local Traffic Manager
Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool,
Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure lasthop pool to use local members/addresses.
Fix:
TMM no longer cores with an invalid lasthop pool configuration.
528276-6 : The device management daemon can crash with a malloc error
Solution Article: K39167163
Component: TMOS
Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.
Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.
Impact:
The daemon crashes and recovers.
Workaround:
This issue has no workaround at this time.
Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.
528198-1 : reject in iRule event FLOW_INIT may not respond with a RST
Component: Local Traffic Manager
Symptoms:
reject in iRule event FLOW_INIT currently does not respond with a RST
Conditions:
iRule on a tcp virtual IP which has reject in FLOW_INIT event.
Impact:
RST is not sent
Workaround:
If licensed/provisioned for AFM, "ACL::action reset" can be an option.
Fix:
TMM now correctly sends RST when reject is executed in an FLOW_INIT event of an iRule.
528188-4 : Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address
Component: Local Traffic Manager
Symptoms:
A packet filter is in place to block ICMP traffic to a virtual address, but the virtual address responds to ICMP echo requests.
Conditions:
A packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system. If the ICMP echo request needs to be forwarded to another tmm, the packet-filter is not honored.
Impact:
Traffic is not blocked despite the existence of a packet-filter rule.
Workaround:
Use AFM rather than packet-filter. Note: This may require additional licensing.
Fix:
When a packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system, the packet filter is now honored.
528139-4 : Windows 8 client may not be able to renew DHCP lease
Component: Access Policy Manager
Symptoms:
VPN disconnects after the DHCP lease expires.
Conditions:
BIG-IP Edge Client is running on Windows 8.
"Allow access to local DHCP servers" is checked in Network Access settings.
Impact:
VPN may disconnect and user must connect to VPN again.
ipconfig /renew will not work.
Workaround:
DCHP Lease timeout is automatic and works properly. Also, end users can first run ipconfig /release and then ipconfig /renew to manually renew a lease.
Fix:
DHCP lease can now be renewed correctly.
528071-2 : ASM periodic updates (cron) write errors to log
Component: Application Security Manager
Symptoms:
ASM periodic updates (run via cron) write errors to log when ASM is not provisioned.
Conditions:
ASM is not provisioned.
Impact:
Errors appears in ASM logs.
Fix:
Errors no longer appear in ASM logs when ASM is not provisioned.
528007-5 : Memory leak in ssl
Component: Local Traffic Manager
Symptoms:
An intermittent memory leak was encountered in SSL
Conditions:
This can occur under certain conditions when using Client SSL profiles
Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.
Workaround:
none
Fix:
An intermittent memory leak in SSL was fixed
527826-1 : IP Intelligence update failed: Missing SSL certificate★
Solution Article: K31622556
Component: Local Traffic Manager
Symptoms:
IP Intelligence is failing the update due to missing certificate. You will see these errors in /var/log/ltm:
err iprepd[5600]: 015c0004:3: Certificate verification error: 20
err iprepd[5600]: 015c0004:3: nSendReceiveSsl failed SSL handshake
The certificate of vector.brightcloud.com was changed recently.
Conditions:
This is seen when attempting to update the IP Intelligence database.
Impact:
IP Intelligence database will not update.
Workaround:
Add the new brightcloud certificate to the end of the chain.
Fix:
This release contains an updated certificate chain.
527799-10 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities
Solution Article: K16674 K16915 K16914
527742-1 : The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
Solution Article: K15550890
Component: Local Traffic Manager
Symptoms:
When creating a clientSSL profile at the active BIG-IP system, its inherit-certkeychain field is true by default, however, it appears to be false on the standby BIG-IP system.
Conditions:
BIG-IP systems are deployed as high-availability (HA) configuration.
Impact:
All units in an HA configuration should have the same configuration and the same behavior. Mismatching units in the HA configuration might lead to unexpected mismatching behavior.
Workaround:
None.
Fix:
With the fix, the inherit-certkeychain field of a newly created client SSL profile is set correctly on a standby BIG-IP system.
527649-1 : Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.★
Component: Local Traffic Manager
Symptoms:
Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if the upgraded cipherstring would effectively contain no ciphersuites.
Conditions:
This is relevant when the following conditions are met:
* Upgrading to version 12.0.0.
* Client/server SSL profile is configured with the COMPAT keyword.
Impact:
The system changes 'COMPAT' to 'DEFAULT'. Upgrade posts a warning similar to the following:
WARNING: ciphers in clientssl profile TheProfile has been reset to DEFAULT from MD5.
This occurs because the BIG-IP software version 12.0.0 COMPAT set is empty by default. To prevent security issues and upgrade failures due to an empty ciphersuite, the upgrade operation replaces 'COMPAT' with 'DEFAULT'.
This is not considered a software defect, but instead assists users with maintenance of ciphersuites. It is expected that some legacy ciphersuites will be removed from default sets in major releases of BIG-IP system software, which might require user action to account for this change.
Workaround:
Because the upgrade script replaces the configured cipherstring, you should determine whether 'DEFAULT' is a suitable set of ciphersuites, and make necessary adjustments. For more information, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.
Best practice recommends periodic review of the enabled cipherstrings that are considered secure, since these change over time. Such a review should prevent future occurrence of the condition.
527639-5 : CVE-2015-1791 : OpenSSL Vulnerability
Solution Article: K16914
527638-5 : OpenSSL vulnerability CVE-2015-1792
Solution Article: K16915
527637-5 : PKCS #7 vulnerability CVE-2015-1790
Solution Article: K16898
527633-5 : OpenSSL vulnerability CVE-2015-1789
Solution Article: K16913
527630-2 : CVE-2015-1788 : OpenSSL Vulnerability
Solution Article: K16938
527563-5 : Kernel Vulnerabilities
Solution Article: K17458 K16819 K17551 K17543 K17241
527431-2 : Db variable to specify audit forwarder port
Component: TMOS
Symptoms:
You can specify an audit forwarding destination for RADIUS or TACACS accounting using sys db config.auditing.forward.destination but cannot specify a custom port.
Conditions:
This is encountered if you want to use a port other than the default TCP port 49 for TACACS+ or port 1813 for RADIUS
Impact:
Unable to configure a custom port other than the default.
Fix:
The sys db config.auditing.forward.destination db variable can now have the IP address and port specified.
For more information on RADIUS or TACACS+ accounting, see SOL13762: Configuring remote RADIUS or TACACS+ accounting at https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13762
527168-3 : In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535
Component: TMOS
Symptoms:
In the GUI, the System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535.
Conditions:
1. Go to System :: Users : Authentication and click 'Change'.
2. For 'User Directory' choose 'Remote - TACACS+'.
3. Try to add a server with port greater than 32768 and click Create.
4. The maximum value allowed is 32768 instead of 65535.
Impact:
TACACS+ servers with port greater than 32768 cannot be created or modified using the GUI.
Workaround:
Use tmsh to modify these servers.
Fix:
In GUI System :: Users : Authentication TACACS+ ports now the have correct max value of 65535.
527145-3 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
Solution Article: K53232218
Component: TMOS
Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.
Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.
Impact:
Minimal additional impact on services because a shutdown was already in process.
Workaround:
None.
Fix:
Daemon no longer cores on shutdown due to internal processing error.
527027-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information
Component: Local Traffic Manager
Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.
Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.
Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.
Workaround:
None
Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.
527024-2 : DNSSEC Unsigned Delegations Respond with Parent Zone Information
Component: Local Traffic Manager
Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.
Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.
Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.
Workaround:
None
Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.
527021-2 : BIG-IQ iApp statistics corrected for empty pool use cases
Component: TMOS
Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.
Conditions:
The virtual has an empty pool (a common use case in SDN).
Impact:
Causes out-of-memory errors in scriptd.
Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.
527011-4 : Intermittent lost connections with no errors on external interfaces
Component: Local Traffic Manager
Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces.
Errors are observed on internal interfaces using 'tmos show net interface -hidden'
Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.
Impact:
Lost connections
Workaround:
None.
Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.
526974-5 : Data-group member records map empty strings to 'none'.
Component: TMOS
Symptoms:
When empty string is applied to a data-group member record, it is being converted to 'none'.
Conditions:
Record type is string.
Impact:
Data-group records data is set to string 'none', literally, even though user input an empty string ''.
Workaround:
None.
Fix:
Data-group member records no longer map empty strings to 'none'.
526856-2 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
Component: Application Security Manager
Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.
Conditions:
UCS file is installed with internal ASM signature inconsistency.
Impact:
"Use of uninitialized value" warning appears in output.
Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.
526833 : Reverse Proxy produces JS error: 'is_firefox' is undefined
Component: Access Policy Manager
Symptoms:
Web application does not work. There is error in JS console: 'is_firefox' is undefined
Conditions:
Web application is running through Portal Access
Impact:
Web sites does not work
Fix:
Error is fixed. Web applications work through Portal Access.
526817-6 : snmpd core due to mcpd message timer thread not exiting
Component: TMOS
Symptoms:
snmpd might occasionally experience a thread deadlock conditions and would be restarted (with a core dump) by sod.
Conditions:
This can occur during a SNMP configuration change.
Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.
Workaround:
After a SNMP configuration change on the BIG-IP system, the deadlock timing issue can avoided by manually restarting snmpd.
Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.
526810-8 : Crypto accelerator queue timeout is now adjustable
Component: Local Traffic Manager
Symptoms:
In order to diagnose crypto queue stuck errors, the timeout value for stuck crypto accelerator queues may now be adjusted using the crypto.queue.timeout DB variable.
The timeout value may be specified in milliseconds using the crypto.queue.timeout DB variable. The default value is 100 milliseconds.
Conditions:
This is only needed if you are getting errors in /var/log/ltm with this signature: crit tmm1[9829]: 01010025:2: Device error: crypto codec qa-crypto0-1 queue is stuck.
Impact:
Adjusting the queue timeout may help in certain configurations where SSL acceleration is the performance bottleneck.
Fix:
The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.
526754-3 : F5unistaller.exe crashes during uninstall
Component: Access Policy Manager
Symptoms:
f5unistaller.exe crashes, dmp points to a double free in SGetRegistryAsString function
Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains 0 length data
Impact:
f5unistaller crashes
Workaround:
Using the crash dump created. PD can determine the value of * from there if data is placed into the DisplayName key - it will no longer trigger this defect
526699-5 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
Solution Article: K40555016
Component: Global Traffic Manager (DNS)
Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the command nodes_up in its ip_address :: port version might lead to a crash.
Conditions:
- BIG-IP DNS iRule processing traffic with nodes_up IP/Port command.
- IP/Port references an invalid LTM virtual server.
- Client sends requests to the BIG-IP DNS wide IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify correct IP/Port in the nodes_up iRule command
Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.
526637-1 : tmm crash with APM clientless mode
Component: Access Policy Manager
Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash
Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.
526617-2 : TMM crash when logging a matched ACL entry with IP protocol set to 255
Component: Access Policy Manager
Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.
Conditions:
1. Log is enabled for that ACL entry.
2. IP protocol is set to 255
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ACL logging
Fix:
TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.
526578-2 : Network Access client proxy settings are not applied on German Windows
Component: Access Policy Manager
Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions.
If APM address is not in the Trusted Sites List, then this issue has good reproducibility.
Windows shows empty fields in proxy settings UI of Internet Explorer.
Conditions:
Client machine has Windows with German localization.
Client machine has Internet Explorer 10.
APM is not in trusted sites list or other obscure conditions.
Impact:
Network Access works in unexpected way: client ignores proxy settings.
Workaround:
Run IE under administrator
Update to IE11
Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.
526514-2 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
Solution Article: K26738102
526492-3 : DNS resolution fails for Static and Optimized Tunnels on Windows 10
Component: Access Policy Manager
Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.
Conditions:
1. Windows 10 desktop
2. Static or Optimized Tunnels are used
Impact:
No access to backend servers using hostnames.
Workaround:
none
Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.
526419-2 : Deleting an iApp service may fail
Component: TMOS
Symptoms:
Deleting an iApp service may fail with an error message like this:
01070712:3: Can't load node: 839 type: 4
Conditions:
Unknown.
Impact:
You can't delete an iApp.
Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.
Fix:
Deleting an iApp service formerly could fail with an error message like this:
01070712:3: Can't load node: 839 type: 4
This is no longer possible.
526367-2 : tmm crash
Component: Local Traffic Manager
Symptoms:
tmm cores and restarts
Conditions:
It is not known what causes this, but it is related to use of DTLS in the serverssl profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to dtls.
526295-4 : BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
Component: Policy Enforcement Manager
Symptoms:
When using a PEM iRule to create a session with calling-station-id and called-station-id, the BIG-IP system will crash in debug mode.
Conditions:
1. PEM is provisioned.
2. BIG-IP system is running in debug mode.
3. PEM iRule is used to create session with calling-station-id and called-station-id.
Impact:
The BIG-IP system crashes.
Workaround:
Creating PEM sessions with iRules that do not have calling-station-id and called-station-id. And add the two attributes using separately using PEM info iRule
Fix:
With the fix, the problematic iRule is now working as expected and does not cause any crash.
526275-2 : VMware View RSA/RADIUS two factor authentication fails
Component: Access Policy Manager
Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.
Conditions:
APM is configured for VMWare View proxy with RSA or RADIUS two factor authentication and VMware View client is used.
Impact:
User sees a confusing error message.
Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.
Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.
526162-6 : TMM crashes with SIGABRT
Solution Article: K52335623
Component: Application Security Manager
Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs:
HA daemon_heartbeat tmm fails action is go offline down links and restart
Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
This release fixes a rare scenario where TMM was halted when the IP reputation daemon was loading a new IP reputation database.
526084-1 : Windows 10 platform detection for BIG-IP EDGE Client
Component: Access Policy Manager
Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.
Conditions:
n/a
Impact:
n/a
Workaround:
n/a
Fix:
BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.
525958-10 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
Component: Local Traffic Manager
Symptoms:
In a specific combination of events TMM may core.
Conditions:
This occurs when the following conditions are met:
- Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
- That address is not directly connected.
- The matched route is a gateway pool that contains a pool member that is not reachable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure correct routing to all destinations with reachable next hops.
Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.
525920 : VPE fails to display access policy
Component: Access Policy Manager
Symptoms:
VPE fails to display access policy
Server request for 'vpeDialogue' is failed: Request status=500
Conditions:
Always for certain HF
Impact:
Error message is displayed and VPE does not work
Workaround:
No workaround, software upgrade needed
Fix:
Functionality restored
525708-2 : AVR reports of last year are missing the last month data
Solution Article: K17555
Component: Application Visibility and Reporting
Symptoms:
Reports are missing the latest data collected for them. Each report-type is missing a different portion of the data which is relative to the report-type. This issue becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month data, 'last-month' report might omit the last week data, and so on.
Conditions:
Every report that is done on a long history time range.
Impact:
The presented data can be confusing and misleading.
Fix:
A new data aggregation mechanism was inserted, so that all reports include activity up to the last hour.
There is an option to make it available even for the last 5 minutes, although that might lead to too much CPU and disk load every 5 minutes.
There is also an option to turn off this new aggregation mechanism if you are not interested in accurate long-history reports, and the aggregation task that takes place once an hour is too heavy for this machine.
525595-1 : Memory leak of inbound sockets in restjavad.
Solution Article: K38134424
Component: Device Management
Symptoms:
restjavad might run out of memory due to inactive sockets piling up in memory. The symptom will be 'Out of memory' messages in the /var/logrestjavad.0.log and any new rest calls will fail. The URL that fails is random.
Conditions:
Occurs after a few hours of use.
Impact:
Memory leak of inbound sockets in restjavad. restjavad becomes inoperative.
Workaround:
Restart restjavad with the following command:
bigstart restart restjavad.
Note: You can run the command periodically from a cron script.
Fix:
Inbound sockets in restjavad no longer causes a memory leak.
525562-2 : Debug TMM Crashes During Initialization
Component: Access Policy Manager
Symptoms:
Debug version of TMM (tmm.debug) generates core file and fails to start up.
Conditions:
This issue happens when running debug version of TMM on a multi-blade chassis/vCMP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to use default version of TMM (tmm.default)
Fix:
Removed unnecessary debug assert statements from TMM.
525478-3 : Requests for deflate encoding of gzip documents may crash TMM
Solution Article: K80413728
Component: WebAccelerator
Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.
Conditions:
-- WAM/AAM enabled on VIP.
-- HTTP compression enabled on VIP.
-- Document served with gzip encoding and non-deflate compression.
-- Document has entered the gzip cache.
-- Client HTTP request specifies deflate encoding.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed.
Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.
Fix:
Correctly handles requests for deflate compression of cached gzip documents with non-deflate compression methods.
525429-13 : DTLS renegotiation sequence number compatibility
Component: Access Policy Manager
Symptoms:
OpenSSL library was modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.
Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.
Impact:
The current APM client is not compatible with new OpenSSL libary.
Fix:
The APM client is now compatible with both the old and new OpenSSL library.
525384-3 : Networks Access PAC file now can be located on SMB share
Component: Access Policy Manager
Symptoms:
Network Access web components or Edge Client fail to download PAC file if it is located on SMB share as
file:////pac.file.hoster.local/config.pac.
Conditions:
Network Access with Client Proxy Settings Enabled,
PAC file path is set to somewhere on SMB share.
Impact:
Impossible to configure Network Access with PAC file located on SMB share.
Workaround:
Put PAC file to HTTP server, configure Network Access accordingly.
Fix:
Now Network Access components can obtain PAC file from SMB share.
525322-6 : Executing tmsh clientssl-proxy cached-certs crashes tmm
Component: Local Traffic Manager
Symptoms:
tmm crash while executing "tmsh clientssl-proxy cached-certs" command
Conditions:
ssl forward proxy virtual with a clientssl profile name longer than 32 characters which includes the partition name as well. (/Common/<profilename> -> has length more than 32 chars).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep the profile name lengths less than 32 chars, or do not run the command until fixed.
Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.
525232-10 : PHP vulnerability CVE-2015-4024
Solution Article: K16826
524960-5 : 'forward' command does not work if virtual server has attached pool
Solution Article: K17434
Component: Local Traffic Manager
Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.
Conditions:
Virtual server with:
- Pool.
- iRule that issues 'forward' commands.
Impact:
Connections are routed to pool member instead of destination determined by network routes.
Workaround:
Remove pool assigned to virtual server and select the pool using an iRule with a 'pool' command when 'forward' command is not issued.
Fix:
'forward' command releases previously selected pool member to enabled connection to be routed based on packet destination, as expected.
524909-3 : Windows info agent could not be passed from Windows 10
Component: Access Policy Manager
Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.
Conditions:
n/a
Impact:
n/a
Workaround:
n/a
Fix:
Now BIG-IP APM support Windows Info action on Windows 10 clients.
524756-1 : APM Log is filled with errors about failing to add/delete session entry
Component: Access Policy Manager
Symptoms:
APM log is filled with the following error when the issue occurs:
May 21 16:34:16 BIG-IP4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)
Conditions:
If a session times out before it completes policy evaluation, APM will still attempt to delete its marker from the established session namespace and, hence, results in ERR_NOT_FOUND error
Impact:
There is no functional impact. However, APM log may become useless if the volume of the error is big.
Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.
524748 : PCCD optimization for IP address range
Component: Advanced Firewall Manager
Symptoms:
Pccd blob size grow too big with large scale policy configuration. Which cause slow compilation and serialization.
Conditions:
large scale policy configuration.
Impact:
Slow compilation/serialization and large pccd blob.
Workaround:
N/A
Fix:
With PCCD ip address range optimization, PCCD will reduce it's compilation/serialization time and blob size.
524666-2 : DNS licensed rate limits might be unintentionally activated.
Component: Local Traffic Manager
Symptoms:
DNS licensed rate limits might be unintentionally activated.
Conditions:
This might occur with a license in which DNS services is unlimited, but BIG-IP DNS (formerly GTM) is limited.
Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters will activate, even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags such as hardware DNS, might deactivate improperly even though rates are unlimited.
Workaround:
None.
Fix:
DNS licensed rate limits are now handled as expected.
524641-4 : Wildcard NAPTR record after deleting the NAPTR records
Solution Article: K11504283
Component: Local Traffic Manager
Symptoms:
There is a dns query issue when adding/deleting a NAPTR record through the Zonerunner.
Conditions:
After deleting a specific NAPTR record, the previously added wildcard NAPTR record will fail for wildcard dig queries and the system does not show the correct subdomains.
Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.
Workaround:
None.
Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.
524606-2 : SElinux violations prevent cpcfg from touching /service/mcpd/forceload
Component: TMOS
Symptoms:
'cpcfg' fails when copying configurations to an adjacent boot location.
Conditions:
11.5.3 and 11.6.0 installed on two boot locations
Impact:
'cpcfg' cannot be used
Workaround:
re-install software to target volume. configuration will be properly rolled forward as final step in software installation
Fix:
Corrected parameter count mismatch
524490-7 : Excessive output for tmsh show running-config
Solution Article: K17364
Component: TMOS
Symptoms:
The tmsh show running-config displays many default configuration items. Although the output does display the user-configuration items as expected, it is not expected to include default configuration items in the output.
Conditions:
tmsh show sys running-config.
Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.
Workaround:
None.
Fix:
tmsh show sys running-config shows minimal default configuration.
524428-2 : Adding multiple signature sets concurrently via REST
Component: Application Security Manager
Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.
Conditions:
Multiple ASM signature sets are added concurrently using REST.
Impact:
Some signature set REST add actions will fail due to deadlock.
Workaround:
Wait until signature set add action has completed in REST before issuing the next add.
Fix:
Multiple signature sets can be added concurrently using REST.
524333-5 : iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.
Solution Article: K55005622
Component: TMOS
Symptoms:
When pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period, an 'Internal error' response is received.
This issue is not seen if another iControl call is made and pkcs12_import_from_file_v2 is tried after that.
Conditions:
pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period.
Impact:
iControl command may fail if httpd is restarted or session times out.
Workaround:
None.
Fix:
iControl command pkcs12_import_from_file_v2 now completes successfully if httpd is restarted or session times out.
524326-3 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
Component: TMOS
Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.
Conditions:
User has deleted the last IP address on a GTM server.
Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.
Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.
Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.
524300-1 : The MOS boot process appears to hang.
Solution Article: K71003856
Component: TMOS
Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.
Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS.
Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it.
If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.
Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot.
No further action is required. This temporary installation of BIG-IP version 12.0.0 can be deleted once completed.
This temporary installation of version 12.0.0 has the effect of upgrading MOS to a version which resolves this issue.
Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS now retains its connection to the serial console.
524281-1 : Error updating daemon ha heartbeat
Component: TMOS
Symptoms:
During shutdown you see the following error in /var/log/ltm: err vcmpd[8590]: 01510004:3: Error updating daemon ha heartbeat: VcmpdHeartbeat.cpp:251 error 0x01140031
Conditions:
This issue applies only on shutdown if the shutdown takes a long time.
Impact:
Error messages are displayed, but as long as this is occurring only on shutdown this means that vcmpd is unable to communicate with sod, which has already shut down.
Fix:
vcmpd will now only log "Error updating daemon ha heartbeat" if the system is not shutting down.
524279-4 : CVE-2015-4000: TLS vulnerability
Solution Article: K16674
524126-3 : The DB variable provision.tomcat.extramb is cleared on first boot.★
Solution Article: K02142351
Component: TMOS
Symptoms:
You are unable to get to the GUI after upgrading to 11.5.x or 11.6.x from a prior version. The DB variable provision.tomcat.extramb is 0 (zero) after upgrading using a configuration with the variable set to a non-zero value.
Conditions:
The DB variable provision.tomcat.extramb set to a value other than 0 before installing.
Impact:
The DB value is not rolled forward, so the GUI gets less than expected amount of memory.
Workaround:
After the first boot, set the DB variable provision.tomcat.extramb to the desired amount or restore the saved UCS at /var/local/ucs/config.ucs.
Fix:
The DB variable provision.tomcat.extramb now retains the specified value when rolling forward a configuration.
524004-2 : Adding multiple signatures concurrently via REST
Component: Application Security Manager
Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.
Conditions:
Multiple ASM signatures are added concurrently using REST.
Impact:
Some signature REST add actions will fail due to deadlock.
Workaround:
Wait until signature add action has completed in REST before issuing the next add.
Fix:
Multiple signatures can be added concurrently using REST.
523922-6 : Session entries may timeout prematurely on some TMMs
Component: TMOS
Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.
Conditions:
When the TMM owning the session entry is a different one to the TMM handling the connection and the entry is retrieved, for example via irule, "session lookup uie"; the timeout will be extended.
When the TMM owning the entry and the one handling the connection is the same, then the entry may not have its timeout changed and lead to premature removal.
Impact:
Different TMMs may behave differently and cause confusion when using the session table.
Workaround:
None
Fix:
Session table entries now consistently get their timeout values touched in all scenarios.
523867-2 : 'warning: Failed to find EUDs' message during formatting installation
Component: TMOS
Symptoms:
The following message may appear on the console:
warning: Failed to find EUDs
warning: Failed to get volume id for EUD
Conditions:
This warning occurs during a formatting installation.
Impact:
No impact. The message was intended to be logged at the 'info' level.
Workaround:
N/A
Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from a warning to info
523863-1 : istats help not clear for negative increment
Component: TMOS
Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.
Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.
Impact:
Bash shell would print a cryptic error and the help did not clarify how to make it work
Workaround:
Research bash shell options for the cryptic error.
Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.
523854-4 : TCP reset with RTSP Too Big error when streaming interleaved data
Solution Article: K35305250
Component: Service Provider
Symptoms:
RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. A RST is sent by BIG-IP with cause "Too big".
There is an RTSP profile parameter Maximum Header Size. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of parameter Maximum Queued Data, that parameter is exceeded and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report as the system is not out of memory).
Conditions:
RTSP profile configured.
Interleaved stream.
Packet retransmissions due to an unreliable connection.
Impact:
RTSP traffic is interrupted or dropped
TCP session is reset with a cause of "Too Big" or "Hudfilter abort".
Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64 KB. This reduces the likelihood of failure, but is only a partial workaround.
Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.
523642-4 : Power Supply status reported incorrectly after LBH reset
Component: TMOS
Symptoms:
On BIG-IP appliances with the Backplane Micro-Controller Hybrid (LBH) type of Always-On-Management device, Power Supply status reporting and enumeration may function incorrectly if the LBH resets due to a watchdog reboot or other cause.
Conditions:
This may occur on BIG-IP 2000-/4000-series, BIG-IP 5000-/7000-series, and BIG-IP 10000-/12000-series platforms.
Impact:
Resets of the LBH device occur very rarely.
When this issue occurs, the status reporting and enumeration of appliance power supplies may be inaccurate.
Errors may be reported when attempting to obtain sensor values from non-present power supplies.
Power supply presence, status and identification may be reported incorrectly following power supply removal or reinsertion.
Workaround:
To work around this issue and restore correct reporting of power supply status, you can restart the chmand process. To do so, perform the following procedure:
Impact of workaround: Restarting the chmand process also restarts core BIG-IP system daemons such as TMM. Running this procedure interrupts traffic processing.
1.Log in to the BIG-IP command line.
2.To restart the chmand process, type the following command:
bigstart restart chmand.
Fix:
Power Supply status is now reported correctly after LBH reset.
523527-10 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★
Solution Article: K43121346
Component: TMOS
Symptoms:
If you are directly upgrading from version 10.x to version 11.2.0 or later with a working dynamic routing protocols configuration may encounter that the routing protocol is disabled on upgrade to 11.2.0 or later.
Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (zero) (RD0) configuration, that is defaults of all VLANs in RD0, no comment, leading to no existing configuration in bigip_base.conf
Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).
Workaround:
There are several workarounds to this issue:
- Causing the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
- Re-adding the routing protocol to the RD0 configuration after the upgrade.
- Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to an 11.2.0 or later version.
Fix:
Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later.
523513-5 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
Component: Local Traffic Manager
Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.
Conditions:
Subsequent HTTP requests in the same TCP connection.
- First HTTP response contains empty payload and enabling the compression.
- Second HTTP response still gets compressed.
Impact:
Unintended compression for subsequent HTTP responses.
Workaround:
Disable compression in the else case manually in the iRule using COMPRESS::disable.
Fix:
Compression is now disabled after an HTTP response with empty payload for iRule-based enabling.
523471-3 : pkcs11d core when connecting to SafeNet HSM
Component: Local Traffic Manager
Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.
Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.
Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.
Workaround:
None.
Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.
523465-1 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
Component: Advanced Firewall Manager
Symptoms:
Prior to fix, if AFM rule serialization fails due to OOM condition in pktclass-daemon, it's not identifiable if the failure is due to Out of Memory condition or the Max Blob limit being reached. Both the errors were logged as OOM in /var/log/ltm
Conditions:
AFM rule serialization fails due to max blob limit
Impact:
Hard to isolate the problem that serialization failed due to max blob limit
Workaround:
None
Fix:
With the fix, AFM rule serialization failure due to max blob limit is logged appropriately in /var/log/ltm making it easier to identify the cause of the failure.
523434-5 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
Solution Article: K85242410
Component: TMOS
Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.
Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.
Impact:
All services on an affected blade restart.
Workaround:
None.
Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.
523431-1 : Windows Cache and Session Control cannot support a period in the access profile name
Component: Access Policy Manager
Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.
Conditions:
Applies to any APM with Windows Cache and Session Control.
Impact:
Access Profile names cannot include a dot.
Invalid name: '/Common/profile.name'
Valid name: '/Common/profile_name'
Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.
523390-1 : Minor memory leak on IdP when SLO is configured on bound SP connectors.
Component: Access Policy Manager
Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.
Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.
Impact:
Several bytes of memory are leaked.
Workaround:
To work around the problem, disable SLO on SP connectors.
Fix:
Fixed memory leaks in SAML Identity Provider (IdP) when when SLO is configured in a Service Provider (SP) connector.
523329 : When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.
Component: Access Policy Manager
Symptoms:
TMM may restart
Conditions:
- BIG-IP is used as IdP.
- Client or Service Provider sends a number of specific invalid requests to BIG-IP
Impact:
TMM is not available while restarting
Fix:
Issue where TMM would restart as a result of invalid user request is now fixed.
523327-3 : In very rare cases Machine Certificate service may fail to find private key
Component: Access Policy Manager
Symptoms:
Non-elevated client component is able to find certificate but not the key, while machine cert service/F5 Elevation Helper fails to find certificate.
f5certhelper.txt (helper) or logterminal.txt (in windows\temp folder for service) contains:
1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004
Conditions:
IE/Edge Client is not running under Admin user.
Special certificate is used.
Impact:
User fails to pass access policy.
Workaround:
Run IE/BIG-IP Edge Client under administrator.
Fix:
Now both service and elevation helper can find those specific certificates.
523261-2 : ASM REST: MCP Persistence is not triggered via REST actions
Component: Application Security Manager
Symptoms:
Some REST calls that affect Security policies should be persistent to BIG-IP config files after their completion (create, delete, association to virtual servers, and changing language encoding), but are not.
Conditions:
REST API is being used to manage Security Policies.
Impact:
If the device is restarted configuration may be lost.
Workaround:
Any other action that will persist configuration (like an ASM config change through the GUI, or any LTM configuration change).
Fix:
Configuration is now correctly persisted when required after ASM REST actions.
523260-2 : Apply Policy finishes with coapi_query failure displayed
Solution Article: K52028045
Component: Application Security Manager
Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.
Conditions:
Unknown.
Impact:
The policy is correctly applied locally, the coapi_query error message occurs after the commit.
This error, however, prevents correct behavior for device group synchronization of the change.
Workaround:
Use REST API to apply the policy:
POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{
"policy": {
"fullPath": "/Common/<POLICY_NAME>"
}
}
Fix:
This release fixes an error that intermittently caused the Apply Policy action to fail.
523222-7 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
Component: Access Policy Manager
Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.
Conditions:
Citrix Storefront configured in integration mode through APM.
Impact:
HTML5 client not usable for this sort of integration
Fix:
Fixed Citrix HTML5 handling code so that it works fine with the Redirect endings in access policies.
523201-1 : Expired files are not cleaned up after receiving an ASM Manual Synchronization
Component: Application Security Manager
Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.
Conditions:
An ASM manual synchronization device group is being used.
Impact:
May eventually lead to disk space exhaustion.
Workaround:
None.
Fix:
Files are now correctly cleaned up after loading a new configuration.
523125-1 : Disabling/enabling blades in cluster can result in inconsistent failover state
Solution Article: K17350
Component: TMOS
Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.
Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.
Impact:
When the blades disagree about active/standby state, traffic might be disrupted.
Workaround:
None.
Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.
523079-1 : Merged may crash when file descriptors exhausted
Component: Local Traffic Manager
Symptoms:
The merged daemon crashes.
Conditions:
The limit on file descriptors is exceeded.
Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.
Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.
Fix:
Fixed a crash bug in Merged.
523032-5 : qemu-kvm VENOM vulnerability CVE-2015-3456
Solution Article: K16620
522871-4 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
Solution Article: K13764703
Component: TMOS
Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).
Conditions:
Use deletion in a nested TMSH command. For example:
tmsh modify gtm server GTM1 virtual-servers delete {f*}
This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.
Impact:
All objects are deleted, instead of those targeted for delete.
Workaround:
None.
Fix:
Nested wildcard deletion now deletes matched objects only.
522837-3 : MCPD can core as a result of another component shutting down prematurely
Component: TMOS
Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.
Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.
Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.
Workaround:
None.
Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.
522791-1 : HTML rewriting on client might leave 'style' attribute unrewritten.
Solution Article: K45123459
Component: Access Policy Manager
Symptoms:
In some cases, the 'style' attribute of HTML tag containing CSS styles is not rewritten.
Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.
Impact:
Images added with inline CSS styles are not displayed.
Direct requests to the backend are sent from browser.
Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.
Fix:
The HTML 'style' attribute is correctly rewritten for any tag.
522784-3 : After restart, system remains in the INOPERATIVE state
Component: Local Traffic Manager
Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization.
During this time the following advanced shell command may produce one or more lines of output:
# bigstart status | grep waiting
However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.
Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* 522784, may experience this issue. There are no officially supported BIG-IP releases that have this condition.
Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.
Workaround:
In order to work around this problem, de-provision ASM.
Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.
522304-1 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
Component: TMOS
Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.
Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.
Impact:
Password policy may not be enforced consistently across all devices.
Workaround:
None.
522231-2 : TMM may crash when a client resets a connection
Component: WebAccelerator
Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache TMM may crash causing failover and restart of AAM. A profile on a virtual from another BIG-IP module (other than AAM and LTM) may contribute to the issue.
Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) Client resets a connection immediately after the request is done and the response has not started to serve.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Install the fix.
Fix:
Fix removes the condition when AAM starts to serve the response to the already aborting connection.
522147-1 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI
Component: Local Traffic Manager
Symptoms:
Web GUI does not save config after key conversion to FIPS
Conditions:
On a Cavium-FIPS BIG-IP, create a normal key and then covert to FIPS using web GUI
Impact:
'tmsh load sys config' fails
Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after the key conversion to FIPS using web GUI
2) Convert normal key to FIPS using tmsh instead of web GUI
Fix:
Web GUI is now fixed to properly save config after key conversion to FIPS
521835-1 : [Policy Sync] Connectivity profile with a customized logo fails
Component: Access Policy Manager
Symptoms:
Policy sync failed with a customized logo in connectivity profile.
Conditions:
Configure a customized logo on the connectivity profile.
Associate the profile with the access profile through a virtual server.
Start a policy sync.
Impact:
Policy Sync fails.
Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.
Fix:
A user can include a customized logo in a connectivity profile and sync it.
521813-3 : Cluster is removed from HA group on restart
Component: Local Traffic Manager
Symptoms:
When the system is rebooted (or "bigstart restart" is executed), any HA groups with clusters in them will have those clusters removed.
Conditions:
Chassis-based system with an ha-group and ha-group-cluster configured. All blades have to reboot, since if a single blade is rebooted it pulls the running-config from the primary slot.
Impact:
HA cluster configuration is missing every time all the blades are rebooted.
Fix:
Reverted changes made for ID481611.
521774-2 : Traceroute and ICMP errors may be blocked by AFM policy
Solution Article: K17420
Component: Local Traffic Manager
Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.
Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.
Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.
Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.
521773-1 : Memory leak in Portal Access
Solution Article: K10105099
Component: Access Policy Manager
Symptoms:
Memory consumption of "rewrite.*" processes is growing constantly.
On manually taken core file, result of following command is large (more than 100000).
zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l
Conditions:
Memory leaks in cases when POST request content could be modified by Portal Access (for example, xml).
Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.
Workaround:
This issue has no workaround at this time.
Fix:
Fixed a memory leak of request urls in rewrite plug-in.
521711-3 : HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
Solution Article: K14555354
Component: Local Traffic Manager
Symptoms:
If the client sends a non-keepalive CONNECT request (in HTTP 1.0 with no Connection header, in 1.1 with Connection: close) to a OneConnect-enabled virtual server, HTTP forces the connection closed by sending FIN on both client and server flows, even if the server responds with a 200. If the connect is successful, HTTP should leave flows open regardless of the HTTP headers.
Conditions:
- HTTP and OneConnect profiles are attached to the virtual server.
- Client sends a non-keepalive CONNECT request (either 1.0/no-Connection-Header request or 1.1/'Connection: close' header.
- Server responds to the CONNECT request with successful 200 OK.
Impact:
HTTP adds a Connection: close header when responding to the client after a successful response is received from the server. In addition, HTTP closes the connection by sending FIN on both client and server flows. If the server responds to the CONNECT request with 200 OK, the connection should remain open.
Workaround:
You can use the following iRule to work around this issue:
when HTTP_REQUEST {
if { [HTTP::method] eq "CONNECT" } {
HTTP::disable
}
}
Fix:
HTTP now keeps the connection open if client sends a non-keepalive request and server responds with 200 OK on One-Connect enabled virtual. This is correct behavior.
521556-2 : Assertion "valid pcb" in TCP4 with ICAP adaptation
Component: Service Provider
Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c
Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or TCP small window (flow-control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.
Impact:
Intermittent crash under load. Traffic disrupted while tmm restarts.
Fix:
Assertion "valid pcb" does not occur.
521548-5 : Possible crash in SPDY
Component: Local Traffic Manager
Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.
Conditions:
This is very rare and the exact circumstances are unclear, It involves SPDY, a compression profile and a congested client connection and a stream being reset by the browser (using a RST_STREAM frame).
Impact:
Very rarely a crash may occur.
Workaround:
Don't apply the compression profile.
Fix:
A sporadic crash when using SPDY together with a compression profile no longer occurs.
521538-3 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
Solution Article: K08025400
Component: Local Traffic Manager
Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.
Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the profile for TCP. After a failover, there was traffic before the flow timed out, then the traffic becomes idle. If there is no traffic after failover, the correct sequence numbers are unknown, then this is expected behavior: the flow times out due to inactivity. If there is traffic after failover, the correct TCP sequence numbers are known; if there is traffic after failover, and then the flow becomes idle, keep-alive transmissions should resume.
Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).
Workaround:
None.
Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known
521522-2 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop
Solution Article: K21981142
Component: Local Traffic Manager
Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.
Conditions:
No return route for the client IP address exists on the BIG-IP device.
Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.
Workaround:
If possible and allowed, add route entry for the traceroute client subnet.
Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.
521506-3 : Network Access doesn't restore loopback route on multi-homed machine
Component: Access Policy Manager
Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.
Conditions:
This issue happens if:
1. Network Access was established via Ethernet
2. Ethernet cable was unplugged
3. Network Access reconnects using Wi-Fi
4. Ethernet cable is plugged in back
Impact:
Minor routing issues may occur if one special loopback is removed. To restore this route affected adapter should be disabled and enabled.
Fix:
Fixed issues causing improper routing table management.
521455-5 : Images transcoded to WebP format delivered to Edge browser
Solution Article: K16963
Component: WebAccelerator
Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.
Conditions:
The AAM system's image optimization as well as the "optimize for client" setting must both be enabled, and the associated acceleration policy and application associated with one or more virtual servers.
Impact:
Some images will fail to render on the Edge browser.
Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.
Fix:
Transcoded WebP images are no longer served to the Edge browser.
By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.
521408-2 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core
Component: Local Traffic Manager
Symptoms:
An incorrect configuration on an irule associated to a BigTCP virtual server can lead to TMM to core.
Conditions:
The following circumstances are needed:
- BigTCP Virtual server
- FastL4 profile with syncookies enabled.
- Invalid iRule that will fail to execute, on LB_FAILED
- Syncookie currently activated in that moment.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Correct or remove the irule event and coring will no longer occur.
Fix:
TMM now correctly handles the specific scenario to no longer core.
521336-1 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
Component: Local Traffic Manager
Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.
Conditions:
When pkcs11d retries to wait for other services such as tmm or mcpd.
Impact:
After the system reboots, the /var/log/ltm shows initialize errors and the /var/log/daemon.log shows pkcs11_initialize messages: -- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying). -- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.
Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.
Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.
521183-3 : Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5★
Component: Application Security Manager
Symptoms:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------
Conditions:
-- ASM is provisioned.
-- Active DoS profile exists with 'Prevention Duration' set to a value less than 5.
Impact:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------
Workaround:
Set the 'Prevention Duration' to at least 'Maximum 5 seconds' in all active DoS profiles.
Fix:
This release fixes the upgrade process to work with active DoS profiles that have the 'Prevention Duration' setting set to a value less than 5.
521144-7 : Network failover packets on the management interface sometimes have an incorrect source-IP
Solution Article: K16799
Component: TMOS
Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.
Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.
Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.
Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:
# tmsh delete sys management-route 10.208.101.0/24
# tmsh save sys config
# echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
# reboot
Fix:
Network failover packets on the management interface now have the correct source-IP when device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.
521036-4 : Dynamic ARP entry may replace a static entry in non-primary TMM instances.
Component: Local Traffic Manager
Symptoms:
In a very rare occasion, a dynamic ARP entry may replace a static entry in non-primary TMM instances. When the BIG-IP system attempts to send packets to an address, "tmsh show net arp" lists two entries for the address: one static and the other shows up as "incomplete" status.
Conditions:
The issue is due to a very rare race condition, and the BIG-IP system is configured with a static ARP entry.
Impact:
The issue may impact traffic flow if traffic goes through non-primary TMM instances.
Workaround:
There is no workaround but the issue is very rare to occur.
Fix:
Dynamic ARP entry no longer replaces a static entry in non-primary TMM instances.
520924-3 : Restricted roles for custom monitor creation
Solution Article: K00265182
520796-2 : High ASCII characters availability for policy encoding
Component: Application Security Manager
Symptoms:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.
Conditions:
ASM is provisioned.
Impact:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.
Workaround:
none
Fix:
High ASCII characters are now available, for the relevant policy encodings, in all character sets.
520705-4 : Edge client contains multiple duplicate entries in server list
Component: Access Policy Manager
Symptoms:
Edge client contains multiple duplicate entries in the server list.
Conditions:
Edge client with duplicate entries in connectivity profile.
Impact:
Edge client shows duplicate entries.
Workaround:
Do not create duplicate entries in connectivity profile
Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.
Behavior Change:
BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.
520642-2 : Rewrite plugin should check length of Flash files and tags
Component: Access Policy Manager
Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.
Conditions:
This occurs when a Flash file is truncated or contains incorrect length value in file or tag headers.
Impact:
It may cause a crash and restart of Portal Access services.
Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.
520640-1 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
Solution Article: K31002924
Component: TMOS
Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.
Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.
Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.
Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).
Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.
520604-6 : Route domain creation may fail if simultaneously creating and modifying a route domain
Solution Article: K52431550
Component: Local Traffic Manager
Symptoms:
Failure trying to create and modify a route domain in a single operation.
Conditions:
Performing create and modify operations in the same transactions, as can be done using tmsh and iControl.
Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.
Workaround:
Perform create and modify operations in different transactions.
Fix:
Fixed a scenario where route domain creation might fail when using create and modify in the same transaction.
520585-1 : Changing Security Policy Application Language Is Not Validated or Propagated Properly
Component: Application Security Manager
Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the device group's status immediately returns to "Changes Pending".
Additionally calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.
Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding.
Or an application language is already set and is changed through the REST API.
Issue is seen most prominently in a device group when ASM sync is enabled on a Manual Sync Failover Group
Impact:
1) The change to encoding is not seen if looking at the result in tmsh.
2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.
Workaround:
Push another sync from the peer to the original device.
Fix:
Changes to Language encoding are now validated and propagated correctly.
520540-2 : Specific iRule commands may generate a core file
Component: Local Traffic Manager
Symptoms:
Accessing the information within a HTTP Authorization header via the HTTP::username, HTTP::password (or other method), may cause the TMM to generate a core file on some requests.
Conditions:
iRule that makes use of the HTTP::username, HTTP::password commands, or the sflow feature.
Impact:
Traffic disrupted while TMM generates a core file.
Workaround:
Modify iRule to manually truncate the size of the HTTP Authorization header.
Fix:
HTTP::username, HTTP::password iRule commands, and the sflow feature no longer generate a core file.
520466-3 : Ability to edit iCall scripts is removed from resource administrator role
Solution Article: K16728
520413-12 : TMM may crash when using woodside congestion control
Component: Local Traffic Manager
Symptoms:
In certainly configurations using woodside congestion control, TMM may crash
Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may crash.
Impact:
TMM may crash causing a failover event
Workaround:
Switching from woodside to illinois congestion control avoids issue.
Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.
520408-1 : TMM ASSERTs due to subkey_record field corruption in the SessionDB.
Component: TMOS
Symptoms:
TMM ASSERTs on 'Subkey is a subkey' in the SessionDB when releasing a record.
Conditions:
This is a rarely encountered issue that might require SAML traffic.
Impact:
TMM ASSERTS, and the system stops passing traffic.
Workaround:
None.
520405-2 : tmm restart due to oversubscribed DNS resolver
Component: Local Traffic Manager
Symptoms:
A max-concurrent-queries configuration setting significantly above default can lead to a situation that causes tmm to restart in certain traffic loads.
Conditions:
DNS cache resolver configured with max-concurrent-queries setting significantly above default.
Impact:
tmm is restarted.
Workaround:
Set the max-concurrent-queries configuration value closer to default.
Fix:
A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads.
520390-2 : Reuse existing option is ignored for smtp servers
Component: Access Policy Manager
Symptoms:
If policy is imported with reuse existing objects option and there is appropriate SMTP server, the newly imported policy would create and use a new one instead reusing the existing one.
Conditions:
Always
Impact:
Minor - easy to fix after import
Workaround:
Open assignment and reuse existing SMTP server, then delete old one.
Fix:
Reuse existing option works properly for SMTP servers.
520380-4 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
Solution Article: K41313442
Component: TMOS
Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.
Conditions:
Enable auto-sync and save-on-auto-sync.
Impact:
Low memory condition may result in system instability.
Workaround:
None.
Fix:
Enabled auto-sync and save-on-auto-sync no longer causes out-of-memory condition.
520298-1 : Java applet does not work
Component: Access Policy Manager
Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.
Conditions:
Website uses Java applet that is loaded with deprecated <applet> HTML tag.
Impact:
Websites can't use Java applets.
Fix:
Java applets now work correctly through Portal Access.
520280-2 : Perl Core After Apply Policy Action
Component: Application Security Manager
Symptoms:
Apply policy causes a perl core
Further apply policy do not work
Conditions:
ASM provisioned.
LTM provisioned.
An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.
Impact:
Apply policy causes a perl core and ASM config event dispatcher crash.
ASM config event dispatcher then is not restarted and remains down.
Further apply policy do not work.
Workaround:
Make sure that if an ASM policy exists that is referenced by an LTM (L7) policy then such LTM (L7) policy is assigned to some LTM virtual server.
one can create a dummy LTM virtual server for that purpose.
Fix:
Perl no longer cores and crashes ASM config event dispatcher in the case of an apply policy to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.
520205-2 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
Component: Access Policy Manager
Symptoms:
The rewrite plugin crashes. The following log message is in the log:
../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.
Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.
Impact:
Portal Access services restart.
Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.
520145-2 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
Component: Access Policy Manager
Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.
Conditions:
Profile of big size, for example, excessive use of ACL resource.
Impact:
Policy Sync fails.
Fix:
APM allows a user to sync a large and complex policy.
520118-3 : Duplicate server entries in Server List.
Component: Access Policy Manager
Symptoms:
There are multiple entries in the server list, possibly with different connection strings.
Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.
Impact:
Duplicate server entries in Server List.
Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.
Fix:
Single entry in the server list.
520088-1 : Citrix HTML5 Receiver does not properly display initial tour and icons
Component: Access Policy Manager
Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.
Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.
Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.
Workaround:
1. Open /config/bigip.conf for edit.
2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections.
3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections/
4. Save the file.
5. From the console, type the following command: tmsh load sys config.
Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.
520038-2 : Added/updated signatures are added to certain corrupted Manual user-defined sets.
Component: Application Security Manager
Symptoms:
Signature set may contain signatures which are not supposed to be part of the set.
Conditions:
Corrupted manual user-defined signature sets can no longer be created after the fix for Bug 441075. However, pre-existing corrupted manual sets will not be corrected by roll-forward/upgrade from a version prior to the fix.
Impact:
Requests may get blocked due to attack signatures which are actually not supposed to be in the policy.
Workaround:
As a workaround, to prevent signatures from being added to these Signature Sets in the future, use the following SQL:
----------------------------------------------------------------------
DELETE FROM PLC.NEGSIG_SET_FILTERS where set_id in (SELECT set_id FROM PLC.NEGSIG_SETS where flg_is_manual = 1)
----------------------------------------------------------------------
Alternatively, delete the affected Signature Set and re-create as manual.
Fix:
Pre-existing, corrupted, user-defined (manual) signature sets are now corrected after upgrading from an older version.
519966-1 : APM "Session Variables" report shows user passwords in plain text
Component: Access Policy Manager
Symptoms:
APM Session Variables report shows user passwords in plain text.
Conditions:
Has password session variable.
Impact:
It is not safe to show users' password in plain text.
Fix:
APM Session Variables report masks user passwords, displaying ************ instead.
519877-3 : External pluggable module interfaces not disabled correctly.
Component: TMOS
Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.
Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.
Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.
Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.
519864-2 : Memory leak on L7 Dynamic ACL
Component: Access Policy Manager
Symptoms:
There is a memory leak on Dynamic ACL with regard for HTTP related configuration such as HTTP host name, and HTTP URI path in ACL entry. The leaks occurs for every session as these entries are generated per session bases.
Conditions:
This occurs when using L7 Dynamic Access Control Lists.
Impact:
TMM memory usage increases.
Workaround:
Use static ACL whenever possible.
Fix:
L7 Dynamic ACL is no longer leaking memory.
519746-2 : ICMP errors may reset FastL4 connections unexpectedly
Component: Local Traffic Manager
Symptoms:
FastL4 connections may be reset when receiving an ICMP packet
Conditions:
ICMP packet with an embedded TCP packet is received on an ePVA accelerated flow
Impact:
Connection is reset
Fix:
TCP sequence numbers embedded in an ICMP packet are no longer validated on ePVA accelerated flows.
519510-4 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
Solution Article: K17164
Component: TMOS
Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs.
The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.
Conditions:
1. Traffic traverses a tagged VLAN.
2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However in general, the required condition is reception of packets with VLAN header are received in uNIC driver.
Impact:
Potential throughput drop during a high volume of data transfer.
Workaround:
You can use either of the following workarounds:
1. Avoid using tagged VLANs.
2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot.
-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0.
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0.
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0.
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0.
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0.
Fix:
Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum.
519415-4 : apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
Component: Access Policy Manager
Symptoms:
If you want to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore irules.
There seems to be a workaround for this through tmsh (not ui) by attaching iRules (related-rules) to main virtual that gets run on ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is (for example):
tmsh modify ltm virtual vs_dtls related-rules { idle_time }
The problem here was APM Network Access used to ignore the related-rules on main virtual and the rules weren't triggered.
Conditions:
APM Network access use case.
Impact:
Related rules on main virtual are not applied to ephmeral listeners; (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).
Workaround:
none.
Fix:
iRules get executed on Ephemeral listeners.
519252-1 : SIP statistics upgrade★
Component: Application Visibility and Reporting
Symptoms:
SIP data is lost when upgrading.
Conditions:
Collect SIP data,
Upgrade to newer version (from 11.5.0 to 12.0.0 or beyond).
Impact:
SIP data is lost.
Fix:
After upgrading from version 11.5.3 and later, collected SIP statistics are now moved to the new version.
519217-2 : tmm crash: valid proxy
Solution Article: K89004553
Component: Local Traffic Manager
Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.
Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.
Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.
Workaround:
None.
Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.
519216-3 : Abnormally high CPU utilization from external SSL/OpenSSL monitors
Component: TMOS
Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.
Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location.
Builtin monitors are not affected, e.g., https, inband.
Impact:
High CPU utilization reported with potential performance degradation.
Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status.
Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.
Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.
519198-2 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
Component: Access Policy Manager
Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.
Conditions:
Log in as different admin user than the default "admin".
Sync a policy that was created in a non-Common partition..
Impact:
Policy Sync fails
Workaround:
Log in as default "admin" user.
Fix:
APM allows a user to log in as any admin user to sync policy in any partition.
519081-6 : Cannot use tmsh to load valid configuration created using the GUI.
Component: TMOS
Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.
Conditions:
This occurs with the following configuration: 1) Configure server with :* members. 2) Configure member-specific gateway-icmp monitor for the :* member. 3) Assign any L4/7 monitor at the server level. (http/tcp, etc., with the default '*:*' destination in the monitor).
Impact:
Although the configuration is valid, it fails to load with error: err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/my-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }
Workaround:
Remove the parent TCP monitor.
Fix:
The server configuration of :* members now loads without error using tmsh.
519068-2 : device trust setup can require restart of devmgmtd
Component: TMOS
Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset and messaging about self-signed certificates.
Conditions:
This occurs when devices are being added to and deleted from the device trust.
Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.
Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).
Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.
519059-2 : [PA] - Failing to properly patch webapp link, link not working
Component: Access Policy Manager
Symptoms:
Any attribute URL in a HTML content is rewritten as "javascript:location=..." if is <base> tag is situated before the tag with the attribute, a content hint is not set in the HTML rules for the attribute and it's not the cookieless mode.
Conditions:
Webapp link is not properly patched.
Impact:
Rewritten links are not accessible.
Fix:
WebApp links are now properly rewritten.
519053-4 : Request is forwarded truncated to the server after answering challenge on a big request
Component: Application Security Manager
Symptoms:
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.
Conditions:
The request size is between 5k-10k.
Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.
Impact:
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.
Workaround:
Change the internal parameter size max_raw_request_len to 10000.
Fix:
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.
519022-1 : Upgrade process fails to convert ASM predefined scheduled-reports.★
Solution Article: K01334306
Component: Application Visibility and Reporting
Symptoms:
Upgrade from versions prior to 11.5 fail, if the scheduled report is using the predefined settings named: Top alerted and blocked policies.
Conditions:
There is a scheduled report that is using the predefined settings named: Top alerted and blocked policies. It can be triggered on upgrade to versions prior to 11.5.4, 11.6.1, and 12.0.0
Impact:
Upgrade process fails.
Workaround:
None.
Fix:
A scheduled report using the predefined settings named: 'Top alerted and blocked policies' no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report-type to the correct one and thus the upgrade process does not fail anymore.
518981-1 : RADIUS accounting STOP message may not include long class attributes
Component: Access Policy Manager
Symptoms:
The class attribute should be sent back to RADIUS server unmodified.
However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.
Conditions:
The BIG-IP system is configured with an Access Policy that contains RADIUS Acct agent. The
RADIUS server is configured to send class attributes with total size of greater than 512bytes.
Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.
Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.
518583-3 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
Component: Access Policy Manager
Symptoms:
Windows Network Access restores redundant default route if client roaming from networks in loop e.g.:
NetworkA -> NetworkB -> NetworkA.
Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)
Impact:
Incorrect default route may cause routing issues on client machine if metric of interfaces connected to NetworkB is lower than metric of interfaces connected to NetworkA
Workaround:
N/A
Fix:
Fixed issue causing redundant default route under described conditions.
518550-5 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
Component: Access Policy Manager
Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.
Conditions:
HTML form with absolute path in 'action' attribute;
'onsubmit' event handler for this form.
Impact:
Web application may work incorrectly.
Workaround:
There is no general workaround. But if 'action' value can be converted to relative path or to full URL (with host), this can be done using iRule.
Fix:
Now value of form 'action' attribute is correct inside event handlers.
518283-4 : Cookie rewrite mangles 'Set-Cookie' headers
Solution Article: K16524
Component: TMOS
Symptoms:
'Set-Cookie' headers are syntactically invalid.
Conditions:
Rewrite profile and 'Set-Cookie' header has 'Expires' attribute before 'Path' attribute.
Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).
Workaround:
Put the 'Path' attribute before 'Expires' attribute.
Fix:
The 'Expires' attribute is now properly parsed.
518275-3 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file
Solution Article: K48042976
518260-4 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
Component: Access Policy Manager
Symptoms:
NTLMSSP_TARGET_INFO flag is set on NTLMSSP_CHALLENGE message that is generated by ECA, although Target Info attribute itself is included. Certain NTLM clients may ignore the target info attribute due to this issue, and fall back to use NTLM v1 authentication. With ActiveDirectory default configuration this is not an issue. However, if you had specifically required NTLMv2 in your policy, then the authentication will never succeed due to mismatch of the protocol.
Conditions:
This occurs when NTLMv2 is set to required and NTLMv1 is denied in your ActiveDirectory policy.
Impact:
Users cannot authenticate.
Fix:
NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.
518086-1 : Safenet HSM Traffic failure after system reboot/switchover
Component: Local Traffic Manager
Symptoms:
SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover.
Conditions:
Restart of services on primary or secondary blade.
Impact:
Now traffic will fail. There will be no pkcs11 connection on new primary blade.
Workaround:
The workaround is to restart pkcs11d on the secondary blade.
Fix:
Wait and try SafeNet hardware security module (HSM) communication when MCPD is fully loaded.
518039-2 : BIG-IQ iApp statistics corrected for partition use cases
Component: TMOS
Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.
Conditions:
iApps are running in an administrative partition.
Impact:
BIG-IQ fails to get statistics from iApps running on BIG-IP.
Fix:
Certain iApps deployed by BIG-IQ now provide statistics.
518020-10 : Improved handling of certain HTTP types.
Solution Article: K16672
Component: Local Traffic Manager
Symptoms:
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.
Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server.
If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as 1.1, and both the servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers timeout the connection a few seconds later.
F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.
Impact:
This has the potential to exhaust the number of connections at the backend.
Workaround:
Mitigations:
1) iRule that can drop the connections after a specified amount of idle time.
2) iRule to validate the request line in an iRule and fix it.
3) Tuning of profile timeouts
4) ASM prevents this issue.
Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
517988-1 : TMM may crash if access profile is updated while connections are active
Component: Access Policy Manager
Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.
Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
(These are untested...)
Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals.
With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.
Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.
517872-2 : Include proxy hostname in logs in case of name resolution failure
Component: Access Policy Manager
Symptoms:
It's hard to troubleshoot cases when proxy name resolution failure happens.
Conditions:
Troubleshooting is required in proxy name resolution area.
Impact:
Network Engineer has problems with identifying root cause.
Fix:
Now proxy hostname is printed to logfile when resolution fails.
517790-11 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
Component: Local Traffic Manager
Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)
If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.
Conditions:
Non-HTTP data sent to the server-side not belonging to a response.
Impact:
Banner protocols, where the a server will respond before seeing any data will not pass through the Transparent HTTP proxy.
Non-HTTP protocols that start with a pseudo-HTTP response, followed by extra data will reject the connection when the extra data is seen.
Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.
Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.
517714-2 : logd core near end of its life cycle
Component: TMOS
Symptoms:
logd can core on shutdown.
Conditions:
Forcing shutdown of logd
Impact:
logd does not shut down gracefully.
Workaround:
N/A
Fix:
This is seen when forcing shutdown of logd only.
517613-2 : ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
Component: Local Traffic Manager
Symptoms:
ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps.
Conditions:
Create a ClientSSL profile (p1) with user-defined key/certificate/chain.
Create another clientSSL profile (p2) with all default fields.
Modify p2 to have the defaults from p1.
Impact:
GUI shows the right key/certificate/chain in p2, whereas tmsh shows p2 to have default key and certificate.
Workaround:
None.
Fix:
ClientSSL profile now has the correct key/certificate/chain when multiple profiles are created with differing key/certificate/chain values.
517590-1 : Pool member not turning 'blue' when monitor removed from pool
Component: Local Traffic Manager
Symptoms:
Pool member's status does not update when a monitor is removed from the pool.
Conditions:
Must have a pool configured with a monitor and pool members
Impact:
Traffic may be routed incorrectly
Workaround:
One may be able to update the pool member status by toggling the pool member's state down and then up again.
Fix:
The pool member's status updates when the pool's monitor is removed.
517582-5 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot delete a region even though it is not referenced by any record.
Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.
Impact:
Hard to manage topology regions.
Workaround:
Restart mcpd.
Fix:
Can now delete regions after failed deletion.
517580-2 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
Solution Article: K16787
Component: TMOS
Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.
Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.
Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.
Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.
Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.
517564-2 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
Component: Access Policy Manager
Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page.
AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).
Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389).
LDAP Group Resource Assign agent is added to an Access Policy.
Impact:
It is impossible to update group list from LDAP server.
LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.
Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).
517556-2 : DNSSEC unsigned referral response is improperly formatted
Component: Local Traffic Manager
Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.
Conditions:
DNSSEC processing an unsigned referral response from DNS server.
Impact:
DNSSEC referral response is not RFC compliant.
Workaround:
None.
Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.
517510-5 : HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
Component: Local Traffic Manager
Symptoms:
When supplying HTTP containing body text to the HTTP monitor, the system might append extra CR/LF pairs to the end.
Conditions:
HTTP monitor with text specifying HTTP body text.
Impact:
This may cause malformed POST or PUT messages.
Workaround:
Limited work-around entails providing an alternative HTTP health check that does not require PUTting or POSTing a body.
Fix:
The HTTP monitor has been fixed to avoid adding additional CR/LF pairs, except for the case where only headers are supplied and there are insufficient CR/LF supplied to terminate the headers.
517465-3 : tmm crash with ssl
Component: Local Traffic Manager
Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.
Conditions:
An SSL alert is sent during the SSL handshake.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None known
Fix:
A tmm crash related to alerts during a SSL handshake failure has been fixed.
517456-2 : Resetting virtual server stat increments cur_conns stat in clientssl profile
Solution Article: K00254480
Component: Local Traffic Manager
Symptoms:
When there are active connections on the virtual server, resetting its virtual server stat through tmsh reset-stats ltm virtual virtual_name, doubles the client ssl profile cur_conns/cur_native_conns/cur_compat_conns.
Conditions:
- SSL virtual server.
- Active connections on the virtual server.
- Virtual server stat reset which active connections are occurring.
Impact:
Invalid statistics values on the client ssl profile stats.
Workaround:
None.
Fix:
Resetting virtual server stats no longer increments cur_conns stat in clientssl profile, which is correct behavior.
517441-4 : apd may crash when RADIUS accounting message is greater than 2K
Component: Access Policy Manager
Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.
Conditions:
RADIUS Acct agent is configured and an AP
with numerous attributes in RADIUS Acct request
Impact:
service becomes unavailable while restarting apd process
Fix:
The maximum size of RADIUS packet is now set to 4K (RFC2865).
If the total size of attributes is greater than 4K, the packet will be truncated to 4K.
517388-6 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
Component: TMOS
Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.
Conditions:
RDNs other than those in the subject/issuer are not parsed correctly.
Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.
Workaround:
None.
Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs.
517282-6 : The DNS monitor may delay marking an object down or never mark it down
Solution Article: K63316585
Component: Local Traffic Manager
Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.
Conditions:
A DNS monitor with no configured recv string and the monitor receives an ICMP error other than port unreachable.
Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.
Workaround:
Supply an appropriate recv string to the monitor definition:
tmsh modify ltm monitor dns mydns recv 10.1.1.1
Or add another monitor to the object:
tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }
Fix:
DNS monitor should mark server down when getting ICMP admin prohibited error. This is correct behavior.
517209-6 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
Solution Article: K81807474
Component: TMOS
Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp or a relative path to these directories (for example, /config/../shared/tmp) saves the scf with the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable till the /var/tmp symlink to /shared/tmp is restored.
Conditions:
Saving the sys config file /var/tmp or /shared/tmp (or a relative patch to one of these directories).
Impact:
Some system functionality may be rendered unusable.
Workaround:
Use the following commands to delete the scf and restore the symlink and reset the permissions of the /shared/tmp directory:
-- rm -f /var/tmp
-- ln -s /shared/tmp /var/
-- chmod 01777 /shared/tmp
-- bigstart restart
Fix:
The /var/tmp or /shared/tmp are now invalid paths for the tmsh save sys config file command.
517146-2 : Log ID 01490538 may be truncated
Component: Access Policy Manager
Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".
Conditions:
Access profile snapshots are timing out and being deleted by the system.
Impact:
Most likely just corrupted log messages. A very slight chance of a crash, due to the string terminator being written to the wrong location in memory.
Workaround:
No workaround.
Fix:
Log ID 01450538 prints correctly to /var/log/apm now.
517124-6 : HTTP::retry incorrectly converts its input
Component: Local Traffic Manager
Symptoms:
The HTTP::retry iRule converts its input into UTF8. If the input is a bytearray using some other locale, then bytes with the high-bit set may be corrupted.
The resulting corrupted request will then be sent to the server as the retried request.
Conditions:
The input to HTTP::retry is a TCL bytearray rather than a TCL string. The output from some commands i.e. HTTP::payload is a bytearray. Strings are in the UTF8 format, Bytearrays are not.
Impact:
Non-ascii characters may be corrupted when HTTP::retry is used.
Fix:
The HTTP::retry command no longer corrupts input that isn't in the UTF8 format.
517020-4 : SNMP requests fail and subsnmpd reports that it has been terminated.
Component: TMOS
Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.
Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.
Impact:
Loss of snmp data set to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.
Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.
Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.
517013-2 : CSS minification can on occasion remove necessary whitespace
Component: WebAccelerator
Symptoms:
CSS minification can on occasion remove necessary whitespace.
Example of incorrectly minified content:
//Comment1 @import url("http://example.com/test.jpeg");
becomes
//Comment1@import url("http://example.com/test.jpeg");
Conditions:
This occurs when using minification on CSS.
Impact:
CSS minification might remove necessary whitespace.
Workaround:
Disable minification on CSS.
Fix:
Fixed an issue which was causing removal of necessary whitespaces in CSS minification.
516995-8 : NAT traffic group inheritance does not sync across devices
Component: TMOS
Symptoms:
When a NAT object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.
Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.
Impact:
The inherited-traffic-group property must be manually maintained on all devices.
Workaround:
Enable the 'full sync' option instead of using incremental sync.
Fix:
NAT traffic group inheritance now syncs across devices using incremental sync.
516841-3 : Unable to log out of the GUI in IE8
Component: TMOS
Symptoms:
"Log out" button doesn't work in Microsoft Internet Explorer version 8 (IE8).
Conditions:
This occurs when clicking the "Log out" button in the GUI while using IE8.
Impact:
You cannot log out with the "Log out" button
Workaround:
Close and reopen IE8.
Fix:
You can now log out with the "Log out" button in Microsoft Internet Explorer version 8 (IE8).
516839-7 : Add client type detection for Microsoft Edge browser
Component: Access Policy Manager
Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.
Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.
Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.
Fix:
Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.
516816-2 : RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
Component: Local Traffic Manager
Symptoms:
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
Conditions:
The key cert pair type matches one of the following combinations:
1. RSA key/DSA-signed cert.
2. RSA key/ECDSA-signed cert.
Impact:
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.
Workaround:
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.
Fix:
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.
516685-1 : ZoneRunner might fail to load valid zone files.
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.
Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.
Impact:
The user cannot load a zone file via the GUI.
Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.
Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.
Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.
516680-1 : ZoneRunner might fail when loading valid zone files.
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.
Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.
Impact:
The user cannot load a zone file via the GUI.
Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.
Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.
Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.
516669-2 : Rarely occurring SOD core causes failover.
Solution Article: K34602919
Component: TMOS
Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.
Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.
Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.
Workaround:
None.
Fix:
Errors in handling memory have been fixed to prevent allocation failure.
516618-4 : glibc vulnerability CVE-2013-7424
Solution Article: K16472
516598-6 : Multiple TCP keepalive timers for same Fast L4 flow
Solution Article: K82721850
Component: Local Traffic Manager
Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.
Conditions:
Fast L4 profile with TCP Keepalive option enabled.
Impact:
TMM core.
Workaround:
Disable TCP Keepalive option from the Fast L4 profile.
Fix:
Prevent starting multiple TCP keepalive timer for the same fastL4 flow
516540-2 : devmgmtd file object leak
Component: TMOS
Symptoms:
Under certain circumstances, devmgmtd might leak file descriptors.
Conditions:
This might occur when attempting to add a device to trust by specifying a hostname instead of an IP address, where this hostname is not valid.
Impact:
devmgmtd may restart, logging an error that it has 'too many open files'. Although the failed reaction is correct (restarting because there is an existing error condition), the system presents an error message that does not indicate the issue.
Workaround:
None.
Fix:
devmgmtd no longer leaks file descriptors in a certain error path (which would sometimes cause it to dump core).
516523-1 : Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
Component: Application Security Manager
Symptoms:
ASM is only supposed to request a Full Sync if there has been a Manual Full Sync request, or if an incremental / auto sync indicates that the state is inconsistent with that of its peers.
The system was mistakenly requesting a Full Sync on every config change in an Auto-Sync, Full Sync group even when it was in a consistent state.
Conditions:
A Device Group is configured with Auto-Sync, Full Sync, and ASM enabled.
Impact:
Noise on the network, extra CPU usage, Policy Builder restarting on receiving peer.
Workaround:
Disable "Full Sync" on the device group
Fix:
The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.
516522-2 : After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.★
Solution Article: K04420402
Component: Application Security Manager
Symptoms:
After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
Conditions:
1) ASM is provisioned and there is a redirect URL configured on any pre-11.4.x.
2) Upgrade to 11.4.x, 11.5.3, or 11.6.0. This does not occur in 11.5.4, 11.6.1, or 12.0.0 and beyond.
Impact:
The configured redirect URL location is empty.
Workaround:
None.
Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x through 12.0.0.
516462-3 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
Component: Access Policy Manager
Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.
Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.
Impact:
Excluded address space routes are not applied.
Fix:
Fixed reason causing this issue; now excluded address routes are applied correctly even if a client machine roams between different networks.
516432-4 : DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
Solution Article: K21467711
Component: Local Traffic Manager
Symptoms:
DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
Conditions:
When DB variable tmm.ssl.dtlsmaxcrs is not 1.
Impact:
DTLS sends corrupted record.
Workaround:
Set tmm.ssl.dtlsmaxcrs to 1.
Fix:
DTLS no longer sends corrupted records when DB variable tmm.ssl.dtlsmaxcrs is not default value 1.
516322-5 : The BIG-IP system may erroneously remove an iApp association from the virtual server.
Component: TMOS
Symptoms:
The BIG-IP system may erroneously remove an iApp association from the virtual server.
Conditions:
This might occur when merging configurations in tmsh, in iControl when using Management.ChangeControl.put_config, and during incremental sync when the iApp is modified, but there is no modification to the virtual server.
There are two sets of conditions under which this issue might occur:
1. iApp, virtual server, and persistence profile are configured and associated prior to merge.
2. - High availability pair defined over a Device Group with Incremental Sync specified (that is, Full Sync is disabled).
- iApp with one or more virtual servers deployed on one or more peers.
- iApp is reconfigured on one of the peers with no modification of the Virtual Server configuration.
- Config sync to a peer unit.
Impact:
This removes iApp association with the virtual server.
Workaround:
To work around this issue, you should add the affected virtual server name to the list of commands during the merge process.
For example, you should add ltm virtual server iApp-test_vs { } to the tmsh merge script during the merge process:
cli admin-partitions { update-partition Common } ltm persistence source-addr /Common/put-config-test { app-service none defaults-from /Common/source_addr mirror enabled timeout 300 } ltm virtual iApp-test_vs { }
Fix:
Modifying a persistence profile while updating a partition during a merge config no longer disassociates the iApp from the virtual server.
516320-5 : TMM may have a CPU spike if match cross persist is used.
Component: Local Traffic Manager
Symptoms:
TMM may have a CPU spike.
A few(very few) connections may fail.
Conditions:
1) Match cross persist is used.
2) Long idle time out makes the symptom worse.
3) Persist HA makes the symptom worse.
Impact:
TMM may have a CPU spike.
A few(very few) connections may fail.
Workaround:
Avoid using match across persist.
Fix:
Match across persistence no longer causes CPU spike.
516219-2 : User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
Component: Access Policy Manager
Symptoms:
Connection is reset when user tries to log on to an APM virtual server. APM log shows ERR_NOT_FOUND while getting profile license.
Conditions:
The issue happens if slot 1 in a VIPRION 4800 chassis is not occupied or is occupied but not enabled.
Impact:
User logon failure.
Workaround:
Detach APM access profile from the virtual server and then reattach it.
Fix:
Access policies now work properly in VIPRION 4800 with no slot1.
516184 : IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
Component: TMOS
Symptoms:
When the cmp-hash of the VLAN interface used by IKEv1 is set to non-default values (dst-ip or src-ip) for load-balancing IKEv1 traffic purposes; IKEv1 will fail.
Conditions:
The VLAN interface used for IKEv1 traffic sets its cmp-hash value to non-default values.
Impact:
IPsec does not work.
Workaround:
Set the cmp-hash value of the VLAN interface for IKEv1 traffic to "default".
Fix:
IKEv1 can re-establish its IKE SAs after the VLAN with IKEv1 traffic changes its cmp-hash setting (currently available options are "default, src-ip, dst-ip).
516075-5 : Linux command line client fails with on-demand cert
Component: Access Policy Manager
Symptoms:
Linux command line client fails with On-Demand Cert Auth.
Conditions:
End user needs to be running Linux command line client and the On-Demand Cert Auth agent.
Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.
Workaround:
none
Fix:
Linux command line client works with On-Demand Cert Auth now.
516057-5 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
Component: Service Provider
Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash.
If there were are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.
Conditions:
1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in
progress.
3. A new connection is initiated to that IVS during the update.
Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.
Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.
Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.
515943-1 : "Session variables" report may show empty if session variable value contains non-English characters
Component: Access Policy Manager
Symptoms:
"Session variables" report may show empty if session variable value contains non-English characters
Conditions:
For active session only.
Impact:
User cannot see the Session Variable information for active session.
Workaround:
Use English characters for network configuration, such as host name, user name...
Fix:
"Session variables" report shows correct information for any language characters.
515915-3 : Server side timewait close state causes long establishment under port reuse
Solution Article: K47804233
Component: Local Traffic Manager
Symptoms:
When the server TCP connection is under timewait closing state, if a new client connection is initiated toward the server under the BIG-IP SYN-Cookie mode, the server respond with ACK instead of SYN+ACK for the SYN received.
The BIG-IP system drops this ACK and retransmit the SYN, till timeout occurs.
Conditions:
-- FastL4 is under SYN-Cookie mode.
-- The previous server connection is under time wait close state.
-- New client connection is reusing the port to get to the same server TCP connection.
Impact:
Longer establishment time and retry.
Workaround:
None.
Fix:
When ACK is received instead of SYN+ACK in this case, the system resets the server side to quick recovery, ensuring a quick recovery.
515797-2 : Using qos_score command in RULE_INIT event causes TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.
Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.
Fix:
qos_score command is disallowed in RULE_INIT event.
515759-2 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
Solution Article: K92401129
Component: Local Traffic Manager
Symptoms:
tmm memory growth over time.
Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.
Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.
Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.
Fix:
Configuration objects with more than four vlans in vlan list no longer causes memory utilization to increase over time.
515736-5 : LSN pool with small port range may not use all ports
Component: Carrier-Grade NAT
Symptoms:
When LSN pool port range is small, some ports may not be used for translation.
Conditions:
LSN pool port range is small.
Impact:
Even though free ports are available, they are not used for translation and the connection fails
Workaround:
Set the LSN pool port range to default value of 1025 - 65535
515728-4 : Repeated BD cores.
Component: Application Security Manager
Symptoms:
The bd process crashes and produces a core file in the /var/core directory.
Conditions:
It is not known what conditions trigger the crash.
Impact:
Traffic disrupted while bd restarts.
Fix:
Fixed a bd core related to tcl processing
515667-6 : Unique truncated SNMP OIDs.
Component: TMOS
Symptoms:
When a BIG-IP generates SNMP OID-required truncation in order to stay within the OID max length limit of 128, the truncated OID is not always consistent or unique.
Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String type index attributes with values lengths approaching or exceeding 128 characters expose this truncation issue.
Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.
Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.
Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.
515646-9 : TMM core when multiple PPTP calls from the same client
Solution Article: K17339
Component: Carrier-Grade NAT
Symptoms:
TMM can core when there are multiple PPTP calls arrive from the same client.
Conditions:
PPTP ALG virtual server with CGNAT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when multiple PPTP calls arrives from the same client.
515482-6 : Multiple teardown conditions can cause crash
Solution Article: K93258439
Component: Local Traffic Manager
Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.
Conditions:
(1) An iRule or other cross-layer message can trigger a ABORT after teardown.
(2) The TCP profile has settings that invoke the correct TCP implementation:
(a) 11.5.x: mptcp is enabled
(b) 11.6.x: mptcp, rate-pace, or tail-loss-probe are enabled, OR TCP uses Vegas, Illinois, Woodside, CHD, CDG, Cubic, or Westwood congestion control.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Suspend iRules with this behavior.
Fix:
When receiving ABORT commands, TCP catches cases where the connection is already closed.
515345-4 : NTP Vulnerability
Solution Article: K16505
515322-2 : Intermittent TMM core when using DNS cache with forward zones
Component: Local Traffic Manager
Symptoms:
TMM can intermittently crash when using the DNS cache resolver.
Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
TMM will no longer intermittently core when using the DNS cache resolver.
515187 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
Component: Advanced Firewall Manager
Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.
Conditions:
AFM provisioned and licensed.
Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.
Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.
Workaround:
None
Fix:
ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.
515139-4 : Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
Solution Article: K17067
Component: Local Traffic Manager
Symptoms:
Current connections seen in the poolmember statistics via tmsh might show a non-decremented number over time.
Conditions:
This occurs when the following conditions are met: - FTP virtual server with address translate disabled. - FTP profile with inherit parent profile. - Active FTP session. Running the command: tmsh show ltm pool pool_name.
Impact:
The current connections statistics value does not decrement upon data connection closure. While this is primarily cosmetic, it might impact connections when used in combination with limit calculations.
Workaround:
Disable inherit parent profile in the FTP profile.
Fix:
The BIG-IP system now correctly represents the pool current connections in the specific configuration combination.
515112-2 : Delayed ehash initialization causes crash when memory is fragmented.
Component: Advanced Firewall Manager
Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.
Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.
Fix:
Certain allocations are no longer delayed. Delayed allocations which fail retry with smaller sizes, possibly reducing performance.
515072-7 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
Solution Article: K17101
Component: Local Traffic Manager
Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.
Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.
Impact:
New connections are reset without being able to send traffic.
Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.
Fix:
Make pool member eligible for load balancing if its not connection limited after modifying its connection limit.
515033-1 : [ZRD] A memory leak in zrd
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leaks for zrd when performing wide IP alias updating.
Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.
Impact:
Memory leak after multiple wide IP alias create/update operations.
Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.
Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.
515030-2 : [ZRD] A memory leak in Zrd
Solution Article: K74820030
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.
Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.
Impact:
Memory leak after multiple wide IP alias updates.
Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.
Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.
514912-2 : Portal Access scripts had not been inserted into HTML page in some cases
Component: Access Policy Manager
Symptoms:
If HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into this page. But if there are no other reasons to include them, these scripts were not included.
Conditions:
HTML page which consists of the form with absolute action path, for instance:
<form action='/cgi-bin/a.gci">
</form>
Impact:
The form can not be submitted because browser fires JavaScript error.
Workaround:
It is possible to use iRule to insert Portal Access scripts into rewritten HTML page.
Fix:
Now Portal Access scripts are inserted into HTML page if it contains forms with absolute action path.
514844-3 : Fluctuating/inconsistent number of health monitors for pool member
Solution Article: K17099
Component: TMOS
Symptoms:
The Local Traffic :: Pools :: pool_name :: Members :: pool_member_name displays an inconsistent and fluctuating number of health monitors for a pool member.
Conditions:
This occurs if you are using partitions (i.e., folders) and route domains, and use the GUI to display the health monitors for a pool member.
Impact:
Cannot determine the correct number health monitors for pool member correctly. For example, given a pool which was assigned two health monitors, sometimes the screen will display two health monitors, one or none at all.
Workaround:
Use tmsh to display the health monitors for a pool member.
Fix:
The system now displays the correct number of health monitors for pool members for configurations containing administrative partitions and route domains.
514785-3 : TMM crash when processing AAM-optimized video URLs
Component: WebAccelerator
Symptoms:
TMM might crash when processing HTTP requests for certain types of AAM-optimized videos.
Conditions:
AAM-enabled VIP with video optimization and IBR enabled by AAM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable AAM processing of AAM-optimized video URLs.
Fix:
TMM no longer crashes when processing HTTP requests for certain types of AAM-optimized videos.
514731-4 : GTM Fails to change GTM server with IPv4 'Address Translation enabled
Solution Article: K17100
Component: Global Traffic Manager (DNS)
Symptoms:
Using the GUI when adding an IPv4 address translation, GTM fails to change GTM server that has IPv4 'Address Translation' enabled.
Conditions:
This occurs when using the GUI to add an IPv4 translated address that alphabetically or numerically precedes an existing IPv4 translated address. For example, there is an Address: 192.168.10.12 and Translation: 10.26.10.12, and you add IP address 11.12.10.12.
Impact:
GTM server property cannot be updated. When updating GTM server properties, the system posts errors such as the following: 01020037:3: The requested GTM IP (192.168.10.11 /Common/LTM64) already exists.
Workaround:
Use tmsh to make these types of changes.
Fix:
Using the GUI when adding an IPv4 address translation, GTM now successfully changes GTM server that has IPv4 'Address Translation' enabled.
514729-1 : 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.
Component: Local Traffic Manager
Symptoms:
SSL ciphers 'DEFAULT:!HIGH:!MEDIUM' is allowed in 10.2.1 but will prevent a config from loading in 11.5.1, 11.5.2, 11.5.3, or 11.6.0.
This cipher specification is not relevant for software versions 11.5.1, 11.5.2, 11.5.3, or 11.6.0, because all the DEFAULT ciphers fall within HIGH and MEDIUM ciphers. Turning off HIGH and MEDIUM effectively leaves the system with no ciphers to select from.
This is the DEFAULT for 11.5.1.
!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4
Conditions:
This issue occurs when a 10.2.1 system with an SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' is used on a system running version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, either by upgrading, or by manual UCS installation.
This is an example of such a profile.
profile serverssl serverssl-low_encryption {
defaults from serverssl
ciphers "DEFAULT:!HIGH:!MEDIUM"
}
Impact:
Upon reboot into version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, or upon load of a UCS from 10.2.1, the configuration fails to load.
The operation fails with an error similar to the following.
01070311:3: Ciphers list <list>' for profile <profile name> denies all clients
Workaround:
Search for this cipher 'DEFAULT:!HIGH:!MEDIUM' and modify before upgrading. For information about what value to use, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.
514726-5 : Server-side DSR tunnel flow never expires
Solution Article: K17144
Component: TMOS
Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.
Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.
Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.
514724-4 : crypto-failsafe fail condition not cleared when crypto device restored
Component: TMOS
Symptoms:
A BIG-IP system may not clear a crypto-failsafe condition after recovering from a cryptographic hardware lockup.
As a result of this issue, you may encounter one or more of the following symptoms:
The output of the tmsh show sys ha-status command appears similar to the following example:
-------------------------------------------------------------------------------
Sys::HA Status
Slot Feature Key Action Fail
-------------------------------------------------------------------------------
1 crypto-failsafe cn-crypto-11 failover yes
In the /var/log/ltm file, you observe messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP platform uses internal cryptographic hardware (such as, for vCMP, a Nitrox Lite SSL hardware accelerator card) or external cryptographic hardware (such as SafeNet/Thales hardware security module (HSM)).
-- The cryptographic hardware fails and subsequently recovers.
Impact:
If the crypto-failsafe action is to fail over, you will be unable to activate the BIG-IP system even after the cryptographic hardware recovers.
Workaround:
To restore the crypto-failsafe high availability (HA) fail status, restart tmm by issuing the following command: bigstart restart tmm.
Note: On VIPRION platforms, this command must be run on the appropriate blade.
Fix:
The system now allows the crypto device to be restored and not keep the crypto-failsafe HA status in the fail state.
514651 : db variable to disable rate-tracker
Component: Advanced Firewall Manager
Symptoms:
Rate-tracker can't be disabled.
Conditions:
Internal F5 testing determined certain use cases had rate-tracker enabled when expecting the ability to disable the functionality.
Impact:
If you want to disable rate-tracker you are unable to do so.
Workaround:
None.
Fix:
Added db variable (dos.globalsflimit) to disable rate-tracker.
514604-2 : Nexthop object can be freed while still referenced by another structure
Component: Local Traffic Manager
Symptoms:
Use after free of the Nexthop object may cause memory corruption or tmm core.
Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.
Workaround:
None.
Fix:
Management of nexthop object reference counting is more consistent.
514450-2 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
Component: TMOS
Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.
Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.
Impact:
This issue could impact traffic forwarding in VXLAN tunnels.
Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.
Fix:
This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.
514419-7 : TMM core when viewing connection table
Component: Local Traffic Manager
Symptoms:
In very rare conditions tmm may core on viewing the connection table.
Conditions:
This occurs only when a configuration meets all of the following conditions: - A NAT. - An AFM reject rule for ICMP. The user views the connection table on the system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not view the connection table when this configuration combination exists.
Fix:
TMM no longer cores when viewing the connection table.
514313-3 : Logging profile configuration is updated unnecessarily
Solution Article: K00884154
Component: Application Security Manager
Symptoms:
Logging profile configuration is updated in the ASM data plane unnecessarily, due to changes in pool member state.
Conditions:
Pool member state changes frequently.
Impact:
Unnecessary logging profile configuration updates are sent to ASM data plane.
Fix:
Logging profile configuration is updated in the ASM data plane only when it is modified, and not unnecessarily.
514266 : Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash
Component: Advanced Firewall Manager
Symptoms:
Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash
Conditions:
Firewall rules with ip-protocol ICMP and type 0, code 0 are configured and then modified.
Impact:
pccd abort.
Fix:
Handled the insertion and deletion of icmp type 0/code 0 entries correctly when compiling the firewall rules.
514246-6 : connflow_precise_check_begin does not check for NULL
Component: Local Traffic Manager
Symptoms:
Currently connflow_precise_check_begin does not check for NULL for its parameters while hudproxy has plenty of places where it calls connflow_precise_check_begin with NULL.
Conditions:
Connection Rate Limit is configured
Impact:
This leads to NULL pointer dereference and subsequent tmm crash
Workaround:
This issue has no workaround at this time.
Fix:
Fix NULL pointer dereference in connflow_precise_check_begin
514236-2 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
Component: Global Traffic Manager (DNS)
Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.
Conditions:
This issue occurs when all of the following conditions are met:
-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.
Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.
Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers. Or use only the Configuration utility or only the tmsh utility to create and modify BIG-IP GTM server object IP addresses.
Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.
514220-2 : New iOS-based VPN client may fail to create IPv6 VPN tunnels
Component: Access Policy Manager
Symptoms:
Newer iOS-based VPN client does not provide MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from getting established.
Conditions:
It affects only iOS-based IPv6 VPN connection requests.
Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.
Workaround:
None.
Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.
514108-7 : TSO packet initialization failure due to out-of-memory condition.
Component: Local Traffic Manager
Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.
Conditions:
This is related to tmm running out of memory while configured with TSO, on BIG-IP or VIPRION platforms which implement the HSB (High Speed Bridge) device in hardware.
This problem may occur on all currently-supported BIG-IP or VIPRION platforms EXCEPT the following:
BIG-IP 2000-/4000-series appliances.
BIG-IP 1600, 3600 appliances.
Impact:
TMM posts the assert message: packet is locked by a driver, then crashes.
Workaround:
Disable TSO (for more information, see SOL15609: Overview of TCP Segmentation Offload, available here: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15609.html):
To enable or disable TSO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcpsegmentationoffload value <enable | disable>
Note: After modifying the tm.tcpsegmentationoffload database variable, you must restart the TMM daemon by running the bigstart restart tmm command. Restarting TMM temporarily interrupts traffic processing. F5 recommends running this command only during a maintenance window.
Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.
514061-1 : False positive scenario causes SMTP transactions to hang and eventually reset.
Solution Article: K17562
Component: Application Security Manager
Symptoms:
Upon specific SMTP traffic, connection hangs and eventually resets.
Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.
Impact:
Connection hangs and eventually resets.
Workaround:
None.
Fix:
This release fixes a scenario in which SMTP transactions were hanging and blocked upon specific traffic.
513974-4 : Transaction validation errors on object references
Solution Article: K16691
Component: TMOS
Symptoms:
MCP validation error when adding/removing reference and adding/deleting an object in the same transaction.
Conditions:
During device group config sync, iControl transactions, and tmsh operations. For example, delete and create the same virtual server and specify a profile/VLAN, or remove a profile from a virtual server and then delete the profile in the same transaction.
Impact:
Validation error. The system posts an error similar to the following: transaction failed: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/http1) already exists in partition Common. When deleting, the message is: 01020036:3: The requested virtual server profile (/Common/vs1 http1) was not found.
Workaround:
The removal of the object reference must be done in a separate transaction. For example, if you want to delete a profile that is being used, create one transaction removing it from virtual servers, then a second transaction deleting the profile.
Fix:
The system now supports adding/removing a reference and the object in a single transaction.
513969-2 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
Component: Access Policy Manager
Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.
Conditions:
Current user is non-limited.
Machine Cert Check service is running.
User tries to pass Access Policy.
Impact:
Non-limited user has to press 'ok' in UAC window.
Fix:
Now Machine Certificate Check service is used for certificate verification even for non-limited users.
513953-2 : RADIUS Auth/Acct might fail if server response size is more than 2K
Solution Article: K17122
Component: Access Policy Manager
Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes
Conditions:
Response from backend server is bigger than 2048 bytes
Impact:
RADIUS Auth/Acct agent failed.
Fix:
Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.
513916-4 : String iStat rollup not consistent with multiple blades
Solution Article: K80955340
Component: TMOS
Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.
Conditions:
The iStat must be of type string, and the chassis must have multiple blades.
Impact:
The value of the iStat after the merge differs on different blades.
Workaround:
Use clsh to write the string iStat value to all blades together.
Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.
513706-3 : Incorrect metric restoration on Network Access on disconnect (Windows)
Solution Article: K16958
Component: Access Policy Manager
Symptoms:
The metric after Network Access disconnect differs from metric before Network Access for default route.
Conditions:
Using Network Access on Windows systems.
Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.
Workaround:
Disable and enable the network adapter.
Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.
513649-3 : Transaction validation errors on object references
Component: TMOS
Symptoms:
If certain objects are deleted then created within the same transaction, transaction errors might occur.
Conditions:
This is exclusive to transactions either via iControl, tmsh cli transaction, or a device group config sync. An object must be deleted and re-created in the same transaction. The object that was deleted must have configured references to other objects. For example, a virtual server can reference a profile or a VLAN. If it does, and there is a virtual server delete-and-create operation in the same transaction, mcpd fails to clean up the join reference on delete and complains when it tries to recreate it.
Impact:
Unnecessary mcpd validation failure. The system posts an error message similar to the following: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/tcp) already exists in partition Common.
Workaround:
If a user needs to delete and re-create an object, perform the delete in one transaction and the create in a subsequent transaction.
Fix:
Attempts to delete and recreate objects within the same transaction now complete successfully.
513581 : Occasional TMM crash when HTTP payload is scanned through SWG
Component: Access Policy Manager
Symptoms:
TMM core might occur when SWG is provisioned and content scanning is enabled. TMM restarts automatically after the core occurs.
Conditions:
When the BIG-IP system is provisioned with SWG and content is scanned through SWG.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable content scanning in SWG as workaround.
Fix:
The timer associated with SWG content scanning is now removed properly so TMM no longer crashes.
513565-3 : AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
Component: Advanced Firewall Manager
Symptoms:
Existing flows are not re-evaluated against Virtual Server AFM policies in Kill-on-the-fly if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.
Conditions:
AFM provisioned and licensed.
Have a Global AFM (or route domain) rule with action = Accept Decisive and also have a virtual server AFM rule.
Initial flow will be allowed due to global AFM rule action being Accept-decisively and will not be matched against Virtual Server Rule.
Now, modify the global AFM rule action to Accept. This should trigger Kill-on-the-fly to re-evaluate all existing flows against AFM policies.
Impact:
Existing flows bypass Virtual Server AFM Policy match evaluation in the sweeper under the conditions specified above.
Workaround:
None
Fix:
With this fix, existing flows will be evaluated against virtual server ACL policy if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.
513530-3 : Connections might be reset when using SSL::disable and enable command
Component: Local Traffic Manager
Symptoms:
Enable/disable of SSL filter in quick succession might cause connection reset.
Conditions:
SSL filter is disabled then quickly re-enabled.
Impact:
Connection is unexpectedly reset/lost.
Workaround:
Do not re-enable SSL filter immediately after disabling it.
Fix:
SSL::disable command no longer incorrectly flags a connection as disabled when enable/disable SSL filter in quick succession.
513454-2 : An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
Component: TMOS
Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.
Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.
Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.
Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.
Fix:
Cache internal query data to optimize statistical queries.
513403-3 : TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
Solution Article: K16490
Component: Advanced Firewall Manager
Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.
Conditions:
This might occur in the following configurations: -- AFM Rule Logging is enabled and Log Translations is enabled in Log Profile, -- Server side AVR Statistics collection is enabled under Security :: Reporting. -- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at Global and Route Domain contexts.
Impact:
TMM crashes (assert). Traffic disrupted while tmm restarts.
Workaround:
Disabling log-translations in AFM Logging Profile configuration can prevent the TMM crash for these types of ICMP packets.
Fix:
TMM crash (assert) for certain ICMP packets when classified by AFM and logging is enabled with log-translations has been fixed.
513382-2 : Resolution of multiple OpenSSL vulnerabilities
Solution Article: K16317
513319-7 : Incorrect of failing sideband connections from within iRule may leak memory
Component: Local Traffic Manager
Symptoms:
When using sideband connections within iRules, the internal TMM memory structures might leak if the sideband destination is not reachable (routing, etc.).
Conditions:
Unreachable sideband destination that lead to failures of the sideband connection creation, e.g. destination is not reachable via routing.
Impact:
Gradual memory usage in TMM, which can lead to aggressive memory sweeper and eventual failover/outage. This might manifest in gradual increment of TMM memory usage in graphs, particularly, the following: -- High number of connfails in tmctl sb_stats. -- High number of allocated memory in tmctl sb_cache.
Workaround:
Correct possible reachability issues to the sideband destination.
Fix:
TMM no longer leaks memory when the sideband destination is unreachable.
513294-1 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
Component: TMOS
Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to a over temperature condition, the name of the sensor that triggered the shutdown does not display.
2. Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.
Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH will detect an under voltage condition for all non-standby voltage rails.
Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. Unable to configure the AOM address using DHCP.
3. There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.
Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.
Fix:
LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.
513288-2 : Management traffic from nodes being health monitored might cause health monitors to fail.
Component: Local Traffic Manager
Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.
Conditions:
Health monitor checking node_ip:port where 1024 is less than or equal to port, which is less than 65536. Node periodically connects back to management service on self IP (e.g., iControl, GUI, SSH).
Impact:
Traffic is not sent to the node while the monitor is failing.
Workaround:
None.
Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.
513283 : Mac Edge Client doesnt send client data if access policy expired
Component: Access Policy Manager
Symptoms:
If an access policy expires (for example, if a user took too long to enter password ) then BIG-IP Edge Client displays a new page with link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as browser by BIG-IP APM.
Conditions:
Edge Client in use, access policy expires.
Impact:
Edge Client is detected as browser.
Workaround:
Click disconnect button and Connect buttons on Edge Client.
Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.
513243-5 : Improper processing of crypto error condition might cause memory issues.
Solution Article: K17561
Component: Local Traffic Manager
Symptoms:
Improper processing of a crypto error condition might cause memory issues.
Conditions:
Error when processing certain crypto commands.
Impact:
The error might cause TMM to crash.
Workaround:
None.
Fix:
If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected.
513213-4 : FastL4 connection may get RSTs in case of hardware syncookie enabled.
Component: Local Traffic Manager
Symptoms:
Occasionally, ACK is sent to server without SYN, connection get RST.
Conditions:
1) FastL4 virtual server.
2) Hardware syncookie enabled.
3) Might more commonly occur with forwarding virtual servers.
4) Often happens when egress router has ARP timeout.
Impact:
Some connections will be dropped.
Workaround:
Configure a static ARP to all neighbors (routers) to avoid most issues.
Fix:
An issue with hardware syncookies and FastL4 connections has been resolved.
513201-5 : Edge client is missing localization of some English text in Japanese locale
Component: Access Policy Manager
Symptoms:
Edge Client is missing localization of some English text in Japanese locale.
Conditions:
Edge Client in Japanese locale
Impact:
Edge Client shows some text in english
Fix:
BIG-IP Edge Client is correctly localized for Japanese locale.
513165-1 : SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is used as SAML Service Provider, and SP-initiated Single Logout (SLO) is executed, the SLO request message does not contain the 'SessionIndex' attribute'. As a result, the external IdP might not be able to terminate the user's session.
Conditions:
BIG-IP is configured as SP. SLO is initiated by SP.
Impact:
External IdP may not be able to terminate user's session.
Fix:
SAML Service Provider generated SLO requests contain needed attributes
513151-7 : VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
Component: TMOS
Symptoms:
VIPRION B2150 blades with SSD show up as unknown when SNMP queries the OID sysObjectID.
Conditions:
SNMP queries the OID sysObjectID.
Impact:
You cannot identify any VIPRION B2150 blades with SDD using SNMP.
Workaround:
None.
Fix:
Added new SNMP OID for VIPRION B2150 blades with SSD.
513098-2 : localdb_mysql_restore.sh failed with exit code
Solution Article: K17180
Component: Access Policy Manager
Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.
Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.
Impact:
Over time, the table grows in size due to stale records.
Fix:
Orphaned dynamic user records are now correctly deleted.
513083-2 : d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
Component: Access Policy Manager
Symptoms:
When tmm is running out of memory because of overload or other conditions and if APM is configured, tmm could potentially crash.
Conditions:
tmm is already running out of memory
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
This issue has been fixed.
513034-2 : TMM may crash if Fast L4 virtual server has fragmented packets
Solution Article: K17155
512954-1 : ospf6d might leak memory distribute-list is used
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.
Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
Fix:
ospf6d no longer crashes when a distribute-list is configured.
512687-2 : Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI
Component: Application Security Manager
Symptoms:
Create security policy named "policy1"
Send POST to
--------------------------
https://<BIG-IP>/mgmt/tm/asm/policies/<asm-policy-uuid>/parameters
--------------------------
with body:
--------------------------
{
"name": "decimal",
"dataType": "decimal",
"maximumValue": 20.1
}
--------------------------
you will get error saying:
--------------------------
"Could not parse/validate the Parameter. Field value for maximumValue must be an integer."
--------------------------
Conditions:
ASM is provisioned.
Impact:
Not able to create a decimal parameter with floating "minimumValue" and "maximumValue" properties using REST API.
Workaround:
None.
Fix:
It is now possible to create a decimal parameter with floating "minimumValue" and "maximumValue" properties using REST API.
512668-2 : ASM REST: Unable to Configure Clickjacking Protection via REST
Component: Application Security Manager
Symptoms:
The REST API for URLs was missing a field for Clickjacking Protection configuration. When trying to configure that 'Rendering in Frames' should only be allowed from a single URL, there is no field to specify that URL.
Conditions:
REST API is being used to configure Clickjacking Protection for URLs.
Impact:
A REST API client is unable to correctly configure protection that is meant to be allowed only from a specified URL.
Workaround:
Configure via the GUI instead of REST.
Fix:
This release adds the missing field for REST to specify the 'only-from' clickjacking URL: 'allowRenderingInFramesOnlyFrom'.
512618-2 : Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp"
Component: TMOS
Symptoms:
Racoonctl utility is not designed to display large number of SA's and it will display "Invalid sadb message" continuously.
Conditions:
If the system has large number of IPsec SA's.
Impact:
Continuous "Invalid sadb message" will be displayed upon issuing "racoonctl -l show-sa esp" and racoonctl utility will not work.
Workaround:
Use TMSH instead. "tmsh show net ipsec ipsec-sa" will provide more accurate IPsec security association information.
Fix:
This changes should provide a user to retrieve SA's based on specific addresses using racoonctl utility.
512609-2 : Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
Component: Advanced Firewall Manager
Symptoms:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) matches any IPv6 traffic which is correct, but also matches any IPv4 traffic which is incorrect.
Conditions:
Network Firewall Rule with wildcard IPv6 source or destination address ::0 or 0::0/0.
Impact:
IPv4 traffic will match.
Workaround:
None
Fix:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.
512490-10 : Increased latency during connection setup when using FastL4 profile and connection mirroring.
Component: Local Traffic Manager
Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.
Conditions:
FastL4 profile with connection mirroring.
Impact:
Slight delay during connection setup.
Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.
Fix:
Disable Nagle algorithm on TCP/HA profile to improve performance.
512485-2 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
Component: TMOS
Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.
Conditions:
This affects deployments with three or more VXLAN endpoints.
Impact:
The introduction of an additional hop adds unnecessary latency.
Fix:
In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.
512383-4 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.
Solution Article: K68275911
Component: Local Traffic Manager
Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.
Conditions:
1) Fast L4 virtual server.
2) PVA-acceleration enabled.
This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented though there are no active PVA flows.
This can also occur when LTM gets ICMP unreachable messages from the serverside.
Impact:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If the hardware SYN cookie protection is on, the SYN cookie protection may be activated when it is not supposed to.
Workaround:
None.
Fix:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.
512345-6 : Dynamic user record removed from memcache but remains in MySQL
Solution Article: K17380
Component: Access Policy Manager
Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.
Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.
Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.
Workaround:
The Admin can remove the user by deleting the associated memcache record.
Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.
512245 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
Component: Access Policy Manager
Symptoms:
Machine certificate agent checker on client might extract wrong certificate based on LocalHostName if it is not same as hostname. Machine certificate agent checker might fail.
Conditions:
BIG-IP APM with machine certificate agent.
Impact:
Machine certificate check might fail
Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.
512148-7 : Self IP address cannot be deleted when its VLAN is associated with static route
Solution Article: K17154
Component: Local Traffic Manager
Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route
Conditions:
The self IP address' VLAN is associated with a static route.
Impact:
Self IP address cannot be deleted.
Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.
Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.
512119-3 : Improved UDP DNS packet truncation
Component: Local Traffic Manager
Symptoms:
UDP responses from the DNS cache were not truncated properly. This is primarily seen in DNS tools, such as dig or Wireshark that would mark the response as malformed. Regular resolver clients handled the responses correctly noting the tc bit in the response header.
Conditions:
UDP DNS responses larger than the size requested by the client, typically 512 bytes.
Impact:
Packets may be flagged as malformed by DNS packet analyzers. There are no known issues with regular DNS client resolvers.
Workaround:
None
Fix:
The DNS Cache now properly fills in response data and handles truncation as expected.
512062 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
Solution Article: K21528300
Component: Local Traffic Manager
Symptoms:
BIG-IP system drops SCTP INIT multi-homing message with checksum 0x00000000.
Conditions:
This occurs when the SCTP packet's verification tag is 0x00000000 and the checksum also is 0x00000000.
Impact:
System drops these SCTP packets.
Workaround:
None.
Fix:
Added a db variable to disable verification of SCTP checksum when ingress packet's checksum is zero. The current default behavior is not changed if this db variable is not enabled.
512054-4 : CGNAT SIP ALG - RTP connection not created after INVITE
Solution Article: K17135
Component: Service Provider
Symptoms:
The client has no audio when it makes a call.
Conditions:
This occurs when a client initiates a call with a CSeqID value greater than 64 KB.
Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.
Workaround:
None.
Fix:
The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeqID value greater than 64 KB.
511985-2 : Large numbers of ERR_UNKNOWN appearing in the logs
Component: Local Traffic Manager
Symptoms:
There are times when LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.
Conditions:
While not limited only to the ASM module, this has been observed when ASM is active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN, as it should.
Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.
Workaround:
None.
Fix:
Before logging ERR_UNKNOWN, LTM Policy now checks to see whether a filter or plug-in has marked the connection to be reset. If the connection is about to be reset, then ERR_UNKNOWN is not logged.
511961-2 : BIG-IP Edge Client does not display logon page for FirePass
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client cannot display FirePass logon page: "Connecting..." status; instead, Edge Client displays blank pages. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.
Conditions:
Firepass and APM-supplied build of BIG-IP Edge Client for Mac.
Impact:
User cannot log in to Firepass if using BIG-IP Edge Client for Mac.
Workaround:
Update to latest client
Fix:
Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.
511893 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
Component: Access Policy Manager
Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis will experience a connection timeout after clicking Log In
Conditions:
1. Two or more blades chassis with APM provisioned
2. Create Portal Access/NA. start > logon page > portal resource (portal webtop, resource)> Allow.
3. Create access session using browser.
Impact:
Access session never finishes and browser does not render portal.
Workaround:
None
Fix:
BIG-IP Access Policy Manager running on a chassis will correctly process the client's Log In command.
511854-3 : Rewriting URLs at client side does not rewrite multi-line URLs
Solution Article: K85408112
Component: Access Policy Manager
Symptoms:
Exception posted when rewriting multi-line URLs on the client side.
Conditions:
Using multi-line URLs in client-side JavaScript code.
Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.
Workaround:
None.
Fix:
This release fixes client-side URL rewriting for multi-line URLs.
511818-5 : Support RSASSA-PSS signature algorithm in server SSL certificate
Component: Local Traffic Manager
Symptoms:
The SSL handshake will fail if the certificate configured in client SSL profile cert-key-chain is signed by RSASSA-PSS.
Conditions:
A certificate with signature algorithm RSASSA-PSS is used in client SSL profile.
Impact:
SSL handshake between the client and BIG-IP SSL will fail.
Workaround:
Don't use certificate with signature algorithm: rsassaPss.
Fix:
SSL handshake will succeed when using a certificate signed by RSASSA-PSS in the client SSL profile.
Behavior Change:
Before the change: SSL handshake would fail if the certificate configured in the client SSL profile cert-key-chain was signed by RSASSA-PSS. The system does not support a certificate with RSASSA-PSS signature algorithm.
After the change: SSL handshake will succeed when using a certificate signed by RSASSA-PSS in the client SSL profile.
This doesn't fix the case when the client auth. has PSS in the X.509 cert chain neither add PSS support to the TLS portion (only to "our" X.509 server cert chain).
511651-2 : CVE-2015-5058: Performance improvement in packet processing.
Solution Article: K17047
511648-3 : On standby TMM can core when active system sends leasepool HA commands to standby device
Solution Article: K16959
Component: Access Policy Manager
Symptoms:
On standby system TMM can core after it comes up when the active system sends leasepool HA commands to the standby device.
Conditions:
This occurs on standby systems when the active system sends it leasepool HA commands.
Impact:
Traffic disrupted while tmm restarts.
Fix:
On a standby system, TMM no longer cores after it comes up when an active system sends leasepool HA commands to the standby device.
511559-6 : Virtual Address advertised while unavailable
Component: TMOS
Symptoms:
An unavailable virtual address is advertised after a load sys config.
Conditions:
The configuration contains a virtual-address with 'enabled' set to 'yes', 'route-advertisement' set to 'enabled', and the 'server-scope' set to 'any'. The BIG-IP system already has the same virtual-address configured with 'server-scope' as 'any'.
Impact:
Routes appear available on the route table when they are not, which might result in traffic being routed to unavailable servers.
Workaround:
Modify the virtual-address' 'server-scope' from the current value to another value and then back to the original value.
Fix:
Virtual address status is updated after load, so no unavailable virtual address is advertised.
511534-2 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,
Solution Article: K44288136
Component: WebAccelerator
Symptoms:
When loading an AAM policy, the tmm compiles the rules to an internal structure that is efficient for execution. Some conditions however may cause this process to take too long and the tmm gets halted before the system has finished compiling the policy.
Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or 2 operands.
Since you can have conditions on many different path-segments (e.g. the 1st, 2nd, 3rd, etc), using regular expression on path-segments are a likely way to trigger this condition.
Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.
Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.
Workaround:
None.
Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.
511517-8 : Request Logging profile cannot be configured with HTTP transparent profile
Solution Article: K17111
Component: Local Traffic Manager
Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.
Conditions:
HTTP transparent profile is attached to a virtual server.
Impact:
Request Logging profile cannot be configured on the same virtual server.
Fix:
The system now supports a simultaneously configuring both a Request Logging profile and an HTTP transparent profile on a single virtual server.
511478-1 : Possible TMM crash when evaluating expression for per-request policy agents.
Component: Access Policy Manager
Symptoms:
TMM might crash when evaluating expressions in per-request policy agents and possible loss of service.
Conditions:
APM is licensed and per-request policy is attached to the virtual. Per-request policy have agents which have configured expressions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove expressions from agent in per-request policy.
Fix:
Applied a different mechanism to evaluation agent's expression to fix this possible crash.
511477 : Manage ASM security policies from BIG-IQ
Component: Application Security Manager
Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.
Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.
Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.
Workaround:
None.
511441-2 : Memory leak on request Cookie header longer than 1024 bytes
Solution Article: K17564
Component: Access Policy Manager
Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.
Conditions:
Client is sending 'Cookie' request header with more than 1024 bytes of data to APM Portal Access host.
Impact:
Memory used by 'rewrite' process keeps increasing and leads to 'out of memory' logs and possibly failover.
Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.
511406 : Pagination issue on firewall policy rules page
Solution Article: K16421
Component: Advanced Firewall Manager
Symptoms:
Firewall policy rules page shows only the first 100 rules in the policy.
Conditions:
This is an issue when there are more than 100 rules configured in a policy.
Impact:
User is only able to see the first 100 rules in the policy
Fix:
Firewall policy rules page is now able to view more than 100 rules.
511332-1 : Cannot view Pools list by Address
Solution Article: K35266322
Component: TMOS
Symptoms:
You cannot view Pools page after attempting to sort Nodes by the Address column.
Conditions:
User sorts by the Address column on the Nodes page and then navigates to the Pools page. The system posts the error: General database error retrieving information. This error persists until you either delete the JSESSIONID cookie or navigate back to the Nodes page and sort by Name.
Impact:
Receive error navigating to the Pools page in this case.
Workaround:
Use one of the following workarounds: (1) Delete the JSESSIONID cookie. (2) Sort by Name on the Node page before navigating to the Pools page.
Fix:
Correct the cookie name to avoid naming conflicts between node list page and pool list page.
511326-3 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
Solution Article: K24410405
Component: Service Provider
Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.
Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.
Impact:
The Subscriber does not receive any notification regarding the subscribed events.
Workaround:
None.
Fix:
The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.
511145-2 : IPsec Policy Link not functional.
Component: TMOS
Symptoms:
The IPsec Policy Link on the Network :: IPsec :: Traffic Selectors :: List page is not functional.
Conditions:
IPsec Traffic Selectors configured.
Impact:
Inability to manage IPsec via the GUI.
Workaround:
Use the main navigation menu on the left of the screen to go to Network :: IPsec :: Traffic Selectors :: List, and select the desired IPsec Policy.
Fix:
The IPsec Policy Link on the Network :: IPsec :: Traffic Selectors :: List page now functions as expected.
511130-2 : TMM core due to invalid memory access while handling CMP acknowledgement
Component: Local Traffic Manager
Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.
Conditions:
Memory is not validated before handling a CMP acknowledgement.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Memory is now validated before handling a CMP acknowledgement.
511064-2 : Repeated install/uninstall of policy with usage monitoring stops after second time
Solution Article: K17108
Component: Policy Enforcement Manager
Symptoms:
Usage monitoring as required by the policy stops working.
Conditions:
Policy configured with usage monitoring is installed/uninstalled multiple times within a session.
Impact:
Usage reporting stops working.
Workaround:
None.
Fix:
The system now correctly handles the case in which a policy with usage monitoring is installed and removed multiple times.
511057-7 : Config sync fails after changing monitor in iApp
Solution Article: K60014038
Component: Local Traffic Manager
Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.
Conditions:
A pool must have the monitor associated with it before the tmsh transaction, and must be the same as the monitor being deleted in the transaction.
Impact:
Unable to submit multiple changes in a single transaction.
Workaround:
Modify the pool monitor and delete it in separate transactions.
Fix:
Monitor modification and deletion can now happen in the same transaction.
511029 : "selfLink" for ASM Policy was incorrect for iControl REST
Component: Application Security Manager
Symptoms:
After using iControl REST to assign a policy to a virtual server, the JSON response had an incorrect selfLink for the policy.
Conditions:
Using iControl REST to assign a policy to a virtual server.
Impact:
API Clients depending on the correct selfLink being returned may experience issue.
Workaround:
None.
Fix:
Previously, if you used iControl REST to assign a policy to a virtual server, the JSON response had an incorrect selfLink for the policy. This issue has been fixed.
510979-2 : Password-less SSH access after tmsh load of UCS may require password after install.
Component: TMOS
Symptoms:
Should an account such as admin have password-less SSH access, after loading the UCS config or doing a live install and moving the config, SSH access no longer works without a password.
Conditions:
User has .ssh/authorized_keys file owned with uid=0.
Impact:
tmsh load sys ucs config replaces the uid ownership of /home/user_name/.ssh/authorized_keys incorrectly, which prevents SSH access without passwords.
Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file in the ~/.ssh directory. In that case, UCS load affects the link, but not the linked file, so password-less SSH access is maintained.
Note: A UCS file taken after the workaround will not include the file /var/ssh/<username>/authorized_keys. If you have a plan to load the UCS on a different unit, for example, for the purposes of RMA, please save the file individually.
Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.
510921-6 : Database monitors do not support IPv6 nodes
Solution Article: K23548911
Component: Local Traffic Manager
Symptoms:
Unable to monitor IPv6 nodes.
Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.
Impact:
IPv6 nodes are reported down and do not receive traffic.
Fix:
Database monitors now support monitoring IPv6 nodes.
510888-8 : [LC] snmp_link monitor is not listed as available when creating link objects
Component: Global Traffic Manager (DNS)
Symptoms:
GUI: snmp_link is not listed from Available monitor list when creating link objects. TMSH: snmp_link is not shown when using TAB to show monitor options when creating link objects.
Conditions:
When creating GTM link objects.
Impact:
Cannot determine whether snmp_link monitor can be used. Must manually input snmp_link to associate snmp_link to a link object.
Workaround:
Through tmsh, manually type snmp_link as monitor when creating link objects.
Fix:
snmp_link monitor is now listed as available when creating link objects.
510828 : Manage ASM security policies from BIG-IQ
Component: Application Security Manager
Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.
Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.
Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.
Workaround:
None.
Fix:
This is a part of ID 498361.
510818 : Manage ASM security policies from BIG-IQ
Component: Application Security Manager
Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.
Conditions:
REST shows redirect URL in Response Page in case action type "redirect".
Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.
Workaround:
None.
Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.
510720-2 : iRule table command resumption can clear the header buffer before the HTTP command completes
Solution Article: K81614705
Component: Local Traffic Manager
Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.
Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.
Impact:
Results in a SIGABRT. The header names might intermittently output incorrectly, and report empty names and/or parts of the request line.
Workaround:
This issue has no workaround at this time.
Fix:
iRule resumption after halting now works correctly.
510709-3 : Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
Component: Access Policy Manager
Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.
Conditions:
SSO error happens only if there are more than 2 start URIs configured in the SSO configuration.
Impact:
SSO V1(websso) fails for configured start URI due to start URI mismatch.
Workaround:
No workaround
Fix:
Websso config start URI parsing was wrong when there are multiple lines in start URI configuration. Websso start URI parsing is fixed.
510638-2 : [DNS] Config change in dns cache resolver does not take effect until tmm restart
Solution Article: K37513511
Component: Local Traffic Manager
Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.
Conditions:
Make changes to LTM DNS cache resolver.
Impact:
Changes made to DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time
do not load into the system until tmm restarts.
Workaround:
Restart tmm after making changes, or create a new DNS cache profile.
Fix:
Config change in DNS cache resolver now take effect immediately and no longer require tmm restart.
510596-5 : Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
Component: Access Policy Manager
Symptoms:
DNS resolution can break for a Linux client when the "DNS Default Domain Suffix" setting is empty in a Network Access configuration in APM.
Conditions:
BIG-IP Edge Gateway, Linux CLI and empty "DNS Default Domain Suffix" in Network Access configuration
Impact:
DNS resolution might not work on Linux
Workaround:
Configure "DNS default domain suffix" in network access configuration
Fix:
DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.
510580-3 : Interfaces might be re-enabled unexpectedly when loading a partition
Component: TMOS
Symptoms:
Loading of a set of partitions not including Common might re-enable interfaces that were previously disabled.
Conditions:
Loading of a set of partitions not including Common.
Impact:
Interfaces might be unexpectedly reenabled. (It is expected that 'load sys config partitions { anotherpartition }' will only affect objects in the /anotherpartition folder.)
Workaround:
None.
Fix:
Loading of a set of partitions not including Common no longer re-enables interfaces that were previously disabled.
510559-5 : Add logging to indicate that compression engine is stalled.
Component: TMOS
Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.
Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.
Impact:
Compression completely stalls, or CPU can be driven up by software-based compression. No indication of what the issue is.
Workaround:
Disable compression, or select 'software only' compression.
Fix:
Previously, if the compression engine stalled, there would be no logging-trail to indicate there was a problem. This release adds logging and stats for detecting a compression engine stall.
510499-1 : System Crashes after Sync in an ASM-only Device Group.
Solution Article: K17544
Component: Application Security Manager
Symptoms:
System crashes after an ASM Sync in an ASM-only Device Group.
Conditions:
This occurs when the following conditions are met:
1) Two devices with both a full-sync device group, and a sync-only, ASM-enabled device group. Both manual sync groups.
2) Have a policy active on a virtual server on both devices.
3) Deactivate the policy on one device.
4) Push the ASM config from that device to another device.
Impact:
Peer Device is left in an inconsistent state and BD crashes.
Workaround:
None.
Fix:
ASM Configuration Sync now will gracefully handle being unable to deactivate when it conflicts with LTM config.
510459-2 : In some cases Access does not redirect client requests
Component: Access Policy Manager
Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."
Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.
Impact:
Client request is not fulfilled and error message received.
Workaround:
None
Fix:
Resolved issue in which clients receive a file not found message from Access due to out of date White List entry in OPSWAT.
510425-7 : DNS Express zone RR type-count statistics are missing in some cases
Solution Article: K28822214
Component: TMOS
Symptoms:
When displaying DNS zone data with multiple instances, if one has no resource record data, the following instance also displays an empty resource record data even there is something to display.
Conditions:
When displaying DNS zone data with multiple instances, and one has no resource record data.
Impact:
Missing Resource Record data when the data is not empty.
Workaround:
Query the specific DNS Zone data instance instead of the 'query all'.
Fix:
DNS Express zone RR type-count statistics now display correctly.
510393-2 : TMM may occasionally restart with a core file when deployed VCMP guests are stopped
Component: TMOS
Symptoms:
VCMP guest shutdown can interfere with execution of the VCMP hypervisor TMM, causing 'Clock advanced' messages and TMM restarts wit corresponding core files.
Conditions:
vCMP guests in state 'deployed' are modified to state 'provisioned' or 'configured', or are deleted entirely. The likelihood of a TMM restart increases with the number of guests that are stopping at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Shut down vCMP guests one at a time to reduce the likelihood of encountering this issue.
Fix:
Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances
510381-5 : bcm56xxd might core when restarting due to bundling config change.
Component: TMOS
Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP. This affects all platforms that support interface bundling.
Conditions:
Interface bundling change requiring a restart while still processing configuration messages.
Impact:
Unnecessary core file produced since the daemon is restarting anyway.
Workaround:
None.
Fix:
Fixed possible race condition which resulted in a bcm56xxd core.
510287 : Create ASM security policy by BIG-IQ
Component: Application Security Manager
Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.
Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.
Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.
Workaround:
None.
Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.
510264-2 : TMM core associated with smtps profile.
Component: Local Traffic Manager
Symptoms:
tmm can core when the smtps profile is enabled.
Conditions:
This is an intermittent core seen when the smtps profile is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
n/a
Fix:
tmm will no longer core from using the smtps profile.
510226-1 : All descriptions for ports-list's members are flushed after the port-list was updated
Component: Advanced Firewall Manager
Symptoms:
'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from GUI.
Conditions:
When a user updates an port-list object with member's description set, it gets deleted.
Impact:
User will lose the description value set for its members.
Workaround:
Not update the port list entry from GUI when its members have a 'description', or use tmsh to update port list
Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.
510224-1 : All descriptions for address-list members are flushed after the address-list was updated
Component: Advanced Firewall Manager
Symptoms:
'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from GUI.
Conditions:
When a user updates an address-list object with member's description set, it gets deleted.
Impact:
User will lose the description value set for its members.
Workaround:
Not update the address list entry from GUI when its members have a 'description.'
Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.
510164-4 : DNS Express zone RR statistics are correctly reset after zxfrd restart
Solution Article: K53351133
Component: Local Traffic Manager
Symptoms:
After restarting zxfrd, the RR type-count statistics are not correctly reset when doing an incremental zone transfer to the BIG-IP system on DNSX zones with capital letters in their name.
Conditions:
Restart zxfrd, or reboot the BIG-IP system. The RR type-count statistics is reset to 0.
Impact:
DNS Express zone RR type-count statistics are inaccurate after zxfrd restart for DNSX zones with capital letters in their name.
Workaround:
There are two workarounds: -- Remove /var/db/tmmdns.bin and restart zxfrd. -- Recreate the DNSX zone names to use all lowercase.
Fix:
DNS Express zone RR type-count statistics are correctly set after restarting zxfrd.
510162 : potential TMM crash when AFM DoS Sweep & Flood is configured
Component: Advanced Firewall Manager
Symptoms:
TMM could crash and restart.
Conditions:
If you have AFM DoS Sweep & Flood vector configured and incoming traffic at such a rate that this vector is being triggered then there is a possibility of getting this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure the AFM Sweep & Flood DoS vector.
Fix:
Codefix has been checked in to resolve the crash bug.
510119-3 : HSB performance can be suboptimal when transmitting TSO packets.
Component: TMOS
Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.
Conditions:
This can happen when transmitting large fragmented TSO packets.
Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.
Workaround:
Disable TSO.
509968 : BD crash when a specific configuration change happens
Component: Application Security Manager
Symptoms:
A reconfiguration or security application attaching to a VIP or a new security policy or other big config change followed by a traffic halting/resetting, a shrinking message in the bd.log followed by A BD crash.
Conditions:
Remote logger with "report anomalies" attached to the virtual, a session transaction attack is on-going and a configuration change of the session transaction configuration together with a custom header (for XFF) configuration. This can happen also when adding new web applications to existing virtual server or attaching existing web application to a virtual server while there is a session transaction attack on a virtual server.
Impact:
Traffic halted, a failover and traffic resets. BD will startup with the updated configuration in place.
Workaround:
Don't add security policies or attach security policies to a virtual server or reconfigure security policy or change the session transaction configuration together with the custom header configuration while there is a session transaction attack going on a virtual that has remote logger attached.
Fix:
A crash that happens upon a specific configuration change was fixed.
509956-5 : Improved handling of cookie values inside SWG blocked page.
Component: Access Policy Manager
Symptoms:
Certain components of cookies are not escaped and might negatively impact functionality.
Conditions:
Use of a reject ending in a per-request access policy.
Impact:
Potential disruption of functionality.
Workaround:
None.
Fix:
Improved the way that the system processes cookie values in an SWG blocked page.
509919-1 : Incorrect counter for SelfIP traffic on cluster
Component: Advanced Firewall Manager
Symptoms:
SelfIP traffic is always handled on the primary blade on a cluster and if it's disaggregated to non-primary blade, it gets internally forwarded to the primary blade.
Due to this, AFM was double classifying this traffic (only on cluster) causing incorrect AFM ACL/IPI counts.
Conditions:
SelfIP traffic is disaggregated to non-primary blade on a cluster and AFM is enabled
Impact:
Incorrect AFM ACL/IPI rule counters due to internal forwarding of SelfIP traffic on a cluster from non-primary to primary blade causing AFM to match/classify these packets twice.
Workaround:
None
Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.
509782-2 : TSO packets can be dropped with low MTU
Solution Article: K16780
Component: TMOS
Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.
Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.
Impact:
Large TSO packets are dropped.
Workaround:
Increase the MTU or disable TSO.
If TSO is not disabled, three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
Fix:
Three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
509758-3 : EdgeClient shows incorrect warning message about session expiration
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.
Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and
Network Access webtop is used.
Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.
Workaround:
None.
Fix:
Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.
509663 : ASM restarts periodically with errors in asm_config_server.log: ASM Config server died unexpectedly
Component: Application Security Manager
Symptoms:
ASM restarts periodically with the following error in the asm_config_server.log: ASM Config server died unexpectedly.
Conditions:
-- ASM provisioned.
-- Running v11.5.2-hf-asm.
Impact:
ASM restarts periodically with the following error in the asm_config_server.log: ASM Config server died unexpectedly.
Workaround:
None.
Fix:
This release fixes a syntax error that caused the system to periodically restart.
509646-6 : Occasional connections reset when using persistence
Component: Local Traffic Manager
Symptoms:
Occasional connections will be reset when using persistence. If tracking reset causes, the reset cause will be "Persist add entry not found."
Conditions:
This occurs only within the first 32 seconds of a tmm receiving traffic after startup. The client request further has to arrive on the exactly correct tmm on a chassis. This does not reproduce on non-chassis devices.
Impact:
Occasional reset connections. After 32 seconds of receiving traffic, the issue abates.
Fix:
Spurious resets of new persistent connections no longer occur.
509600-5 : Global rule association to policy is lost after loading config.
Component: TMOS
Symptoms:
The association of a global rule to a policy appears to be lost after loading a config by directly loading, saving, upgrading, and config syncing. As a result of this issue, you may encounter the following symptom:
After re-enabling a global policy and waiting for an unspecified period of time, you observe that the policy is disabled again.
Conditions:
This occurs when you associate a global rule with a policy, and then initiate an operation that causes config load.
Impact:
Policies are removed from enforcement in the global context.
Workaround:
To work around this issue, you can add back the rules manually, or, if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context when no other route domains are configured.
Impact of workaround: If you have other route domains configured, Route Domain 0 is no longer usable as a global context.
Fix:
The association of a global rule to a policy is now retained after loading a config by directly loading, saving, upgrading, and config syncing.
509504-4 : Excessive time to save/list a firewall rule-list configuration
Solution Article: K17500
Component: TMOS
Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.
Conditions:
Large number of AFM rules.
Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.
Fix:
The save and list times for the numerous firewall rules/deeply nested configurations [example: firewall rule-list::rules] is significantly reduced.
509503-3 : tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration
Component: TMOS
Symptoms:
For certain configurations with deeply nested structures in it ex: some of the firewall rule rule-list configuration, requires excessive time for the tmsh load config file merge operation.
Conditions:
Configurations containing deeply nested structures.
Impact:
The time for the merge is significantly more than the time needed for load operation.
Workaround:
If you are affected of long load times during merging a configuration file into existing one, you can instead append the config file to the respective bigip_base.conf or bigip.conf file manually.
Fix:
The tmsh load sys config merge operation performance was optimized. With this optimization the time for merge operation is slightly greater than the load operation.
509490-1 : [IE10]: attachEvent does not work
Component: Access Policy Manager
Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.
Conditions:
Web application in Internet Explorer 8, 9 or 10 that uses window.postMessage() and recieves message with handler added through window.attachEvent() working through Portal Access.
Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.
Workaround:
No
Fix:
The 'onmessage' handler added with window.attachEvent() now correctly recieves data sent through window.postMessage().
509416-4 : Suspended 'after' commands may result in unexpected behaviors
Component: Local Traffic Manager
Symptoms:
Unexpected iRule behavior, crashes or aborts.
Conditions:
Can occur when a virtual server has a OneConnect profile and an iRule using the 'after' command.
Impact:
tmm crash.
Fix:
Connections are ineligible for re-use while there is still a pending, suspended or in-progress 'after' iRule. This is correct behavior.
509310-1 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
Component: Local Traffic Manager
Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.
This occurs when sending UDP traffic with source port 8472 to a VIPRION platform, regardless of VXLAN.
Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789 (5000 series) or 8472 (VIPRION).
Impact:
The egress VxLAN traffic is dropped due to bad UDP checksum.
Incoming UDP traffic with source port 8742 is dropped.
Workaround:
Set db variable iptunnel.vxlan.udpport to 0. So the BIG-IP system hardware does not classify UDP destination port equal to 4789 as VxLAN traffic.
Disable HW checksum
Fix:
VIPRION chassis and 5000 series appliances no longer generate bad bad outer IPv4 UDP checksums on egressing VxLAN traffic.
509276-3 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
Component: TMOS
Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.
Conditions:
A VXLAN tunnel with a floating local address on the standby device.
Impact:
Incorrect gratuitous ARPs are generated on the standby device.
Fix:
VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.
509273-3 : hostagentd consumes memory over time
Component: Device Management
Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.
Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.
Impact:
Rarely, the vCMP host might run out of memory.
Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures:
Option 1: Disabling statistic collection for the tmsh show vcmp health command.
Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable statistic collection, type the following command:
tmsh modify vcmp guest all capabilities add { stats-isolated-mode }.
3. To restart the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart restart hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart restart hostagentd.
Option 2: Disabling the hostagentd process
Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO.
1. Log in to the command line of the vCMP host appliance or primary blade of the cluster.
2. To disable the hostagentd process, type the following command:
a. On a BIG-IP appliance:
bigstart stop hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart stop hostagentd.
3. To exclude the hostagentd process from starting up after rebooting the system, type the following command:
a. On a BIG-IP appliance:
bigstart disable hostagentd.
b. On a blade in a VIPRION cluster:
clsh bigstart disable hostagentd.
Fix:
Fixed a rare vCMP host memory growth issue.
509120-1 : BIG-IQ 4.5.0 cannot discover version pre-11.5.4 BIG-IP versions due to /tmp removal★
Component: Device Management
Symptoms:
When a BIG-IQ device attempts to discover a BIG-IP system, and during the discovery process the BIG-IQ device attempts to perform a REST framework upgrade on the BIG-IP system, the BIG-IQ device cannot manage the BIG-IP systems.
Conditions:
-- BIG_IQ is version 4.5.0.
-- BIG-IP is version pre-11.5.4.
-- BIG-IQ device attempts to perform a REST framework upgrade on the BIG-IP system.
Impact:
The '/tmp' directory is removed, which causes framework upgrade to fail, which in turn causes the entire discovery process to fail. Users managing 11.5.x BIG-IP systems with a Big-IQ device running version 4.5.0.
Workaround:
None.
Fix:
The framework upgrade and discovery now complete successfully, and the BIG-IP system can be managed using the BIG-IQ device.
509063-1 : Creating or loading guest on cluster with empty slot 1 can result in error
Solution Article: K17015
Component: TMOS
Symptoms:
Creating or loading guest on a cluster on which slot 1 is empty can result in error.
Conditions:
This only occurs on clustered BIG-IP systems when slot 1 is empty (unpopulated) with no 'cores-per-slot' attribute explicitly set.
Impact:
The guest create command fails or the config fails to load, and the system posts the error: Unable to find default core count for guest on this hardware.
Workaround:
Explicitly set the 'cores-per-slot' attribute in the guest create command or in the guest config.
Fix:
Creating or loading a guest config on a clustered BIG-IP with an empty slot 1 no longer results in an error, and the default cores-per-slot value is correctly used for the guests.
508908-2 : Enforcer crash
Component: Application Security Manager
Symptoms:
A bd crash. Connections reset until the system restarts or a failover completes.
Conditions:
A multipart request with specific syntax error.
Impact:
A bd process crash, failover. Will reset connection until the system restarts/ failover finishes.
Workaround:
No workaround
Fix:
An Enforcer crash was fixed.
508719-7 : APM logon page missing title
Solution Article: K22391125
Component: Access Policy Manager
Symptoms:
The title might be missing from a logon page.
Conditions:
Logon page uses field filled with dynamically assigned session variable.
Impact:
No title displays on the logon page.
Workaround:
Modify page logon.inc using customization panel.
*Add function:
function getSoftTokenPrompt()
{
if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
var div = document.getElementById("formHeaderSoftToken");
if (div) {
return div.innerHTML;
}
}
return null;
}
*Replace code:
function OnLoad()
{
var header = document.getElementById("credentials_table_header");
var softTokenHeaderStr = getSoftTokenPrompt();
if ( softTokenHeaderStr ) {
header.innerHTML = softTokenHeaderStr;
}
By:
function OnLoad()
{
var header = document.getElementById("credentials_table_header");
var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>"
if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
header.innerHTML = softTokenHeaderStr;
} else {
header.innerHTML = "<? echo $formHeader; ?>";
}
* Replace code
<td colspan=2 id="credentials_table_header" ></td>
By
<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>
* Add code before </body> tag:
<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>
Fix:
The title displays on the logon page now.
508716-3 : DNS cache resolver drops chunked TCP responses
Component: Local Traffic Manager
Symptoms:
DNS cache resolver drops chunked TCP responses
Conditions:
If the cache resolver uses TCP to resolve a query, and a nameserver does not include the complete reply in the first TCP segment.
Impact:
The response will be discarded, the connection dropped, and the query retried
Fix:
DNS cache resolver no longer drops chunked TCP responses
508630-3 : The APM client does not clean up DNS search suffixes correctly in some cases
Component: Access Policy Manager
Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNs suffixes configured on a client contain names configured in an APM Network Access resource.
Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.
Impact:
As a result, DNS suffixes are not restored correctly.
Fix:
An additional fix was made to restore DNS suffixes correctly.
508556-2 : CSR missing SAN when renewing cert in GUI
Solution Article: K17035
Component: TMOS
Symptoms:
When using the GUI to renew a CA certificate that contains a subject alternative name (SAN), the SAN field is missing in the generated CSR.
Conditions:
Using the GUI to renew a CA certificate that contains a SAN.
Impact:
The resulting CSR does not contain a SAN value.
Workaround:
Use tmsh. For example: tmsh create sys crypto csr abc key abc.key subject-alternative-name DNS:ddd.nnn.sss common-name cn
Fix:
When using the GUI to renew a CA certificate that contains a subject alternative name (SAN), the SAN field is correctly included in the CSR.
508519-1 : Performance of Policy List screen
Component: Application Security Manager
Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.
Conditions:
20 or more active security policies configured on the system.
Impact:
With 160 active security policies it takes approximately 10 seconds to load the Policy List :: Import Policy :: PCI report configuration utility screens.
Workaround:
There is no workaround at this time.
Fix:
This release fixes a performance issue with the Policy List :: Import Policy :: PCI report configuration utility screens.
508486-1 : TCP connections might stall if initialization fails
Component: Local Traffic Manager
Symptoms:
TCP connections might stall if initialization fails
Conditions:
TCP connections fail to initialize if the tmm hud message queue is full. If these connections are flagged to not expire then they will linger forever.
Impact:
TCP connections that never expire. Increased memory usage. tmm logs containing 'hud queue full' errors.
Fix:
Return status of queued TCP initialization messages allowing cleanup upon failure.
508338-2 : Under rare conditions cookies are enforced as base64 instead of clear text
Component: Application Security Manager
Symptoms:
False positive 'modified domain cookie' violation or false positive 'illegal base64 value' violation created.
Conditions:
No specific conditions. This is a rarely occurring issue.
Impact:
The violation 'illegal base64 value' on a cookie appears on transactions, even for cookies that are not marked as base64 value cookies.
Workaround:
None.
Fix:
This release fixes an issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation.
508337-5 : In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access
Component: Access Policy Manager
Symptoms:
document.write() operation on parent window called from script in frame may cause errors on pages accessed through Portal Access. This issue is specific to Google Chrome browser and derivatives.
Impact:
Web application does not work through Portal Access with Google Chrome browser.
Fix:
Fixed a JavaScript error occurring on call of document.write() on opened document. The issue was happening when accessing pages through Portal Access with Google Chrome browser.
508076-1 : Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.
Component: TMOS
Symptoms:
Unable to create SSL Certificate or Key if the name extension starts with a special extension.
Conditions:
When creating a certificate or key, if the certificate/key name has an extension starts with one of (".key", ".crt", ".csr", ".crl", ".der", ".exp", ".pem"), then the creation will fail.
For example, it is an error to create a key named "test.key1". In this case, the key extension ".key1" starts with ".key".
Impact:
Key creation or Certificate creation will fail.
The following example command will fail with error.
tmsh create sys crypto key test.key1
tmsh create sys crypto cert test.key1 key test.key1.key common-name test
Error: Key management library returned bad status: 02, Not Found
Workaround:
do not create a key or certificate with name extension starts with one of (.key .crt .csr .crl .der .exp .pem).
Fix:
With this fix, certificate/key extension can start with one of these special extensions.
508057-2 : MySQL Vulnerability CVE-2015-0411
Solution Article: K44611310
507919-2 : Updating ASM through iControl REST does not affect CMI sync state
Component: Application Security Manager
Symptoms:
Updates through REST in a manual sync CMI device group do not change the sync status to PENDING.
Conditions:
ASM is configured in a manual sync group and REST API is utilized.
Impact:
Sync status will now be changed after updates through REST in a manual sync CMI device group.
Workaround:
There is no workaround at this time.
Fix:
Sync status is now changed after updates through REST in a manual sync CMI device group.
507905-1 : Saving Policy History during UCS load causes db deadlock/timeout★
Component: Application Security Manager
Symptoms:
Loading a UCS from an older version might cause db timeouts. /var/log/ltm contains errors similar to the followind: DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/lib/perl5/site_perl/F5/DbUtils.pm.
Conditions:
-- Devices running different software versions are configured in a device group.
-- A sync operation is triggered from the device running the older version.
-- The device group is in the middle of an upgrade, the newer version being pre-11.6.0 HF5 or pre-11.5.2 HF1.
Impact:
UCS load fails and multiple error messages are logged. This is a rarely occurring issue.
Workaround:
Make sure all BIG-IP systems in a device group are running the same version of the software.
Fix:
This release corrects an intermittent issue where an error state was received during the upgrade of a DSC device group.
507853-10 : MCP may crash while performing a very large chunked query and CPU is highly loaded
Component: TMOS
Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection) that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).
Conditions:
CPU is highly loaded.
Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.
Workaround:
None.
Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.
507842-4 : Patch for BIND Vulnerability CVE-2015-1349
Solution Article: K16356
507782-6 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
Component: Access Policy Manager
Symptoms:
TMM crashes on an attempt to open Citrix connection
Conditions:
Unpatched/malformed ICA file received by the client
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed validation for the input data sent in the ICA connection so that for the invalid/non-patched Address it will reject the connection instead of crashing.
507681-9 : Window.postMessage() does not send objects in IE11
Component: Access Policy Manager
Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. There could or could not be error in JavaScript console based on web application.
Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.
Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.
Workaround:
No
Fix:
Window.postMessage() now works in Internet Explorer 11.
507611-1 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
Solution Article: K17151
Component: Local Traffic Manager
Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.
Impact:
BGP session is not established.
Workaround:
Disable TCP-MD5 for neighbor.
Fix:
BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.
507602-4 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
Solution Article: K17166
Component: TMOS
Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak and in some case data packets going through the IPsec tunnel can be looping between cores.
Conditions:
IPsec lifebyte is enabled in IPsec Policy configuration object on BIG-IP system or 3rd party IPsec device.
Impact:
Possible data packets looping and memory leak.
Workaround:
Disable lifebyte on IPsec devices on both end of the IPsec tunnel.
Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.
507575-3 : An incorrectly formated NAPTR creation via iControl can cause an error.
Component: TMOS
Symptoms:
NAPTR records are somewhat complicated and if an incorrect set of string arguments are passed to iControl, the string parsing can fail and generate unhelpful error messages.
Conditions:
Specifically, it is valid to have empty strings as some of the fields of a NAPTR record.
However, these empty strings must be quoted as empty strings.
An example of a valid empty string parameter
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.
Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed.
This causes a segfault and the error.
Impact:
Potential failure of iControl parsing.
Workaround:
Use quotes around empty strings such as:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.
Fix:
The string parser has been made tolerant of missing parameters for these records and will now report an error.
507554-2 : Uneven egress traffic distribution on trunk with odd number of members
Solution Article: K13741128
Component: Local Traffic Manager
Symptoms:
If a trunk on a BIG-IP appliance or VIPRION chassis is populated with a number of members that is not a power of 2, the resulting distribution of egress traffic may be noticeably uneven.
For example, in a VIPRION chassis with 3 blades each having 5 ports assigned to the trunk (total of 15 ports), one of the ports on one of the blades may send noticeably more traffic than the other ports.
Conditions:
This problem occurs on the following F5 hardware platforms:
-- BIG-IP 10000-series and 12000-series appliances.
-- VIPRION B4300 and B2250 blades.
Impact:
Sub-optimal distribution of traffic across available trunk ports.
Workaround:
Configure the members of the trunk to always contain a number of members which is a power of 2 (2, 4, 8, 16).
Fix:
Traffic distribution across a trunk with an odd number of members is more even.
507529 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
Component: Local Traffic Manager
Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.
Conditions:
The chassis is configured for network mirroring within cluster.
There is more than one blade installed in the system or vcmp guest.
A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).
Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes. Traffic disrupted while tmm restarts.
Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.
507499-2 : TMM can watchdog under extreme memory pressure.
Component: TMOS
Symptoms:
The TMM can become unresponsive and then be killed by SOD under extreme memory pressure.
Conditions:
Under extremely high memory pressure, linux will page out anything that isn't nailed down, including the shared memory containing the system-wide logging configuration. When this happens, and something in the TMM considers logging, the TMM will be de-scheduled while the linux kernel tries to swap something else out and swap the configuration page back in. Under such conditions, several seconds may go by before the memory can be swapped back in. SOD detects that the TMM is unresponsive and restarts the TMM.
Impact:
The TMM is restarted; flows that can't failover to a backup node are disrupted. If the killed TMM was not the source of the memory pressure, there may not be enough memory for a new TMM instance to come up.
Workaround:
A release that locks the logging configuration into RAM is required to correct the poor response to being out of memory.
Note: this change improves system handling in out-of-memory conditions -- it does NOT address any of the potential sources of the out-of-memory condition.
Fix:
The logging configuration is now locked into RAM.
507487-3 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool
Component: TMOS
Symptoms:
The BIG-IP system continues announcing RHI routes when Virtual Servers and Virtual Addresses are down.
Conditions:
The issue occurs in the following case: -- Have a VIP with pool selection via iRule. -- Configure RHI on the VAddr corresponding to the VIP. -- Down the pools (for example, toggling between HTTP monitor (up) and UDP monitor (down)). -- VIP, VAddr, and pools are red. -- Run the imish command.
Impact:
The kernel route still is announced, which might cause other network devices to be confused on the network status, so the impact varies.
Workaround:
Configure virtual server with default pool instead of iRule.
Fix:
Added validation for virtual server iRule pools.
507461-2 : Net cos config may not persist on HA unit following staggered restart of both HA pairs.
Component: TMOS
Symptoms:
The net cos global-settings may be cleared on a HA unit, as a result of a HA pair configuration sync.
Conditions:
With fully synced pair of HA chassis, restart active chassis blade and then restart standby chassis blade.
Impact:
Portion of cos config information on active chassis blade is missing, resulting in incongruent cos behavior between active and standby.
Workaround:
None.
Fix:
The system no longer resets active net cos settings during device/group HA configuration sync operations.
507331-6 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
Component: TMOS
Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.
Conditions:
Using configuration saved with version 11.5.2 (and earlier) on AWS.
Impact:
There are known security issues with SSLv3 and the BIG-IP software disables it by default with v11.5.2 on AWS. An enabled SSLv3 on the management interface might make the instance open to an attack, so after upgrading, configurations in which SSLv3 is enabled should be disabled before deploying.
Workaround:
Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.
Fix:
SSLv3 is no longer enabled after loading a configuration saved with BIG-IP v11.5.2 or earlier, even if SSLv3 was enabled in the original configuration.
507327-2 : Programs that read stats can leak memory on errors reading files
Component: TMOS
Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.
Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.
Impact:
Eventually the daemon or system might run out of memory.
Workaround:
Remove anything causing an error reading a stats file such as deleting unneeded files or fixing permissions.
Fix:
A memory leak reading stats has been fixed.
507321-2 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
Component: Access Policy Manager
Symptoms:
If JavaScript application uses user-defined object which contains 'origin', 'source' and 'data' fields with NULL values, any attempt to get these values fires an error.
Conditions:
User-defined JavaScript object with 'origin', 'source' and 'data' fields and with NULL value in any of these fields, for example:
var a = { origin: null , data:null , source:null };
Any attempt to read these values leads to JavaScript error in Portal Access scripts.
Impact:
Web application does not work correctly.
Fix:
Now user-defined JavaScript objects with 'origin', 'source' and 'data' fields may contain any values in these fields.
507318-2 : JS error when sending message from DWA new message form using Chrome
Component: Access Policy Manager
Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.
Conditions:
If user clicks on the Send button on the new message form, then JavaScript errors appear: -- cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined
?. -- OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&…:37 Uncaught TypeError: Cannot read property 'EgI' of undefined.
Impact:
The message is sent, but the tab is not closed.
Workaround:
None.
Fix:
When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.
507289-1 : User interface performance of Web Application Security Editor users
Component: Application Security Manager
Symptoms:
Slow GUI performance for Web Application Security Editor users
Conditions:
At least 100 active security policies in the system
Impact:
Most ASM pages takes more than 5 seconds to load for Web Application Security Editor users
Workaround:
There is no workaround at this time.
Fix:
ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.
507143-2 : Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
Solution Article: K17071
Component: Service Provider
Symptoms:
tmm cores due to 'valid pcb' assertion.
Conditions:
This can happen when the Diameter filter:
- Receives and queues HUDCTL_SHUTDOWN event.
- Receives a HUDCTL_ABORT event before HUDCTL_SHUTDOWN has been unqueued.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Diameter filter will now queue HUDCTL_ABORT events to prevent leapfrogging previously queued events.
507127-1 : DNS cache resolver is inserted to a wrong list on creation.
Component: Local Traffic Manager
Symptoms:
When a DNS cache resolver is created, it should be added to the cache resolver linklist. However, it is instead added to an incorrect linklist.
Conditions:
When creating a new DNS cache resolver.
Impact:
Unable to find the DNS cache resolver when search the resolver link list.
Workaround:
None.
Fix:
DNS cache resolver is added to the correct linklist on creation and removed from the correct linklist on deletion.
507116-3 : Web-application issues and/or unexpected exceptions.
Solution Article: K17030
Component: Access Policy Manager
Symptoms:
Web-application issues and/or unexpected exceptions.
Conditions:
Undisclosed conditions related to web-applications.
Impact:
Unexpected web-application functionality.
Workaround:
None.
Fix:
Web-application issues have been fixed.
507109-6 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade★
Component: Local Traffic Manager
Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.
Conditions:
This issue occurs when all of the following conditions are met:
-- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile.
-- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.
Impact:
An incorrect cert key chain is used in the profile.
Workaround:
Manually edit bigip.conf to contain the correct value. To do so, add the following line into child client ssl profile:
inherit-certkeychain false
Run the command:
tmsh load sys config
Fix:
The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.
506702-2 : TSO can cause rare TMM crash.
Component: Local Traffic Manager
Symptoms:
TSO can cause rare TMM crash.
Conditions:
When TSO is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TSO no longer causes rare TMM crash.
506557-5 : IBR tags might occasionally be all zeroes.
Solution Article: K45240941
Component: WebAccelerator
Symptoms:
IBR tags might occasionally be all zeroes.
Conditions:
This might occur when requests to OWS to update cached, expired content, receive updated content from OWS that has no Content-Length header and is uncacheable (that is, served with X-WA-Info code S10206).
Impact:
The content hash for that URL can be incorrectly set to all zeroes, causing an incorrect IBR for that item until it is recached.
Workaround:
Avoid the specific preconditions, or disable IBR-TO for the specific content meeting the preconditions.
Fix:
Uncacheable updates from OWS will no longer set IBR tags to zero.
506470 : Reduce pccd OOM probability with port expansion change
Component: Advanced Firewall Manager
Symptoms:
PCCD Blob size grows when applied large rule sets.
Conditions:
when the rule sets contains same ip address but different ports.
Impact:
AFM PCCD
Workaround:
NONE
Fix:
This feature enhances PCCD rule sets with port range which reduces blob size.
506452-1 : Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
Component: Advanced Firewall Manager
Symptoms:
Sometime the firewall rule matching result is wrong if there are firewall rules configured with source or destination IPv6 address whose most significant bit is 1. Below are some examples of those IPv6 address: dfdf::/128, bbbb://64.
Conditions:
Firewall rules are configured with source or destination IPv6 address whose most significant bit is 1.
Impact:
The firewall rule with those IPv6 addresses may accept or deny packets that do not match the rule.
Fix:
Fixed the firewall rule compilation module to properly handle the processing of those IPv6 addresses whose most significant bit is 1.
506407-1 : Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages★
Solution Article: K04420402
Component: Application Security Manager
Symptoms:
Redirect Response pages become 'invalid' and lose their redirect URL configuration after upgrade.
Conditions:
1) In 11.2.x a policy existed with a redirect response page where the Response Header had a 'Location' command in it.
2) Policy or device is upgraded to 11.4.x or 11.5.x (pre 11.5.3 HF2)
3) Policy or device is upgraded to 11.6.0 (pre 11.6.0 HF5).
Impact:
The Alternate Response Page is no longer valid and no longer redirects users to the desired URL.
Workaround:
Before upgrade, ensure the redirect URL is correctly configured.
Fix:
Upgrade to 11.6.x now correctly retains redirect URLs for Alternate Response Pages.
506386-1 : Automatic ASM sync group remains stuck in init state when configured from tmsh
Component: Application Security Manager
Symptoms:
When a failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh, the units sit waiting for an 'initial sync' event which never comes. All subsequent sync events are Incremental and never Full.
Conditions:
-- A failover device group (without ASM enabled) is in a fully synchronized state.
-- ASM and auto-sync are enabled on the device group through tmsh.
Impact:
Infrequently, an initial sync event fails after ASM and auto-sync are enabled on a failover device group that does not have ASM enabled.
Workaround:
You can use either of the following workarounds:
-- Configure ASM device sync before the initial sync.
-- Configure ASM device sync using the GUI instead of tmsh.
Fix:
This release fixes an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.
506355-2 : Importing an XML file without defined entity sections
Component: Application Security Manager
Symptoms:
Importing an XML file without entity sections defined will not create default wildcard entities in the security policy.
Conditions:
Importing a partially defined XML security policy file.
Impact:
Policy was not created with default entities as expected.
Workaround:
Add the missing entities after importing the incomplete XML file.
Fix:
Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.
506349-5 : BIG-IP Edge Client for Mac identified as browser by APM in some cases
Component: Access Policy Manager
Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if user connects again using the link on the logout page that says "Click here to open new session"
Conditions:
APM, MAC Edge client
Impact:
Impact depends upon access policy but user might not be able to connect.
Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.
Fix:
APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".
506315-10 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.
Component: WebAccelerator
Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.
Conditions:
BIG-IP system with AAM provisioned, content matching a policy node not honoring OWS headers maxage and or s-maxage, and a large 'Age' value.
Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).
Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase cache AAM/WAM cache lifetime for that content to compensate.
Fix:
When WAM/AAM policy is configured not to honor OWS maxage, it also does not honor OWS Age headers, which is correct behavior.
506304-3 : UDP connections may stall if initialization fails
Component: Local Traffic Manager
Symptoms:
UDP connections that never expire. tmm logs containing 'hud queue full' errors.
Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire then they will linger forever.
Impact:
Stalled connections. Increased memory usage.
Fix:
UDP connections no longer stall if initialization fails.
506290-3 : MPI redirected traffic should be sent to HSB ring1
Component: Local Traffic Manager
Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.
Conditions:
Large amount of MPI redirect traffic.
Impact:
Potential packet drops on HSB ring0.
Workaround:
None.
Fix:
Send MPI redirected traffic to HSB ring1, which is correct behavior.
506282-5 : GTM DNSSEC keys generation is not sychronized upon key creation
Solution Article: K16168
Component: Local Traffic Manager
Symptoms:
DNSSEC key generation is not synchronized upon key creation.
Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.
Impact:
The keys are synced, but the key generation information is not.
Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.
Fix:
DNSSEC key generation is now synchronized upon key creation.
506235-4 : TMM Crash
Component: Access Policy Manager
Symptoms:
TMM may crash
Conditions:
APM active
Impact:
TMM crash: -- Failover to standby (if applicable). -- Possible additional TMM cores on active and Standby units. If the BIG-IP system is configured in an HA pair, TMM might crash on the Standby unit shortly after the Active unit. The TMM log entries reporting the TMM core might not include any stack trace details.
Fix:
This release fixes a TMM crash that occurred with APM provisioned.
506223-1 : A URI in request to cab-archive in iNotes is rewritten incorrectly
Component: Access Policy Manager
Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9)
Conditions:
Web application runs through Portal Access
Impact:
Installation of iNotes plug-ins is impossible.
Some resources may be not loaded.
Fix:
Portal Access rewrites URIs correctly.
506199-8 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
Component: TMOS
Symptoms:
When multiple VCMP guests are configured on a VDAG platform, It is possible through cycles of provisioning and deprovisioning the guests to cause switch rules that play a role in disaggregation to be programmed in an order that causes packets to reach the wrong TMM in a guest, thus causing lower dataplane performance.
Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.
Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following: config # tmctl -d blade tmm/flow_redir_stats. This presents results similar to the following:
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
0 0 0 1 636991
Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following: config # tmctl -d blade switch/vdag_dest_hits -w 200. This presents results similar to the following:
slot dst_mod dst_port dst_trunk hits red_hits
---- ------- -------- --------- ------ --------
1 1 0 0 0 0
1 7 0 0 0 0
1 13 0 0 0 0
1 19 0 0 0 0
1 0 0 0 0 0
1 1 5 0 509100 0
1 1 6 0 0 0
Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each effected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd
Fix:
The system now ensures that VDAG entries get ordered correctly to avoid cases where VCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles
506041-5 : Folders belonging to a device group can show up on devices not in the group
Solution Article: K01256304
Component: TMOS
Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.
Conditions:
This only occurs during a full sync.
This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder.
This can also occur if a device has a local folder or partition with the same name as one in a device group.
Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error.
Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.
Workaround:
Use unique partition and folder names across all devices in the trust group.
Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.
506034-5 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
Solution Article: K16393
505964-3 : Invalid http cookie handling can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If an http cookie is invalid, then subsequent modifications to http cookie entries can result in a TMM core.
Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.
505755-4 : Some scripts on dynamically loaded html page could be not executed.
Solution Article: K11043155
Component: Access Policy Manager
Symptoms:
Some scripts on dynamically loaded HTML page might not execute.
Conditions:
Dynamically loaded HTML page
Impact:
Web application accessed via Portal Access does not work as expected.
Workaround:
None.
Fix:
Fixed an issue in Portal Access that could affect script execution in documents.
505705-6 : Expired mirrored persistence entries not always freed using intra-chassis mirroring
Component: Local Traffic Manager
Symptoms:
When using persistence mirroring, it is possible for the mirror owner of a persistence record to also be the proxying tmm for the connection. In this case, depending on timing of the connection and timeouts configured, it is possible for a persistence record to not be released when the connection is terminated and persistence timeout expires.
Conditions:
* VIPRION chassis with 2 or more blades installed.
* Mirroring is set to "intra-chassis".
* Mirroring is enabled on one or more persistence profiles.
* The records appear in tmsh show sys persistence persist-records all-properties, with an age always set to zero but no connection and no other persistence records for the same persistence key.
Impact:
Possible memory growth. This is not a leak, in that the memory can be recovered when subsequent requests reach different tmms that might need the same persistence record.
Workaround:
None.
Fix:
Both the local and mirrored owner persistence record are properly removed.
505624-2 : Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
Component: Advanced Firewall Manager
Symptoms:
A remote logger will continue to get DoS layer 7 messages after it was removed from the virtual server configuration.
Conditions:
A remote logger was connected to a virtual server and the user removed it from the virtual server configuration.
Impact:
That remote logger will continue to get DoS layer 7 messages.
Workaround:
bigstart restart dosl7d
Fix:
An issue where the DoS profile continued to write to a removed logging profile was fixed.
505452-1 : New db variable to control packet priority for TMM generated packets
Component: Local Traffic Manager
Symptoms:
For TMM generated packets (such as ICMP request), the existing behavior is TMM would use hard code value 3 for the packet priority.
Conditions:
Packets are generated internally by TMM.
Impact:
No way to control those packets's priority.
Fix:
A new db variable tm.egress.pktpriority is added to set packet priority
of TMM generated egress packets. Default 3 with range 0-7.
505222-3 : DTLS drops egress packets when traffic is sufficiently heavy.
Component: Local Traffic Manager
Symptoms:
DTLS drops egress packets when traffic is sufficiently heavy.
Conditions:
-- DTLS has egress queue with maximum elements 127 (the default).
-- Traffic is very heavy.
Impact:
DTLS drops egress packets.
Workaround:
None.
Fix:
This release fixes this issue by sending multiple requests to CN.
505101-4 : tmm may panic due to accessing uninitialized memory
Component: Access Policy Manager
Symptoms:
tmm panics with the message "memory owned by current process"
Conditions:
SAML plugin encounters an internal error and attempts to free an uninitialized memory region.
Impact:
tmm restarts
Workaround:
none
Fix:
Initialized SAML memory region to prevent tmm panic.
505089-3 : Spurious ACKs result in SYN cookie rejected stat increment.
Component: Local Traffic Manager
Symptoms:
Sending unsolicited ACK to a virtual server increments the counter 'Total Software Rejected' from tmsh show ltm virtual 'name_of_virtual_server' when syn cookie status is not activated.
Conditions:
This has been observed under the following conditions: 1. The client sends a SYN, the LTM sends an SYN/ACK and then the client sends a bad ACK. 2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or had been closed).
Impact:
Potentially inaccurate statistics in tmsh show ltm virtual.
Workaround:
None.
Fix:
In this release, the system increments the syncookie reject stat only if a bad ACK could correspond to a syncookie the system issued.
505071-2 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.
Component: TMOS
Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.
Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.
In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.
Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.
Workaround:
None.
Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.
505056-3 : BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
Component: Local Traffic Manager
Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of ingress packet on the same flow.
Conditions:
Hardware COS queue feature is enabled.
Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.
Workaround:
None.
Fix:
Packet priority passthrough mode is now sending correct packet priority and delivering on the correct switch COS queue.
504973-2 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
Component: Application Security Manager
Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.
Conditions:
Provisioned ASM
Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.
Fix:
When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.
504917-2 : In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed
Component: Application Security Manager
Symptoms:
An inactive ASM policy on a sync target is suddenly re-activated.
Conditions:
This occurs when ASM manual sync is configured, and a policy is de-activated or deleted. The time stamp of the policy does not get updated, so the active policy will take precedence and re-activate it.
Impact:
If the user deactivates or deletes a policy on one device and then pushes the ASM config to the other device, the policies will end up being reactivated (or recreated as a default policy) on the other device.
Workaround:
The workaround is to make a change to Policy one of the machines before de-activating it, to update its timestamp to newer than the other machine.
Fix:
When loading the ASM side of a UCS, ensure that the MCP data is updated correctly for policies that have become inactive or have been deleted.
504899-1 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
Component: Local Traffic Manager
Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.
Conditions:
No special conditions required other than to perform the configuration changes.
Impact:
As duplicated snat-translation addresses may exist, any change to an address entry that is assigned to an snatpool might not affect the right entry, for example, with the following snat-addresses:
snat_address_01 address 1.2.3.1
1.2.3.1(anonymous) address 1.2.3.1
And the following snatpool:
snat_pool { 1.2.3.1 1.2.3.2 }
If there is a change in snat_address_01 (whose address is part of snat_pool (1.2.3.1)), then the actual snat_pool member (anonymous 1.2.3.1) will not be updated with the new setting, and there will be no effect.
Workaround:
None.
Fix:
The system now automatically converts anonymous addresses added to snatpool into named snat-translation objects if they exist.
504827-3 : Use of DHCP relay virtual server might result in tmm crash 'top filter'.
Component: Local Traffic Manager
Symptoms:
The Traffic Management Microkernel (TMM) may produce a core file with the 'Assertion "top filter" failed' error message.
As a result of this issue, you may encounter one or more of the following symptoms:
Your BIG-IP system fails over to the standby system if configured for HA.
Messages similar to the following example are logged to the /var/log/tmm* files:
notice panic: ../modules/hudfilter/hudnode.c:310: Assertion "top filter" failed.
Messages similar to the following example are logged to the /var/log/ltm file:
notice sod[8810]: 01140045:5: HA reports tmm NOT ready.
Messages similar to the following example are logged to the /var/log/messages file:
notice logger: Started writing core file: /var/core/tmm.0.bld2384.0.core.gz for PID 13897
notice logger: Finished writing 236194271 bytes for core file: /var/core/tmm.0.bld2384.0.core.gz for PID 13897
Your BIG-IP system generates TMM core files to the /var/core directory, with a time stamp that correlates to the traffic interruption, similar to the following example:
-rw-r--r-- 1 root root 226M Apr 13 15:09 tmm.0.bld2384.0.core.gz
Conditions:
This issue occurs when the following condition is met:
A Dynamic Host Configuration Protocol (DHCP) relay virtual server and another BIG-IP virtual server are both configured to use the same IP address and port combination.
Impact:
The BIG-IP system may temporarily fail to process traffic as it recovers from TMM restarting, and systems configured as part of a high availability (HA) group may fail over. Traffic disrupted while tmm restarts.
Workaround:
Avoid configuring virtual servers that share address:port with DHCP relay virtual server.
In releases prior to version 11.5.4, use regular IP forwarding virtual servers if the virtual server is not for Relay but just for 'forwarding'. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for Relay.
Fix:
Verify existing serverside flows are actual relay flows before reusing it.
504803-4 : GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
Component: TMOS
Symptoms:
Local Traffic Pool list does not show Pools with names that contain the characters 'mam' starting at the 5th position of the name.
Conditions:
This occurs using the GUI.
Impact:
Cannot see these pools in the GUI.
Workaround:
Use tmsh to list pools with mam in the name.
Fix:
Pools with a name that end in mam are now showing up in the Pools list in the GUI.
504633-7 : DTLS should not update 'expected next sequence number' when the record is bad.
Component: Local Traffic Manager
Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause the unexpected sequence number of good records dropping.
Conditions:
DTLS receives a bad record with a very large sequence number.
Impact:
DTLS might drop the good records that have smaller sequence number packets than the bad records.
Workaround:
None.
Fix:
The system now updates the 'expected next sequence number' only when the record is good.
504606-6 : Session check interval now has minimum value
Component: Access Policy Manager
Symptoms:
Session check interval can be changed or turned off completely for debug purposes.
Conditions:
Using the session check interval.
Impact:
Session check interval may be set to excessively short value.
Workaround:
None.
Fix:
Session check interval now has a minimum (5000 msec), which prevents the value from being too small.
504572-3 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue
Solution Article: K30038035
Component: TMOS
Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.
Conditions:
The packets needs to be fully accelerated by ePVA.
Impact:
Potential performance downgrade.
Workaround:
None.
Fix:
PVA accelerated 3WHS packets are new egressed on correct hardware COS queue.
504508-4 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
Solution Article: K16773
Component: TMOS
Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.
Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled
Impact:
IPsec tunnel goes down, traffic stops.
Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.
Fix:
IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.
504496-4 : AAA Local User Database may sync across failover groups
Component: TMOS
Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.
Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.
Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.
Fix:
AAA Local User Database now syncs correctly.
504494-4 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.★
Solution Article: K43624250
Component: TMOS
Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.
Conditions:
Pre-upgrade there is exists a HA Group that is disabled.
Upgrade to 11.5.x or later from 10.2.x or 11.x (pre-11.5.0) to a version earlier than 12.0.0, 11.5.4, or 11.6.1.
Impact:
If the BIG-IP system is rebooted after the upgrade, it's possible that the switch will fail over because the HA group score is used even though the HA group is disabled.
Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.
Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.
504461-3 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
Component: Access Policy Manager
Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.
Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.
Impact:
APM is unable to complete the access policy.
Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.
504396-3 : When a virtual's ARP or ICMP is disabled, the wrong mac address is used
Component: Local Traffic Manager
Symptoms:
When using tmsh to modify the icmp_enabled or arp_enabled property of a virtual address object from true to false, tmm does not reset the internal state properly. This results in a tmm using the VLAN's true MAC as the source MAC instead of the traffic group's MAC masquerade address.
Conditions:
Using MAC masquerading in a high availability (HA) traffic group.
Impact:
Packets may be dropped by switches or routing tables improperly updated.
Workaround:
None.
Fix:
When a virtual server's ARP or ICMP is disabled, the correct MAC address is now used.
504384-3 : ICMP attack thresholds
Component: Advanced Firewall Manager
Symptoms:
ICMP flood protection triggers at an earlier than expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic is sent to the same tmm when it contains the same ID but the threshold takes into account the number of tmms.
Conditions:
When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.
Impact:
The forwarded ICMP traffic has higher priority that regular traffic causing normal traffic to potentially get dropped sooner as compared to forwarded traffic.
Workaround:
None
Fix:
ICMP attack traffic with same ID being forwarded to a single TMM for processing is now tagged with the correct priority.
504306-7 : https monitors might fail to re-use SSL sessions.
Component: Local Traffic Manager
Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.
Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur.
For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.
Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers.
BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.
Workaround:
None.
Fix:
https monitors now properly perform SSL session re-use.
504225-1 : Virtual creation with the multicast IPv6 address returns error message
Component: Local Traffic Manager
Symptoms:
When LTM has DHCPv6 profile attached to a virtual server with relay mode configured with multicast IPv6 address, it will return error message, '01020064:3: IPv6 Address ff02::1:2 is invalid, Multicast address not allowed.'
Conditions:
Create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.
Impact:
Cannot create a IPv6 virtual server with multicast IPv6 address and DHCPv6 relay mode profile attached.
Workaround:
None.
Fix:
Can now create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.
504182-2 : Enforcer cores after upgrade upon the first request★
Component: Application Security Manager
Symptoms:
If an ASM security policy contains entities with an invalid configuration from a previous version, UCS load will fail and leave the device in an inconsistent state, leading to BD crash.
Conditions:
-- An ASM security policy contains entities with an invalid configuration from a previous version.
-- This can occur on an upgrade from 11.5.x to 11.6.0 prior to HF5.
Impact:
UCS load will fail and leave the device in an inconsistent state, leading to BD crash.
Workaround:
Correct ASM entity configuration before upgrade.
Fix:
This release fixes an upgrade issue where the Enforcer crashed after the upgrade upon the first request.
504105-3 : RR-DAG enabled UDP ports may be used as source ports for locally originated traffic
Component: Local Traffic Manager
Symptoms:
RR-DAG enabled UDP ports may be used as the source port on locally originated connections.
Conditions:
Disaggregation mode set to RR-DAG
Impact:
Connections may be forwarded between tmms resulting in a performance impact
Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.
503979-3 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
Component: Local Traffic Manager
Symptoms:
When DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server is responding slowly and the cache resolver is sending queries to name servers at a high rate, the CPU usage of the BIG-IP system might be vary high.
Conditions:
(1) Configure the cache resolver to have a large value (, for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp.
(2) The cache resolver sends queries to the name servers at a high rate.
(3) The backend name server is responding slowly to the cache resolver.
Impact:
The CPU usage might be extremely high. Site might be unstable.
Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.
Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.
503841-4 : Slow performance with delete_string_class_member in iControl-SOAP
Component: TMOS
Symptoms:
Starting 11.5.1 HF6, deleting ~9000 strings takes about 60 seconds to complete.
Conditions:
Delete a large number of strings with the delete_string_class_member API in iControl-SOAP.
Impact:
Poor performance and can cause time out
Fix:
With the fix in place, deleting ~9000 strings take about 5 seconds.
503741-14 : DTLS session should not be closed when it receives a bad record.
Solution Article: K16662
Component: Local Traffic Manager
Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'
In the BIG-IP implementation, DTLS chooses to disconnect the session when it receives invalid record.
Conditions:
DTLS receives a bad record packet.
Impact:
DTLS disconnects the session.
Workaround:
None.
Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
503676-5 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
Component: Service Provider
Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.
Conditions:
The occurs when the following conditions are met: -- Virtual server has a SIP profile. -- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events. -- SIP REFER, INFO, or UPDATE request is received on the virtual server.
Impact:
iRule event is not executed.
Workaround:
none
Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.
503652-1 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
Solution Article: K17162
Component: Service Provider
Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.
Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.
Impact:
Some SIP UDP traffic packets might be lost.
Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.
Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.
503620-2 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
Component: Local Traffic Manager
Symptoms:
BIG-IP SSL when using ciphers ECDHE_ECDSA and DHE_DSS does not work consistently with OpenSSL clients using OpenSSL versions 1.0.1k or later.
Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.
Impact:
SSL handshake failed. The OpenSSL clients might encounter a decryption error while reading the server key exchange.
Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.
Fix:
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS with OpenSSL client version OpenSSL 1.0.1k and later.
503604-2 : Tmm core when switching from interface tunnel to policy based tunnel
Component: TMOS
Symptoms:
When the configuration is changed from interface tunnel to policy based tunnel, tmm crashes.
Most likely this is a timing issue where the pnh is not updated while the policy was updated. So the policy_type (policy_interface vs policy_ipsec) mismatched.
Conditions:
Traffic passing in the background and change the configuration from interface tunnel to policy based tunnel.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
When switching from interface tunnel to policy based tunnel, tmm cores.
503600-3 : TMM core logging from TMM while attempting to connect to remote logging server
Solution Article: K17149
Component: TMOS
Symptoms:
TMM crash and coredump while logging to remote logging server.
Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.
Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.
Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.
Fix:
TMM no longer crashes and coredumps while logging to remote logging server.
503560-5 : Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
Component: Local Traffic Manager
Symptoms:
Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
Conditions:
HTTP transparent profile is attached to a virtual server. Statistics profile now cannot be attached to the same virtual server.
Impact:
Only a Statistics profile or an HTTP transparent profile may be assigned to a single virtual server.
Workaround:
None.
Fix:
The validation logic is now changed so as to allow a Statistics profiles and an HTTP transparent profile to be attached to the same virtual server simultaneously.
503541-3 : Use 64 bit instead of 10 bit for Rate Tracker library hashing.
Component: Advanced Firewall Manager
Symptoms:
Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep & Flood DoS vectors.
Conditions:
When Sweep and Flood vector is enabled in AFM module.
Impact:
Impact to Sweep and Flood detection rate accuracy.
Workaround:
None.
Fix:
The system now uses 64 bit instead of 10 bit for Rate Tracker hashing, which results in more accuracy in attack detection and mitigation.
503471-2 : Memory leak can occur when there is a compressed response, and abnormal termination of the connection
Solution Article: K17395
Component: Application Visibility and Reporting
Symptoms:
Memory utilization grows over time.
Conditions:
This issue occurs when the BIG-IP system sends a compressed response, and an abnormal termination of the connection occurs.
Impact:
Memory leak in TMM that grows over time.
Workaround:
Avoid configuration of Application DoS with Client-side mitigation.
Fix:
A memory leak has been fixed that occurred when there was a compressed response and an abnormal termination of the connection.
503343-9 : TMM crashes when cloned packet incorrectly marked for TSO
Component: Local Traffic Manager
Symptoms:
TMM cores
Conditions:
1. Clone pool configured
2. Clone MTU > Client or Server MTU
3. tm.tcpsegmentationoffload db var in "disable" state
4. TSO enabled in client or server side interface
5. TSO disabled in clone interface
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the configured clone pool
Fix:
Prevent TMM crash due to cloned packet incorrectly marked for TSO.
503319-5 : After network access is established browser sometimes receives truncated proxy.pac file
Solution Article: K16901
Component: Access Policy Manager
Symptoms:
On MAC OSX platform, After network access is established, poxy.pac received by the browser is truncated.
Conditions:
This occurs if proxy.pac file is larger than 65535 bytes (~65 KB).
Impact:
Large proxy.pac file might not be downloaded or might be truncated.
Workaround:
Reduce proxy.pac file size so that merge file is less than ~65 KB.
Fix:
Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.
503257-13 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
Component: Local Traffic Manager
Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.
Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.
Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.
Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.
Fix:
Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST.
503214-11 : Under heavy load, hardware crypto queues may become unavailable.
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.
Conditions:
BIG-IP system under heavy load and using hardware crypto.
Impact:
HA failover. You might see messages similar to the following:
-- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
-- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
-- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.
Workaround:
None.
Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.
503125-2 : Excessive MPI net traffic can cause tmm panics on chassis systems
Component: Local Traffic Manager
Symptoms:
Excessive MPI net traffic can cause tmm panics on chassis systems.
Conditions:
This occurs on chassis systems with excessive internal traffic resulting from abnormal load distribution or excessive session DB usage. The session DB usage can be the result of modules or of custom iRules that store session data.
Impact:
Temporary outage and possible failover when using HA. The source conditions will also continue on the new active device, which can cause repeated failovers. When this occurs, the tmm logs will contain messages similar to: notice MPI stream: connection to node 127.20.3.24 expired for reason: TCP retransmit timeout
Workaround:
If affected by this when using iRules to create custom keys and data, this can be partially mitigated by consolidating multiple keys and using smaller key lengths as possible. This is affected by the amount of data stored as well, but large keys can exacerbate the issue.
Fix:
Excessive MPI net traffic no longer causes tmm panics on chassis systems.
503118-1 : clientside and serverside command crashes TMM
Component: Local Traffic Manager
Symptoms:
When parking command is used inside clientside or serverside, tmm crashes.
Conditions:
Parking command, e.g., the table command, is used inside clientside or serverside command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the parking command outside clientside or serverside command.
Fix:
Parking command can run inside clientside and serverside.
The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.
503085-2 : Make the RateTracker threshold a constant
Component: Advanced Firewall Manager
Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.
Conditions:
When Sweep and Flood is enabled in AFM module.
Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.
Fix:
The RateTracker threshold is now a constant, which improves detection rate accuracy.
502959-3 : Unable get response from virtual server after node flapping
Component: Local Traffic Manager
Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.
Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.
Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).
Workaround:
None.
Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.
502852-4 : Deleting an in-use custom policy template
Component: Application Security Manager
Symptoms:
If a user tries to delete a custom policy template while there are still security policies in the system that were created from that template, the delete will fail. This also leaves the custom template in an unusable state that can neither be used to create further Policies nor can it ever be deleted.
Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.
Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after there are no longer any policies created from it left on the system.
Workaround:
Contact support for a script that will disassociate all user defined policy templates from existing policies.
This will allow any user defined template to be successfully deleted.
Fix:
If you fail to delete a custom policy template because an existing security policy refers to it, it no longer leaves the custom policy template in an unusable state.
502770-3 : clientside and serverside command crashes TMM
Component: Local Traffic Manager
Symptoms:
When the parking command is used inside clientside or serverside, tmm crashes.
Conditions:
Parking command, e.g. table command, is used inside clientside or serverside command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the parking command outside clientside or serverside command.
Fix:
Parking command can run inside clientside and serverside.
The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.
Behavior Change:
clientside and serverside command error out if client side or server side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client side connection does not exist. To work correctly, change the script to: SSL::disable clientside.
502747-13 : Incoming SYN generates unexpected ACK when connection cannot be recycled
Component: Local Traffic Manager
Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.
Conditions:
This can occur when the following conditions are met:
- IP addresses and ports of SYN match an existing connection;
- Sequence number of the SYN is greater than 2^31+ from previously sent FIN;
- Existing connection is in TIME_WAIT state;
- Virtual server has time_wait_recycle enabled.
Impact:
Client will generate RST and connection must be re-tried.
Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.
Fix:
The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled.
502714-6 : Deleting files and file object references in a single transaction might cause validation errors
Solution Article: K75031635
Component: TMOS
Symptoms:
Deleting files and file object references in a single transaction can lead to a validation error.
This might occur during device group configuration sync, an iApp, a tmsh cli transaction, or an iControl transaction.
Conditions:
A file object is deleted in the same transaction that its references are also deleted.
Impact:
This can cause an invalid validation error, including during a config sync.
Workaround:
In the case of iControl and tmsh, file object references must first be deleted/removed in a separate transaction. In the case of config sync, perform a full sync.
Fix:
File objects properly resolve references within the transaction, so there are no validation errors when deleting files and file object references in a single transaction.
502683-6 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
Component: Local Traffic Manager
Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.
Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.
Impact:
Intermittent connection failures.
Workaround:
Run software SYN-Cookie algorithm. Use the DB variable.
This makes sure software is running correct generation and validation algorithm.
Fix:
Traffic is now handled correctly in certain corner cases involving hardware syncookies.
502443-9 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
Solution Article: K16457
Component: Local Traffic Manager
Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.
Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.
Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool members.
Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.
Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.
Behavior Change:
The external monitoring daemon (bigd) no longer sends monitoring traffic while the blade (cluster member) is offline or disabled, or while the HA member (chassis or appliance) is offline (including forced offline).
502441-7 : Network Access connection might reset for large proxy.pac files.
Component: Access Policy Manager
Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.
Conditions:
MAC Edge client, browsers, Network Access, large proxy.pac file.
Impact:
Network Access connection might reset.
Workaround:
Reduce the proxy.pac file size to be less than 10 KB.
Fix:
Network Access connection does not reset if a large proxy.pac file is configured.
502414-3 : Make the RateTracker tier3 initialization number less variant.
Component: Advanced Firewall Manager
Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30$.
Conditions:
When Sweep and Flood vector is enabled in AFM module.
Impact:
Sweep and Flood attack detection at higher than configured levels.
Workaround:
None.
Fix:
An optimization was made to Rate Tracker that makes attack detection more accurate.
502269-2 : Large post requests may fail using form based SSO.
Component: Access Policy Manager
Symptoms:
SSOV2 modifies the payload for big post requests and since the server does not understand this, so all such transactions fail.
Conditions:
Large post requests using form based SSO.
Impact:
SSOV2 is a very common use case for APM. Many applications are configured with SSOV2. Any large post in such case will fail.
Workaround:
This issue has no workaround at this time.
Fix:
The fix essentially does not modify the payload so the applications have no problem.
502238-2 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
Solution Article: K16736
Component: TMOS
Symptoms:
BIG-IP can experience sudden and permanent traffic interruption, impacting all traffic through TMM.
Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring.
The exact conditions under which this occurs is unknown, but it requires sudden transmission of a number of large packets that require TSO in order to result in a full transmit ring.
Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.
Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm.
If TSO is not disabled, three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
Fix:
Three related fixes are needed to fully address the issue:
-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:
-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
502174-6 : DTLS fragments do not work for ClientHello message.
Component: Local Traffic Manager
Symptoms:
DTLS fragments do not work for ClientHello message.
Conditions:
DTLS ClientHello splits into multiple fragments.
Impact:
Both first handshake and renegotiation are affected.
Fix:
DTLS ClientHello fragments are now handled.
502149-2 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
Solution Article: K06334742
Component: Local Traffic Manager
Symptoms:
When archiving cert/key via GUI, the following error message is displayed : 'EC keys are incompatible for Webserver/EM/iQuery.'
Conditions:
When archiving cert/key via GUI.
Impact:
Intermittently, an error is received when trying to archive key or certificates via GUI.
Workaround:
None.
Fix:
iControl stores the mode info and set a default value to it, so no error is reported..
502049-3 : Qkview may store information in the wrong format
Component: TMOS
Symptoms:
When creating a new monitor, some information may be stored in the wrong format.
Conditions:
Create a new monitor. Run qkview.
Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.
Workaround:
None.
Fix:
Monitor information is now stored in the correct format.
502048-3 : Qkview may store information in the wrong format
Component: TMOS
Symptoms:
When creating a new monitor, some information may be stored in the wrong format.
Conditions:
Create a new monitor. Run qkview.
Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.
Workaround:
None.
Fix:
Monitor information is now stored in the correct format.
501986-2 : Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process
Component: Advanced Firewall Manager
Symptoms:
There is a need for Sweep and Flood vectors to be very accurate (+-5%). To ensure that Sweep and Flood can be very accurate the system needs a mode in which the Sweep and Flood vectors work per-TMM process. In this case the traffic must be very well distributed for it to be effective.
BIG-IP systems now has a sys db tunable which is: dos.globalsflimits which is true by default. If the tunable is set to false, then the Sweep and Flood vectors work per-TMM process. The limits that have been configured are divided equally among the various TMM processes, and because the traffic is well-distributed among the TMM processes, the system will get close to the limits specified.
Conditions:
When Sweep and Flood vector is enabled in AFM module.
Impact:
If the db variable is changed to false, the incoming traffic must be well distributed.
Workaround:
None.
Fix:
Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process.
501953-1 : HA failsafe triggering on standby device does not clear next active for that device.
Component: TMOS
Symptoms:
An HA failsafe triggering on a standby device that is marked as next active for a traffic group does not clear the next active setting for that device. This leaves the system in a state in which the device designated as next active cannot take over for the active device in the case of a failure.
Conditions:
-- High availability (HA) setup with two or more devices in a device trust and device group.
-- HA failsafes are configured on one or more devices in the device group.
-- The HA failsafes are triggered on a device that is currently in the standby state and designated next active for a traffic group.
Impact:
A device marked as next active for a traffic group with a triggered HA failsafe does not take over a traffic group in the case of a failure on the active switch.
Workaround:
Workaround is to force the device in question offline, so that another device is marked as next active.
Fix:
The system now correctly removes the next active setting for a device when it is in standby mode and an HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.
501714-4 : System does not prevent low quality JPEGs from optimizing to higher quality (becoming larger) does not work when AAM image optimization enabled and JPEG quality in policy is higher than JPEGs on OWS.
Component: WebAccelerator
Symptoms:
The test to prevent JPEGs on OWS with low quality from being 'optimized' to higher quality (if the quality setting in WAM policy is higher than in the file on OWS) is not working.
Conditions:
AAM image optimization enabled and the JPEG quality in AAM policy is higher than the JPEGs on OWS.
Impact:
image optimization can make the file significantly bigger.
Workaround:
Add the line below to /service/wamd/settings (create the file if it does not exist):
export WAMD_OPT_IMAGES_NO_BIGGER=all
Note this will return the original file if the 'optimized' one comes out bigger: subtly different behavior than making any other requested changes but leaving the quality the same as the file on OWS.
Fix:
The test to prevent low quality JPEGs from optimizing to higher quality (becoming larger) is fixed.
501690-7 : TMM crash in RESOLV::lookup for multi-RR TXT record
Component: Local Traffic Manager
Symptoms:
TMM crashes with a specific ASSERT-based backtrace.
Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values.
501612-5 : Spurious Configuration Synchronizations
Component: Application Security Manager
Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.
Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.
Impact:
The synchronization state of a device group erroneously changes to "Pending"
Workaround:
None.
Fix:
Items that are not synchronized across a device group no longer cause changes to the synchronization state.
501517-5 : Very large configuration can cause transaction timeouts on secondary blades
Solution Article: K17478
Component: TMOS
Symptoms:
Messages with 'end_transaction message timeout on connection 0x5ea9a9c8 (user mcpd-primary)' in them in the ltm log after a secondary blade is inserted or restarted.
Conditions:
A multi-bladed system with a very large configuration that takes more than a minute to transfer to secondary blades.
Impact:
mcpd's transaction does not complete and the configuration is not loaded properly.
Workaround:
None.
Fix:
Increased the transaction timeout to accommodate very large configuration transfers.
501516-4 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
Component: Local Traffic Manager
Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.
Conditions:
A system with a large number of monitors configured.
Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.
Workaround:
Reduce the number of monitors on the system.
Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.
501498-4 : APM CTU doesn't pick up logs for Machine Certificate Service
Component: Access Policy Manager
Symptoms:
CTU report does not contain logs from Machine Certificate Service.
Conditions:
When the CTU report is run, it does not contain data in the logs.
Impact:
Logs are not available to technical staff
Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.
Fix:
CTU correctly pick ups logs for Machine Cert service.
501480-2 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
Component: Advanced Firewall Manager
Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.
Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.
Fix:
AFM DoS Single Endpoint Sweep and Flood Vectors now correctly handles traffic so that TMM does not crash.
501437-6 : rsync daemon does not stop listening after configsync-ip set to none
Component: TMOS
Symptoms:
If a device is not in a Device Services Clustering configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.
Conditions:
This occurs when the following conditions are met: -- Device is not in a Device Services Clustering configuration. -- Self device has a configsync-ip set.
Impact:
The rsync server may continue to listen even after it is expected that it will not listen.
Workaround:
None.
Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.
501371-2 : mcpd sometimes exits while doing a file sync operation
Solution Article: K39672730
Component: TMOS
Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might post an operation similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example):
query_all {
sync_file {
sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql"
sync_file_target_dg "/Common/HA_Rhodes_APM"
sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh"
sync_file_originator "/Common/LNJDCZ-VPN1.example"
}
}
Conditions:
mcpd is performing a file sync.
Impact:
Randomly, mcpd exits, triggering a failover.
Workaround:
None.
Fix:
Ensured mcpd no longer exits while performing a file sync.
501343-2 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
Component: TMOS
Symptoms:
In FIPS HA setup when the FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but it actually is the public-handle and not the private-handle.
Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.
Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.
Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.
500938-4 : Network Access can be interrupted if second NIC is disconnected
Component: Access Policy Manager
Symptoms:
Networks Access connection breaks if second NIC disconnects.
Both NICs should be connected to same network. This happens for a specific Network Access configuration.
Conditions:
Network Access configuration:
* Full tunnel with "Prohibit routing table changes during Network Access connection" set to true.
* Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0.
Client with 2 NICs both connected to the same network.
Impact:
NA is interrupted.
500925-2 : Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
Component: Advanced Firewall Manager
Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in Rate Tracker library.
Conditions:
When sweep and flood vector is enabled in AFM module.
Impact:
No way to control number of merges per second of Rate Tracker, which could help in Rate Tracker libray accuracy.
Workaround:
None.
Fix:
Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
500786-4 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server with HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in out-of-memory situation.
Conditions:
-- FastL4 virtual server with HTTP profile.
-- Handles HTTP cloaking traffic that starts up as HTTP and then switches over to non-HTTP data
Impact:
Memory growth could grow unbounded due to lack of flow control. This may lead to out of memory conditions eventually.
Workaround:
Two mitigation scenarios exist:
1. Avoid using FastL4 with HTTP profiles, unnecessarily.
2. If it cannot be avoided:
-- Use FastL4 and HTTP-Transparent profile combinations instead.
-- Set the http-transparent profile attribute enforcement.pipeline to 'pass-through'.
This allows the HTTP filter to run in 'passthrough' mode which avoids the excessive memory consumption.
Fix:
If the FastL4 virtual server with HTTP profile handles HTTP cloaking traffic that starts up as HTTP and then switches over to non-HTTP data, memory growth no longer increases unbounded due to lack of flow control.
500640-2 : TMM core might occur if FLOW_INIT iRule attached to Virtual server
Solution Article: K21264026
Component: Advanced Firewall Manager
Symptoms:
TMM core is seen when FLOW_INIT iRule is applied to Virtual server for global rule
Conditions:
When logging is enabled and a FLOW_INIT rule is applied and the system gets packets but cannot find virtual server.
Impact:
TMM core and restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Added check for NULL context in connflow to avoid rare crash bug.
500452-3 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
Solution Article: K28520025
Component: TMOS
Symptoms:
PB4300 blade tries to disaggregate the ESP traffic based on the IPsec ESP Security Parameter Index (SPI) value in hardware. But the blade used doesn’t have that capability, which causes ESP traffic being sent to one HSB and results in throughput degradation.
Conditions:
When PB4300 receives ESP traffic.
Impact:
Throughput degradation.
Workaround:
None.
Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.
500450-2 : ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
Component: Access Policy Manager
Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. APM websso module does not honor the Set-Cookie modification, nor the injection. ASM subsequently causes the connection to reset.
Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then APM websso module does not honor this.
Impact:
Connection reset on the above condition.
Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.
Fix:
The APM websso module is modified to handle an ASM use case. Now the websso reparses the HTTP 401 response header from the server at the client side in addition to the current parsing at server-side processing.
With this fix any Set-Cookie modification or addition by ASM is sent to server in the response to 401 header.
500424-5 : dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
Component: Carrier-Grade NAT
Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."
Conditions:
A DNAT state log entry that is interpreted as invalid
Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings
Workaround:
remove the DNAT state chunk that produces the error.
Fix:
DNATUtil will continue on even if it encounters an error. It will report the error but not exit.
500365-5 : TMM Core as SIP hudnode leaks
Component: Service Provider
Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.
Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.
Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.
Workaround:
Although there is no workaround to prevents the issue, you can recover from the memory-leak condition by restarting tmm.
Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.
500303-11 : Virtual Address status may not be reliably communicated with route daemon
Solution Article: K17302
Component: Local Traffic Manager
Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not me communicated to the routing services (that is, the tmrouted service).
This can result in incorrect routes.
Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.
Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.
Workaround:
None.
Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
500234-3 : TMM may core during failover due to invalid memory access in IPsec components
Component: TMOS
Symptoms:
TMM cores when transitioning from standby to active.
Conditions:
This might occur when the following conditions are met: -- An IPsec tunnel is enabled. -- The BIG-IP system is a member of an HA pair. -- The BIG-IP system transitions from standby to active.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.
500091-3 : CVE-2015-0204 : OpenSSL Vulnerability
Solution Article: K16139
500088-10 : OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
Solution Article: K16123
500034-2 : [SMTP Configuration] Encrypted password not shown in GUI
Component: Application Visibility and Reporting
Symptoms:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password field is empty in the configuration utility when accessing the newly created SMTP object. TMSH shows the password in hash format.
Conditions:
1. authentication is enabled.
2. username and password are configured.
Impact:
SMTP authentication fails.
Workaround:
After saving the SMTP configuration for the first time using the configuration utility, use only TMSH, REST API, or iControl to edit it or re-enter the password.
Note: This will not fix sending AVR e-mails. The only way to send e-mail before this fix is using a non-authenticated SMTP server.
Fix:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password is correctly decrypted using standard BIG-IP tools.
500003-3 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
Component: Local Traffic Manager
Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.
Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:
1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.
2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.
3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.
4) Any unicast misdirection of NTP traffic to the management port not covered above.
Impact:
NTP time syncing stops on affected BIG-IP systems.
Workaround:
To remove the iptables rule that is causing the problem:
# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0.
Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot:
iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip.
Fix:
Incoming NTP packets from configured NTP server to non-local IP now works correctly with outgoing NTP.
499950-6 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
Component: Local Traffic Manager
Symptoms:
Inconsistent persistence entries across TMMs.
Conditions:
This occurs under the following conditions are met: -- intra_cluster HA configuration. -- node flapping.
Impact:
Inconsistent persistence behaviors.
Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:
when PERSIST_DOWN {
persist delete source_addr [IP::client_addr]
}
For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.
Fix:
An issue involving inconsistent behavior of persistence across TMMs is fixed.
499947-3 : Improved performance loading thousands of Virtual Servers
Component: TMOS
Symptoms:
In v11.5.1 and newer, when loading thousands of Virtual Servers, mcpd might become overloaded, causing loads to take a long time, or fail entirely when mcpd times out and is restarted.
This might be more severe if GTM was enabled.
Conditions:
Thousands of Virtual Servers, GTM enabled. The problem is caused when tracking the state of Virtual Address changes and broadcasting those state changes under certain circumstances.
Impact:
Might cause long load times or configuration load failure because of mcpd timeout and restart.
Workaround:
Disable GTM. Reduce the number of Virtual Addresses.
Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
499946-2 : Nitrox might report bad records on highly fragmented SSL records
Solution Article: K16801
Component: Local Traffic Manager
Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.
Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.
Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.
Workaround:
None.
Fix:
The processing buffers reserve the proper number of subsequent parameters.
499800-2 : Customized logout page is not displayed after logon failure
Component: Access Policy Manager
Symptoms:
Default logout page is displayed instead of customized logout page after maximum logon attempts allowed is reached.
Conditions:
1. Access profile has customized logout page.
2. The number of failed logon attempts reaches what is allowed by the policy.
Impact:
User will not see the customized logout page.
Workaround:
None.
Fix:
Customized logout page is now displayed after logon failure.
499795-3 : "persist add" in server-side iRule event can result in "Client Addr" being pool member address
Component: Local Traffic Manager
Symptoms:
When using Universal Persistence, depending on how an iRule is implemented, the Client Addr field in persist records may be the selected pool member's address, instead of the client address.
Conditions:
Universal Persistence
Impact:
The "Client Address" field in persistence records may be wrong. Note that this field is not used for anything in the data path, so this issue is purely cosmetic.
Fix:
Persist record now has correct "Client Addr" even when the owner for the persist record is in different TMM.
499701-6 : SIP Filter drops UDP flow when ingressq len limit is reached.
Component: Service Provider
Symptoms:
UDP stats shows increase in the number of flows and valid SIP messages are dropped.
Conditions:
This occurs when an iRule processing delay occurs (session db operations) combined with increase in the SIP incoming flow.
Impact:
SIP UDP flows are dropped.
Workaround:
None.
Fix:
The SIP UDP flow now remains when the ingress len limit is reached.
499620-8 : BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
Component: Access Policy Manager
Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.
Conditions:
BIG-IP Edge Client for Mac.
Impact:
The BIG-IP Edge Client for Mac displays the incorrect SSL protocol version now in Details.
Workaround:
None.
Fix:
The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.
499537-2 : Qkview may store information in the wrong format
Solution Article: K22406859
Component: TMOS
Symptoms:
When creating a new monitor, some information may be stored in the wrong format.
Conditions:
Create a new monitor. Run qkview.
Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.
Workaround:
None.
Fix:
Monitor information is now stored in the correct format.
499478-3 : Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate
Solution Article: K16850453
Component: Local Traffic Manager
Symptoms:
Bug 464651 fixed a loop issue that occurred when building a certificate chain caused by an invalid configuration in certificates.
That fix unintentionally excluded the root certificate in the chain. While it is still a valid certificate chain, it does result in a change-in-behavior issue that is unacceptable in certain cases.
Conditions:
This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).
Impact:
In some instances, the root certificate must be included in the certificate chain. In other cases, the certificate validation fails.
Workaround:
None.
Fix:
This fix restores the previous behavior by including the root certificate in the chain.
499430-6 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled
Solution Article: K16623
Component: Local Traffic Manager
Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup, if those packet happen to match the host monitor traffic flows.
Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).
Impact:
This results in a traffic bridging loop among active and standby unis. Excessive traffic load might take down monitors on the BIG-IP system.
Workaround:
None.
Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.
499427-4 : Windows File Check does not work if the filename starts with an ampersand
Component: Access Policy Manager
Symptoms:
Windows File Check does not work if the filename starts with an ampersand.
Conditions:
Run Windows file check and add a file name that starts with an ampersand.
Impact:
Depends upon access policy, but in the worst case a user might be allowed to log in.
Fix:
Access policy Windows File check now works with a file name that starts with an ampersand (&).
499422-2 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.
Solution Article: K31310380
Component: Local Traffic Manager
Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
Conditions:
When an ACK with an 'invalid' sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt causes an outgoing ACK to be generated which will repeat if the server behavior repeats.
Impact:
Many connections delayed and CPU usage is very high. Peak usage is around 90%. Traffic suffers severe deterioration.
Workaround:
None.
Fix:
This problem is now corrected by ensuring that when outgoing ACK is being generated that the FIN is stripped if it is not a retransmission of the FIN.
499347 : JSON UTF16 content could be blocked by ASM as Malformed JSON
Component: Application Security Manager
Symptoms:
When JSON UTF16 content is handled by ASM and the content includes one of the characters below, the request could be blocked by ASM policy.
XML_CHAR_BACKSLASH
XML_CHAR_LEFT_CURLY_BRACKET
XML_CHAR_RIGHT_CURLY_BRACKET
Conditions:
ASM policy assigned to a virtual server and the policy configured to enforce JSON content.
Impact:
False positive request blocking.
Workaround:
None.
Fix:
JSON unicode_charmap table has been fixed, thus UTF16 characters are interpreted correctly.
499260-2 : Deleting trust-domain fails when standby IP is in ha-order
Component: TMOS
Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.
Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.
Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows: Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...' In the /var/log/ltm the system posts the message: 'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (BIG-IPsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.
Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.
Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.
499150-2 : OneConnect does not reuse existing connections in VIP targeting VIP configuration
Solution Article: K16721
Component: Local Traffic Manager
Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action 'virtual' or iRule command 'virtual' and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server.
A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.
Conditions:
This occurs when either of the following conditions are met:
-- Virtual-to-virtual configuration with OneConnect profile.
-- iRule contains the following command: node <ip> <port>.
Impact:
An increase in CPU and memory resources occurs due to the increase in connections established and connections that remain in memory.
Workaround:
If not required, remove the OneConnect profile from the client virtual server.
Fix:
Connections are correctly reused even with VIP on VIP configuration.
498992-9 : Troubleshooting enhancement: improve logging details for AWS failover failure.
Component: TMOS
Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.
Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.
Impact:
The lack of logging messages that could pin-point the mis-configuration or connectivity issues on AWS makes it difficult to determine what is causing the Failover to fail.
Workaround:
None
Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.
Behavior Change:
Previously, the following AWS permissions were required when running failover: ec2:AssignPrivateIpAddresses and ec2:DescribeNetworkInterfaces. Failover could fail because of region or key issues, and so an additional AWS permission, ec2:DescribeInstanceStatus, is now also required for running failover.
498782-5 : Config snapshots are deleted when failover happens
Solution Article: K17104
Component: Access Policy Manager
Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the errors below:
1. Login failure/denied.
2. Some webtop resources are missing after successful login.
Conditions:
When the standby node switches to active.
Impact:
User cannot login or access some resources after login.
Workaround:
Restart APD by running the command: bigstart restart apd.
Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.
498704-1 : Module provisioning doesn't properly account for disk space
Component: TMOS
Symptoms:
You are able to provision modules, but module daemons fail to start.
Conditions:
Low free disk space on HD1 as reported by tmsh list sys disk logical-disk
Impact:
The module(s) provisioned may not function.
Workaround:
None
498597-8 : SSL profile fails to initialize and might cause SSL operation issues
Solution Article: K16761
Component: Local Traffic Manager
Symptoms:
When the SSL profile fails to initialize, it causes the SSL enter pass-through mode instead of rejecting traffic.
Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.
Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, as the communication channel does not establish because of a hung SSL connection.
Workaround:
Make sure cert/key is available and has the proper grant access mode.
Fix:
When the SSL profile fails to initialize, it now causes the SSL to reject traffic correctly.
498469-8 : Mac Edge Client fails intermittently with machine certificate inspection
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.
Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.
Impact:
Edge ClienT fails to pass machine certificate inspection.
Fix:
BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.
498361 : Manage ASM security policies from BIG-IQ
Component: Application Security Manager
Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 cannot be managed by BIG-IQ Security.
Conditions:
Using BIG-IQ Security to manage ASM on BIG-IP 11.5.2.
Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.
Workaround:
None.
Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently, discovery of 11.5.2 HF1 by a 4.5 BIG-IQ is disabled by default on the BIG-IP system, and can be turned on by changing the rest_api_extensions option to '1' on the Advanced Configuration/System Variables screen in the ASM user interface (navigate to Security: Options: Application Security: Advanced Configuration: System Variables) on the BIG-IP system. After saving the change, the user is instructed to do a 'tmsh restart sys service asm'. Additionally, the user should restart the httpd service via: 'bigstart restart httpd'.
498334-6 : DNS express doesn't send zone notify response
Solution Article: K16867
Component: Local Traffic Manager
Symptoms:
When a virtual server on the BIG-IP system receives a zone notify message, it does not send a response message back. Instead, it sends the original notify message back to the remote name server.
Conditions:
A zone notify message is sent to a virtual server with a DNS profile. The zone is configured to allow notify from the sender and the notify action is set to be consumed.
Impact:
The remote name server sends the notify message to the BIG-IP system several times since the remote name server does not receive a response message.
Workaround:
None.
Fix:
TMM will correctly send a response message back when processing a zone notify message from a remote name server.
498227 : Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
Component: Advanced Firewall Manager
Symptoms:
Incorrect firewall rule counters are updated upon classifying traffic when rules are re-ordered AND pktclass-daemon is also restarted.
Conditions:
pktclass-daemon restarts and there are active firewall rules present (at any context).
Impact:
While there is no incorrect behavior in matching/classifying traffic, updating incorrect rule counter may lead to impression that traffic is being classified incorrectly.
Workaround:
None
Fix:
The issue regarding update of incorrect rule counter (after pktclass-daemon restarts) has been fixed.
498189-6 : ASM Request log does not show log messages.
Component: Application Security Manager
Symptoms:
The request log does not show log messages related to ASM.
Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.
Impact:
There will not be log messages related to ASM.
Workaround:
Remove the ASM logging profile, apply and re-add the application logging profile.
Fix:
ASM request log now shows log messages related to ASM, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.
498005-1 : The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event
Component: Local Traffic Manager
Symptoms:
The HTTP::payload command could cause the TMM to crash if invoked when HTTP had already started egressing data to other filters.
This could only happen if HTTP::payload was used in a non-HTTP event.
Conditions:
HTTP::payload is used in a non-HTTP iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use i.e. ASM::payload if you want the payload within an ASM event.
Fix:
HTTP::payload will no longer cause a TMM crash if invoked in a non-HTTP event. Instead, an error will be returned to the iRule.
497769-2 : Policy Export: BIG-IP does not export redirect URL for 'Login Response Page'
Component: Application Security Manager
Symptoms:
ASM does not export redirect URLs in 'Login Response Page' for XML policies.
Conditions:
Redirect URL in 'Login Response Page' is used in ASM security policy.
Impact:
Redirect response page is missing from the security policy.
Workaround:
Use binary policy export for exporting redirection response pages for login URL.
Fix:
This release fixes an issue with XML policy export where the redirect response page was missing from the security policy.
497742-5 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
Component: Local Traffic Manager
Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.
Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.
Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.
Workaround:
Enable SNAT on the virtual server.
Fix:
All TCP re-transmits have the proper source MAC address.
497732 : Enabling specific logging may trigger other unrelated events to be logged.
Component: Advanced Firewall Manager
Symptoms:
When logging is enabled for TCP events some internal traffic like UDP could be logged.
Conditions:
When logging is enabled in AFM for TCP events.
Impact:
Some unwanted log messages with show up
Workaround:
There is no work around.
Fix:
Fixed a bug where undesired traffic was logged when TCP events logs were enabled.
497719-12 : NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
Solution Article: K15934
497681-3 : Tuning of Application DoS URL qualification criteria
Component: Application Visibility and Reporting
Symptoms:
Application DoS can not be tuned in order to tell which transactions are qualified for client side mitigation.
Conditions:
This occurs in response to the following scenario:
1. Create new L7-DoS profile, enable CS injection prevention.
2. Send more than 10 requests to a qualified URL. Make sure that URL is detected as qualified.
3. Send 1 request with HEAD or TRACE methods.
Impact:
URL will be detected as non-qualified. AVR does not qualify URLs according to the system's qualification criteria.
Workaround:
None.
Fix:
This release provides tuning for the Application DoS URL qualification criteria.
497671 : iApp GUI: Unable to add FW Policy/Rule to context via iApp
Component: Advanced Firewall Manager
Symptoms:
Unable to add FW Policy/Rule to context via iApp. Error message appears: "General database error retrieving information."
Impact:
Unable to create FW rules via iApp.
Workaround:
The issue is fixed. But could configure via tmsh.
Fix:
Fixed
497667 : Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error
Component: Advanced Firewall Manager
Symptoms:
PCCD gives error exhausted; causes inability to activate new mgmt port rules.
Conditions:
The mgmt port is configured as an IPV4 interface and an ICMPv6 protocol rule is applied with the action set to reject or vice-versa.
Impact:
error: resources exhausted; causes inability to activate new mgmt port rules
Fix:
Validation added to block invalid application of management firewall rule specifying ICMPv6 when management interface is configured with only IPv4 address. Validation also detects the reverse condition (IPv6 management address, ICMPv4 firewall rule). A descriptive error message is added.
497662-4 : BIG-IP DoS via buffer overflow in rrdstats
Component: Access Policy Manager
Symptoms:
BIG-IP DoS via buffer overflow in rrdstats
Conditions:
rrdstats given malformatted input
Impact:
Crash in rrdstats - some services unavailable while rrdstats down
Workaround:
No workaround. rrdstats will be restarted by BIG-IP
Fix:
Improved request parsing to make it more robust against invalid formats.
497627-2 : Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
Solution Article: K58125050
Component: Access Policy Manager
Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).
Conditions:
APM network access and no leasepool is created on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.
Fix:
TMM does not core now when using APM network access and no leasepool is created on the BIG-IP system.
497619-7 : TMM performance may be impacted when server node is flapping and persist is used
Solution Article: K16183
Component: Performance
Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.
Conditions:
This intermittent issue occurs when a pool members goes up and down when using source_addr persistence.
Impact:
System performance is impacted.
Workaround:
This issue has no workaround at this time.
Fix:
The intermittent performance impact no longer occurs when a pool members goes up and down when using source_addr persistence.
497584-5 : The RA bit on DNS response may not be set
Component: Local Traffic Manager
Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.
Conditions:
If the system caches a message from the authoritative server without the rd bit, and subsequent queries with rd set find that message, the first message will not be used because the rd bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not the non-transparent cache.
Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.
Workaround:
To work around this issue, write an iRule to set the RA bit when the cache is a resolver. Must also check origin for CACHE.
Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.
497564-5 : Improve High Speed Bridge diagnostic logging on transmit/receive failures
Component: TMOS
Symptoms:
When an HSB transmitter or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.
Conditions:
The HSB experiences a transmitter or receive failure.
Impact:
The unit is rebooted.
Workaround:
None.
Fix:
Improved High Speed Bridge diagnostic logging on transmit/receive failures.
497436-3 : Mac Edge Client behaves erratically while establishing network access connection
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, then it drops the connection. A user might see a cycle of connect/re-connect again.
Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.
Impact:
User cannot establish network access connection.
Workaround:
None.
Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with routing table patch coding deleting an essential route has been resolved.
497389-2 : Extraneous dedup_admin core
Component: Wan Optimization Manager
Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.
Conditions:
Race condition during shutdown of vcmp with 2 blades.
Impact:
Extraneous dedup_admin core generated.
Workaround:
None
Fix:
Missing virtual destructor was added.
497342-2 : TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
Component: Advanced Firewall Manager
Symptoms:
Critical system failure due to TMM process restarting.
Conditions:
Following conditions will trigger the TMM crash:
i) AFM rule match triggers an iRule execution.
ii) iRule has one (or more) FLOW_INIT event with 2 (or more) commands that result in aborting the connection (e.g. 'drop' followed by 'reject')
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The aforementioned TMM crash has been fixed.
497325-5 : New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
Solution Article: K16643
Component: Access Policy Manager
Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.
Conditions:
This is a rare, environment-based issue.
Impact:
New users cannot log in to Windows-based systems
Workaround:
Remove \F5 Networks\VPN\client.f5c file.
Fix:
A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.
497311-1 : Can't add a ICMPv6 type and code to a FW rule.
Component: Advanced Firewall Manager
Symptoms:
Can't add a ICMPv6 type and code to a FW rule
Conditions:
choose the protocol as ICMPv6 and try to add a type and code.
Impact:
Firewall Rule Creation Page gets affected.
Workaround:
Use tmsh to add ICMPv6 type and code to a FW rule.
Fix:
GUI now accepts firewall rules specifying ICMPv6 with type and code.
497304-10 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled
Component: TMOS
Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:
-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.
Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.
Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.
Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.
497299-7 : Thales install fails if the BIG-IP system is also configured as the RFS
Component: Local Traffic Manager
Symptoms:
Thales install fails.
Conditions:
This occurs when the BIG-IP system is also configured as the RFS.
Impact:
Cannot use Thales HSM with the BIG-IP system.
Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with: Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No), perform the following steps: 1. Open a new SSH connection to the BIG-IP system. 2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x. 3. Return to nethsm-thales-install.sh SSH screen and answer 'Yes'. The script should now exit with a success message.
Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.
497263-2 : Global whitelist count exhausted prematurely
Component: Advanced Firewall Manager
Symptoms:
You receive an error message with this signature: error 0107181d:3: Cannot create white list entry, maximum limit 8 entries reached.
Conditions:
This can occur when configuring entries on both BIG-IP's in a sync group and syncing them. The whitelist count may be less than 8 but the error is still generated.
Impact:
You may receive an error message while creating a whitelist telling them they've exceeded the global whitelist count limit.
Workaround:
None
Fix:
An internal inconsistency with the system that oversees the whitelist count has been fixed.
497118-6 : Tmm may restart when SAML SLO is triggered
Component: Access Policy Manager
Symptoms:
Tmm restarts when SLO is executed.
Conditions:
BIG-IP is used as SAML SP or IdP, single logout is configured on appropriate objects.
Impact:
tmm may restart
Workaround:
Disable SAML SLO
Fix:
TMM will no longer restart when SAML SLO is triggered.
496998-2 : Update offenders more aggressively. Increase batch size for Dwbld processing.
Component: Performance
Symptoms:
Offenders are not blacklisted fast enough.
Conditions:
DoS configured with auto-blacklisting
Impact:
When DoS doesn't track offenders aggressively, it doesn't report them. Once reported, Dwbld processes the offenders in smaller batches. This impacts how soon an offender is blacklisted.
Workaround:
None
Fix:
DoS code reports offenders more aggressively. Dwbld processes offenders with bigger batches.
496950-2 : Flows may not be mirrored successfully when static routes and gateways are defined.
Component: Local Traffic Manager
Symptoms:
In certain circumstances, some L4 flows may not be successfully remirrored when a standby BIG-IP comes online. This involves a race condition when there are multiple routes and/or gateways defined; if the new standby device does not yet have the lasthop information when it gets the mirrored flow.
Conditions:
Using mirroring with layer 4 virtuals, with gateways and/or static routes defined.
Impact:
Not all flows will have been successfully remirrored to the standby device.
Workaround:
Usually "bigstart restart tmm" will recover most or all of the L4 flows. This does not work perfectly all of the time, but is far less likely to encounter the error condition than a "bigstart restart" or "shutdown -r".
Fix:
The standby device ignores the route to the client when accepting mirrored connections. If failover occurs without a route back to the client, the connection will still fail on failover.
496849-2 : F5 website update retrievals vulnerability
Solution Article: K16090
496845-2 : NTP vulnerability CVE-2014-9296
Solution Article: K15933
496817-7 : Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
Component: Access Policy Manager
Symptoms:
In a reconnect scenario, Big-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.
Conditions:
Proxy is used to create VPN tunnel.
The server is FirePass.
Impact:
The client fails to restore the VPN connection to the FirePass server.
Workaround:
Restart client.
Fix:
Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.
496775-6 : [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor
Solution Article: K16194
Component: Global Traffic Manager (DNS)
Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for the bigip monitor.
Conditions:
LTM (running BIG-IP software older than v11.2.0) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.
GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: One with the original LTM virtual server address, and the other with the translated address: 1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip. 2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.
Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.
Workaround:
You can use either of the following workarounds:
-- Use a monitor other than bigip.
-- Replace /shared/bin/big3d on the LTM system with a copy of a version v11.2.1 or later big3d.
Fix:
The BIG-IP health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.
496758-4 : Monitor Parameters saved to config in a certain order may not construct parameters correctly
Solution Article: K16465
Component: Local Traffic Manager
Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created.
For example:
ltm monitor tcp /Common/child {
defaults-from /Common/parent
destination *.990
interval 5
ip-dscp 0
time-until-up 0
timeout 16
}
ltm monitor tcp /Common/parent {
defaults-from /Common/tcp
destination *:*
interval 5
ip-dscp 0
time-until-up 0
timeout 16
}
Some of the default parameters for the above configuration will not be created upon loading config.
Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.
Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.
Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:
ltm monitor tcp /Common/aaa_parent {
defaults-from /Common/tcp
destination *:*
interval 5
ip-dscp 0
time-until-up 0
timeout 16
}
ltm monitor tcp /Common/bbb_child {
defaults-from /Common/aaa_parent
destination *.990
interval 5
ip-dscp 0
time-until-up 0
timeout 16
}
Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.
496679-3 : Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.★
Component: TMOS
Symptoms:
After renaming a CM device object, or performing an upgrade from a version prior to 11.4.0, configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
Conditions:
This issue occurs when one of the following conditions is met:
-- You load the BIG-IP configuration.
-- You upgrade the BIG-IP system software.
-- You perform a configuration synchronization (ConfigSync) operation for the device group.
The 'default-device' attribute has been deprecated beginning in 11.4.0 in favor of new functionality. Prior to 11.4.0, default-device was used to specify the device-group member that failback tries to make active.
From 11.4.0 and later, when auto-failback is enabled, the system uses the first member of the 'Failover Order' ('ha-order' in tmsh).
In 11.4.0 and later, this field is not used, but will fail validation if it contains a value that does not reference the name of an existing device-group member, or the value 'none'.
Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: 'tmsh load sys config').
Workaround:
Modify any traffic-group default-device attributes that refer to the now-deprecated, default-device name.
Note: The system does not use this value, regardless of how you set it.
To work around this issue, you can modify the traffic-group default-device attribute to refer to default-device none. To do so, perform the following procedure:
1. Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh
2. To list the configured default device for a traffic group, use the following command syntax:
list /cm traffic-group <traffic group name>
For example, to list the configured default device for traffic-group-1, type the following command:
list /cm traffic-group traffic-group-1
3. Use none as the default device for your traffic group using the following command syntax:
modify cm traffic-group <traffic group name> default-device <default device name>.
For example, to modify your default device to none for traffic-group-1, type the following command:
modify cm traffic-group traffic-group-1 default-device none
4. Save the configuration changes by typing the following command:
save /sys config
Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.
496588-2 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
Component: Local Traffic Manager
Symptoms:
TMM may restart
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed a problem that occurred when extracting request headers. This problem could sometimes cause TMM to crash.
496565-2 : Secondary Blades Request a Sync
Component: Application Security Manager
Symptoms:
Secondary blades requesting ASM sync "ASM is now entering sync recovery state. Requesting complete configuration from" noise in the logs, and needless sync work done.
This issue does not affect enforcement or the actual sync state of the devices, it is just requesting extra synchronizations when they may not be needed.
Conditions:
Secondary blade restarts in unsynchronized mode.
Impact:
Unnecessary sync events are created
Workaround:
Restarting the asm_config_server process on the secondary blade should alleviate the issue, but it may recur.
Fix:
To optimize the system, DSC synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.
496278 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
Solution Article: K16294
Component: Advanced Firewall Manager
Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.
Conditions:
Only happens it the Rule names are the same with a single policy.
Impact:
Potentially, the incorrect Rule is disabled.
Workaround:
Make sure Rules have different names.
Fix:
The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.
496011-2 : Resets when session awareness enabled
Solution Article: K17385
Component: Application Security Manager
Symptoms:
A connection reset may occur when a transaction takes a long time (more than 10 seconds together from the request start till the response end).
Conditions:
The session tracking feature is turned on and long transaction occurs.
Impact:
A connection reset.
Workaround:
Turn off session tracking.
Fix:
Connection resets no longer occur when session awareness is enabled and the server response takes a long time.
495928-4 : APM RDP connection gets dropped on AFM firewall policy change
Component: Advanced Firewall Manager
Symptoms:
An active RDP connection over APM VPN tunnel gets dropped when administrator makes a change to the AFM firewall policy.
Conditions:
APM tunnel and its application connections are subject to AFM firewall policy.
Impact:
RDP session disconnects and automatically reconnects.
Workaround:
Add an Allow rule to the firewall policy for destination TCP port 3389.
Fix:
RDP connections no longer get dropped during AFM firewall policy changes.
495913-3 : TMM core with CCA-I policy received with uninstall
Component: Policy Enforcement Manager
Symptoms:
If a CCA-I is received with Charging-Rule-Remove AVP for the session then TMM will core.
Conditions:
CCA-I message received with charging-rule-remove AVP
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed the tmm crash when CCA-I with policy uninstall is received.
495901-4 : Tunnel Server crash if probed on loopback listener.
Component: Access Policy Manager
Symptoms:
VPN client might disconnect and reconnect.
Conditions:
Unexpected request is sent on tunnel server loopback listener.
Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.
Workaround:
None.
Fix:
Additional check implemented in tunnel server before accepting incoming connection.
495865-4 : iApps/tmsh cannot reconfigure pools that have monitors associated with them.
Solution Article: K15116582
Component: TMOS
Symptoms:
iApps are unable to reconfigure pools that have monitors associated with them.
Conditions:
Using tmsh or iApps in the GUI to re-configure the pool monitor (for example, changing the monitor from 'http' to 'none').
Impact:
Monitor change does not occur. GUI or tmsh might post an error similar to the following: Monitor rule not found.
Workaround:
None.
Fix:
Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction.
495862-7 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down
Component: TMOS
Symptoms:
Invalid display of virtual status.
Conditions:
When all pool members forced down and the pool member's connection limit has been reached.
Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.
Workaround:
None.
Fix:
Virtual status now stays red if all the pool members are down.
495702-3 : Mac Edge Client cannot be downloaded sometimes from management UI
Solution Article: K40419383
Component: Access Policy Manager
Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.
Conditions:
Mac Edge Client, BIG-IP management UI.
Impact:
Mac Edge Client cannot be downloaded.
Workaround:
None.
Fix:
BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.
495698 : iRule can be deleted even though it exists in a rule-list
Component: Advanced Firewall Manager
Symptoms:
The rule-list will reference a non existent iRule.
Conditions:
Have a rule-list that contains an iRule, and then delete that iRule.
Impact:
iRule will no longer have an effect, even though it still appears to be contained in the rule-list.
Workaround:
Do not delete an iRule if it is referenced by a rule-list.
Fix:
Introduced validation to ensure that a referenced iRule cannot be deleted.
495588-4 : Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases★
Component: Local Traffic Manager
Symptoms:
Configuration fails with Syntax Error after upgrading to 11.5.0 from pre-11.5.0 releases.
Conditions:
When upgrading from a pre-11.5.0 release to version 11.5.0, the key/cert have an extra period in the name (for example mykey..key and mycert..crt). Beginning with version 11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name. During upgrade, the system provides a name for each key/cert, which can cause problems if the existing key/cert name contains a period character.
Impact:
Configuration load fails, and the system posts the alert: Syntax Error:(/config/bigip.conf at line: 12) one or more configuration identifiers must be provided.
Workaround:
Manually edit the bigip.conf to add a title for the cert-key-chain, and then run the command: tmsh load sys config.
Fix:
Before v11.5.0, Clientssl profile only supports one key/cert pair, no name associated with the key/cert pair. In v11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name.
495574-6 : DB monitor functionality might cause memory issues
Solution Article: K16111
Component: Local Traffic Manager
Symptoms:
TMM restarts continuously.
Conditions:
DB monitors configured
Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).
Workaround:
Either kill the DB monitor java process or issue a bigstart restart.
Fix:
DB monitor functionality might cause memory issues.
495526-2 : IPsec tunnel interface causes TMM core at times
Component: TMOS
Symptoms:
If users choose to modify the tunnel interface attributes, such as MTU value, TMM cores. This can occur regardless if traffic has flowed through the tunnel.
Conditions:
When IPsec tunnel interface has its configuration modified.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid modifying IPsec tunnel interface. Configure IPsec tunnel interface in one shot, using either create or delete.
Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.
495443-3 : ECDH negotiation failures logged as critical errors.
Component: Local Traffic Manager
Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.
Conditions:
An SSL negotiation failure involving ECDH key agreement.
Impact:
Spurious critical error logs.
Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.
Fix:
These ECDH failures are now logged as non-critical errors.
495432-1 : Add new log messages for AFM rule message load/activation in datapath.
Component: Advanced Firewall Manager
Symptoms:
An AFM rule message is compiled/serialized by pktclass, and TMM is notified to activate it in datapath. However, there is no visibility to indicate whether the activation failed or succeeded.
Conditions:
AFM rule serialization message is processed by TMM.
Impact:
No visible indication of whether the AFM rule serialized message is successfully being used in the data path.
Workaround:
None.
Fix:
The system now logs a message in /var/log/ltm that the AFM rule serialized message is activated in datapath.
495390-2 : An error occurs on Active Rules page after attempting to reorder Rules in a Policy
Component: Advanced Firewall Manager
Symptoms:
An error occurs on Active Rules page after attempting to reorder Rules in a Policy: "An error has occurred while trying to process your request."
Conditions:
Attempting to reorder rules if they span more than one page
Impact:
You cannot reorder the rules, and an error message is displayed, "An error has occurred while trying to process your request."
Fix:
Reordering of rules is now working.
495336-5 : Logon page is not displayed correctly when 'force password change' is on for local users.
Solution Article: K39768154
Component: Access Policy Manager
Symptoms:
Logon page is not displayed correctly when 'force password change' is on for local users.
Conditions:
When more than one logon page is configured in the Access policy, and the administrator sets 'Force Password Change' in the local user account database.
Impact:
Although it is correct behavior to require an initial password change and to require a logon after changing the password, the expected first page is a one-time password-change request, instead of the same change-password change page displayed twice.
Workaround:
The current workaround is to add 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }.
Fix:
The system now shows the correct logon page after the successful password change.
495335-4 : BWC related tmm core
Solution Article: K17436
Component: TMOS
Symptoms:
tmm coredumps while BWC is processing packets.
Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Avoid a divide by zero while computing average packet size.
495319-9 : Connecting to FP with APM edge client is causing corporate network to be inaccessible
Component: Access Policy Manager
Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.
Conditions:
APM Edge Client, Firepass server, network access connection.
Impact:
Incomplete network access.
Workaround:
None.
Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.
495265-6 : SAML IdP and SP configured in same access profile not supported
Component: Access Policy Manager
Symptoms:
SLO might not work properly under certain conditions.
When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)
Conditions:
All conditions must be met:
1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.
Impact:
SLO is not properly executed; users's session might not be terminated.
Workaround:
None.
Fix:
A problem with SAML single-logout has been fixed.
495253-5 : TMM may core in low memory situations during SSL egress handling
Solution Article: K16603
Component: Local Traffic Manager
Symptoms:
TMM may core in low memory situations during SSL egress handling.
Conditions:
This occurs when the following conditions are met: -- Low memory. -- SSL connections
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer cores in low-memory situations during SSL egress handling.
495242 : mcpd log messages: Failed to unpublish LOIPC object
Component: Local Traffic Manager
Symptoms:
The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.
Conditions:
This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created.
Impact:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored.
Workaround:
None.
495030-3 : Segfault originating from flow_lookup_nexthop.
Component: Local Traffic Manager
Symptoms:
Segfault originating from flow_lookup_nexthop when neighbor_resolve is not able to determine the next hop.
Conditions:
Memory pressure or error condition.
Impact:
tmm core and tmms restart.
Fix:
Segfault originating from flow_lookup_nexthop problem has been corrected.
494977-1 : Rare outages possible when using config sync and node-based load balancing
Component: Local Traffic Manager
Symptoms:
In rare circumstances it is possible for tmm to experience an outage when processing traffic and using config sync. This is rare and appears to be related to a combination of config sync and processing traffic shortly after the tmm is brought online.
Conditions:
Using config sync and node-based load balancing. This has only been observed early in traffic processing during a config sync; it does not appear to be related to how long the tmm has been online (e.g., online and not processing traffic or online in standby does not seem to make any difference; however, issuing a config sync and failing over at the same time might cause this to occur.)
Impact:
Interruption in service or HA failover.
Fix:
Fixed a error that rarely occurred using config sync and node-based load balancing early in traffic processing.
494743-8 : Port exhaustion errors on VIPRION 4800 when using CGNAT
Solution Article: K17389
Component: Carrier-Grade NAT
Symptoms:
You may see the following on a VIPRION 4800 platform configured to use LSN deterministic NAT:
crit tmm3[12240]: 01010201:2: Inet port exhaustion on ...
Conditions:
VIPRION 4800 platform with multiple blades with LSN deterministic NAT
Impact:
DNAT port exhaustion alert,
Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.
Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil, which fixes the port exhaustion alerts.
494637-6 : localdbmgr process in constant restart/core loop
Solution Article: K80550446
Component: Access Policy Manager
Symptoms:
The localdbmgr process keeps crashing repeatedly.
Conditions:
The issue is caused by corruption in the contents stored in the memcache. Although the conditions under which the memory corruption occurs are not reproducible, this is a rarely occurring issue.
Impact:
The localdbmgr process crashes repeatedly.
Workaround:
None.
Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.
494565-3 : CSS patcher crashes when a quoted value consists of spaces only
Solution Article: K65181614
Component: Access Policy Manager
Symptoms:
CSS content that contains some spaces between quotes leads to rewrite crash.
Example:
...
background: url(' ') // some spaces between quotes
...
Conditions:
Conditions leading to this problem include any case when CSS content contains a quoted value which consists of spaces only.
Impact:
The impact of this issue causes a rewrite crash which leads to a possible web application malfunction.
Workaround:
To work around this issue, create a particular iRule that removes mentioned spaces between quotes.
494367-4 : HSB lockup after HiGig MAC reset
Component: TMOS
Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.
Conditions:
-- HiGig MAC reset.
-- BIG-IP 5000/7000-series and 10250 platforms.
Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit.
The system posts messages similar to the following in the LTM log:
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN.
-- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event.
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP. ...
-- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.
Workaround:
None.
Fix:
HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.
494333-1 : In specific cases, persist cookie insert fails to insert a session cookie when using an iRule
Component: Local Traffic Manager
Symptoms:
The 'persist cookie insert' and 'persist cookie rewrite' iRule commands fail to set session cookies.
Conditions:
A persistence cookie profile with a timeout of zero must be applied. If either command is used without an explicit timeout, LTM will fail to set a session cookie.
Impact:
TMM sets a cookie that expires using timeout of 180 instead of a session cookie.
Workaround:
Explicitly specify a 0 for the cookie timeout in the iRule.
Fix:
Cookie persistence now works as expected.
494322-5 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
Component: Local Traffic Manager
Symptoms:
If the flow inside a HTTP_REQUEST event raised by the explicit proxy is expired, the TMM may crash.
Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.
Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.
Workaround:
Avoid the HTTP_REQUEST event if possible.
Fix:
The TMM no longer crashes when under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy works correctly.
494305-6 : [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
Solution Article: K36360597
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to remove the first virtual server listed in alphabetical order from the dependent list of virtual server if there are multiple virtual servers in the dependency list.
Conditions:
Virtual server with several dependency virtual servers configured.
Impact:
Cannot manage virtual server dependency list using GUI as expected.
Workaround:
Use the corresponding tmsh commands to manage the virtual server dependency list.
Fix:
You can now use the GUI to remove the alphabetically first virtual server from the dependent list of virtual servers.
494284-10 : Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status.
Solution Article: K16624
Component: Access Policy Manager
Symptoms:
With BIG-IP Edge Client for Mac, when primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded text wording.
Conditions:
Edge Client for Mac, when primary language is set to German on the Mac.
Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'
Workaround:
None.
Fix:
For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.
494189-3 : Poor performance in clipboard channel when copying
Component: Access Policy Manager
Symptoms:
JavaRDP client hangs when user tries to copy very large text fragment into clipboard.
Conditions:
User tries to copy very large text fragment.
Impact:
JavaRDP client lags or hangs on copying. In the worst case, user should close and reconnect JavaRDP client.
Workaround:
None
Fix:
Clipboard channel has significantly better performance now.
494176-1 : Network access to FP does not work on Yosemite using APM Mac Edge Client.
Component: Access Policy Manager
Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.
Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.
Impact:
Network access cannot be established with FirePass.
Workaround:
None.
Fix:
Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.
494122-6 : Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
Solution Article: K02533962
Component: Carrier-Grade NAT
Symptoms:
Deterministic NAT HSL state information is not useable by dnatutil, resulting in "Unparseable line" error.
Conditions:
Deterministic NAT and HSL logging for LSN pool on a VIPRION B4300 blade.
Impact:
Cannot use the HSL logged state information for dnatutil.
Workaround:
Use LTM logged deterministic NAT state information.
Fix:
Deterministic NAT state information from HSL is now usable on VIPRION B4300 blades.
494098-9 : PAC file download mechanism race condition
Solution Article: K16857
Component: Access Policy Manager
Symptoms:
PAC file download mechanism might encounter a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.
Conditions:
The /etc/hosts is patched with the static entry of the host that contains PAC file.
Impact:
Proxy PAC file fails to download.
Workaround:
Add delay in proxy PAC file download to avoid race condition.
Fix:
PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.
494088-5 : APD or APMD should not assert when it can do more by logging error message before exiting.
Component: Access Policy Manager
Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.
Conditions:
In some rare situation apmd (for example, access 'profile not found', failure in 'loading policy object'), APD, APMD assert. This results in dumping core.
Impact:
Restarting of APD, APMD and core file.
Workaround:
None.
Fix:
Now, in some rare situations where previously APD or APMD would assert, the system logs proper error messages before exiting. This results in restarting APD or APMD.
494070-4 : BIG-IP DNS cannot use a loopback address with fallback IP load balancing
Solution Article: K59225090
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS cannot use a loopback address with fallback IP load balancing.
Conditions:
BIG-IP DNS pool using fallback IP load balancing.
Impact:
Cannot configure a loopback address using fallback IP load balancing.
Workaround:
None.
Fix:
Now, a BIG-IP DNS Pool fallback IP address can be localhost.
494008-4 : tmm crash while initializing the URL filter context for SWG.
Component: Access Policy Manager
Symptoms:
tmm crash while initializing the URL filter context for SWG.
Conditions:
It is not known what triggers this crash. It may be connected to BIG-IP being unable to update the SWG database.
Impact:
Traffic disrupted while tmm restarts.
Fix:
tmm no longer crashes while initializing the URL filter context for SWG.
493807-4 : TMM might crash when using PPTP with profile logging enabled
Solution Article: K15989
Component: Carrier-Grade NAT
Symptoms:
TMM might crash when using PPTP with profile logging enabled.
Conditions:
This occurs when the following conditions are met: -- PPTP-ALG with log profile enabled. -- CGNAT configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable logging from the PPTP profile.
Fix:
Using PPTP with profile logging now works correctly and no longer causes TMM to crash.
493673-5 : DNS record data may have domain names compressed when using iRules
Solution Article: K12352524
Component: Local Traffic Manager
Symptoms:
Some DNS record types forbid dns name compression in their record data, e.g., the NAPTR Replacement field. For certain parts of the DNS feature set, some of these record datum may have compressed names, e.g., DNS iRules, DNSSEC, GTM.
Conditions:
Using iRules.
Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.
Workaround:
None.
Fix:
Fields are properly not compressed, e.g., the NAPTR Replacement field.
493558-3 : TMM core due to SACK hole value mismatch
Solution Article: K16206
Component: Local Traffic Manager
Symptoms:
TMM cores with 'sack scoreboard population counts valid' assert. The TMM core occurs due to lost-packet retransmitted packet value mismatch.
Conditions:
This occurs when processing retransmitted packets configured for selective acknowledgement (SACK), when multipath TCP (MPTCP) and selective negative acknowledgement (SNACK) are enabled with a SNACK-supporting client.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are two possible workarounds: -- Disable MPTCP. -- Disable the SNACK option in the TCP profile.
Fix:
TMM handles the case, and no longer cores due to lost-packet retransmitted packet value mismatch.
493487-5 : Function::call() and Function::apply() wrapping does not work as expected
Solution Article: K45558362
Component: Access Policy Manager
Symptoms:
Function::call() and Function::apply() wrapping does not work as expected.
Conditions:
This occurs when using an indirect method call.
Impact:
Possible Adobe Flash web application malfunction, but the symptoms can vary.
Fix:
Indirect method call using Function::call() or Function::apply() works properly now.
493401-3 : Concurrent REST calls on a single endpoint may fail
Component: Application Security Manager
Symptoms:
Concurrent REST PATCH calls on a particular endpoint, or configuration by BIG-IQ, may fail due to database deadlocks.
Conditions:
Concurrent REST PATCH calls were made on a particular endpoint, or device was configured by BIG-IQ.
Impact:
Configuration changes fail due to database deadlock.
Workaround:
Return values from REST calls should be checked before proceeding to next call.
Fix:
Fixed a MySQL deadlock that occurred when using REST API to send several patch requests to parameters of a security policy.
493385-9 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
Component: Access Policy Manager
Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.
Conditions:
BIG-IP MAC Edge client customized for a specific language.
Impact:
The UI might show the generic icon set for MAC edge client in the system menu.
Workaround:
Remove customization for that language.
Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.
493360-4 : Fixed possible issue causing Edge Client to crash during reconnect
Component: Access Policy Manager
Symptoms:
Edge Client may rarely crash during reconnect.
Conditions:
Session reconnection using Edge Client. When APM session closes on BIG-IP (by a timeout, or by other options, for example, 'Restrict to Single Client IP') the Edge Client starts new session. Occasionally when reestablishing connection to the BIG-IP system, the Edge Client crashes.
Impact:
Rarely encountered crash.
Workaround:
None.
Fix:
Fixed possible issue that could cause BIG-IP Edge Client for Windows to crash during reconnect.
493246-1 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
Solution Article: K17414
Component: TMOS
Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.
Conditions:
SNMP query for sysCpuSensorSlot 0.
Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.
Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.
Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.
493223-2 : syscalld core dumps now keep more debugging information
Component: TMOS
Symptoms:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump has little visibility into what commands were being run at the time.
Conditions:
syscalld is mostly invoked by the GUI or CMI sync to trigger the configuration being saved.
Impact:
syscalld core dumps will occur and generate customer cases, but it is difficult for a developer to obtain any useful information.
Workaround:
None.
Fix:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.
493164-4 : flash.net.NetConnection::connect() has an erroneous security check
Solution Article: K62553244
Component: Access Policy Manager
Symptoms:
Accessing some content in a different domain does not work as expected because of an erroneous security check.
Conditions:
This occurs when getting a URI property immediately after calling the connect() method.
Impact:
Possible Flash web application malfunction, but symptoms vary.
Fix:
The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.
493140-6 : Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
Solution Article: K16969
Component: Local Traffic Manager
Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity using offset and length parameters to calculate the hash, the system creates incorrect persistence entries.
Conditions:
Cookie hash persistence profile and iRule on top of that specifies offset and length of the cookie to be used for hashing is needed.
Impact:
Incorrect persistence entries are created.
Fix:
Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.
493117-12 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
Solution Article: K16986
Component: Local Traffic Manager
Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.
Conditions:
Must have an advertised virtual address, and change its netmask.
Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.
Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.
Fix:
Now, an advertised route remains advertised after its netmask is changed.
493006 : Export of huge policies might endup with 'too many pipes opened' error
Component: Access Policy Manager
Symptoms:
Export of huge policies might endup with 'too many pipes opened' error. Policy must be >321 element
Conditions:
Huge policy (300+ elements i.e. ~100 items)
Impact:
It's not possible to export access policy
Workaround:
N/A
Fix:
Extra huge policies are exportable
492780-3 : Elliptic Curves Extension in ServerHello might cause failed SSL connection.
Solution Article: K37345003
Component: Local Traffic Manager
Symptoms:
Supported Elliptic Curves Extension is present in ServerHello, but some clients cannot process it.
Conditions:
The issue occurs when Supported Elliptic Curves Extension is present in ServerHello when presented to a client that cannot process it.
Impact:
Failed SSL connection.
Workaround:
None.
Fix:
Elliptic Curves Extension has been removed to support more types of clients.
492732-1 : Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646
Solution Article: K15912
492701-2 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
Component: Access Policy Manager
Symptoms:
Previously resolved Location-Specific Object (LSO) on target devices are overwritten by values on source device in a new Policy Sync operation with new LSO to resolve.
Conditions:
Perform a Policy Sync on a profile with LSO, make changes to the LSO on resolution.
Perform another Policy Sync on the same profile with new LSO that requires resolution
Impact:
Previously customized values for LSO on target device are lost.
Workaround:
Config the value back on target device after the new sync.
Fix:
Customized LSO values on target device from previous Policy Sync will be retained after a new Policy Sync with new LSO.
492422-3 : HTTP request logging reports incorrect response code
Solution Article: K24508323
Component: TMOS
Symptoms:
HTTP request logging reports 200/OK response code before any response has been received.
Conditions:
HTTP request logging enabled.
Impact:
Misleading messages in the logs. These messages are benign and can safely be ignored.
Fix:
Response code now reported only in HTTP response logs.
492368-10 : Unbound vulnerability CVE-2014-8602
Solution Article: K15931
492305-2 : Recurring file checker doesn't interrupt session if client machine has missing file
Component: Access Policy Manager
Symptoms:
If file required for recurring file checker agent is deleted on client machine when session already established - session would not be interrupted.
Conditions:
File checker agent is used.
Recurring check is enabled for it.
Impact:
Session is not interrupted when it should be.
Fix:
Now session is interrupted when file required for recurring file check is missing.
492238-9 : When logging out of Office 365 TMM may restart
Solution Article: K16848
Component: Access Policy Manager
Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).
Conditions:
The problem occurs under these conditions: 1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As a part of a SLO request, the SP sends unsupported query parameters.
Impact:
Under certain conditions TMM may restart.
Workaround:
To work around the problem, disable SLO on the BIG-IP system.
Fix:
TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).
492163-6 : Applying a monitor to pool and pool member may cause an issue.
Solution Article: K12400
Component: TMOS
Symptoms:
Typically, when applying a monitor to pool and a monitor to pool member, there are no issues. In a scenario where the pool monitor is incompatible with the pool member, it can cause validation issue.
Conditions:
A scenario where the pool monitor is incompatible with the pool member, it can cause validation issue. For example, a pool with an http monitor and a wildcard pool member (even if pool member had its own monitor).
Impact:
Failed transaction or configuration load.
Workaround:
Remove the pool monitor, load, then add pool monitor back.
Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.
492153-7 : Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.
Solution Article: K17055
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel changes to deprecated.
Conditions:
BIG-IP Edge Client monitors the state of IP address for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, there is an issue that causes the tunnel to shut down when the state of IP address is changed to deprecated.
Impact:
Tunnel processing halts.
Fix:
BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.
492149-2 : Inline JavaScript with HTML entities may be handled incorrectly
Component: Access Policy Manager
Symptoms:
If JavaScript code is included into an HTML page and contains HTML entities inside, it may be processed incorrectly by Portal Access.
Conditions:
HTML page which contains inline JavaScript code with HTML entities inside.
Impact:
Web application does not work as expected.
Workaround:
Use an iRule for each individual case to correct this behavior.
Fix:
Now JavaScript code with HTML entities inside is processed correctly.
492122-4 : Now Windows Logon Integration does not recreate temporary user for logon execution each time
Solution Article: K42635442
Component: Access Policy Manager
Symptoms:
Temporary user 'f5 Pre-Logon User' is created and deleted each time it is used which prevents the performance of domain operations like adding that user to specific domain group or setting properties because the SSID changes every time.
Conditions:
This happens when both of these conditions exist:
1. Windows Logon Integration is used.
2. Enforce access policy execution option is selected.
Impact:
As a result, it is impossible to manage the temporary user 'f5 Pre-Logon User'.
Fix:
Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next usage.
491791-2 : GET on non-existent pool members does not show error
Component: TMOS
Symptoms:
Performing a GET on nonexistent pool members does not show an error.
Conditions:
This occurs when using iControl REST with nonexistent pool members.
Impact:
The returned response typically indicates an almost-empty resource instead of a not-found error.
Workaround:
Use members GET for all members and iterate through the items returned to determine if a pool member exists.
Fix:
Performing a GET on nonexistent pool members now shows an error when using iControl REST with nonexistent pool members.
491771-1 : Parking command called from inside catch statement
Component: Policy Enforcement Manager
Symptoms:
If inside a proc or control statement (if, for, while) and a parking command (like table, session, open, send, RESOLVE::lookup) which is called from catch statement followed by a command which results in TCL error (caught), TMM will core with SIGFPE panic and this message:
panic: TclExecuteByteCode execution failure: end stack top < start stack top
Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
proc id491771 {
# WILL CAUSE TMM TO CRASH
catch { [table lookup "key"] }
}
The correct usage of "catch" is without the brackets:
proc id491771 {
catch { table lookup "key" }
}
Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc or control statement (e.g., if, for, while)
Impact:
TMM cores with a SIGFPE and this panic string:
panic: TclExecuteByteCode execution failure: end stack top < start stack top
Workaround:
Any command which completes without parking after the parking command but before the error will prevent the issue. For instance
set A "a"
Another solution is to move "catch" statement outside of proc or control statement into body of script.
Alternately remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a mistake in coding of the iRule.
491716-3 : SNMP attribute type incorrect for certain OIDs
Component: TMOS
Symptoms:
The following OIDs have an incorrect setting of Gauge when they should be Integer:
sysIntfMediaIndex
sysIfIndex
sysPacketFilterAddrIndex
sysPacketFilterVlanIndex
sysPacketFilterMacIndex
sysStpBridgeTreeStatIndex
sysStpInterfaceTreeStatIndex
sysHostCpuIndex
sysIntfMediaSfpIndex
Conditions:
SNMP queries to some F5 enterprise OIDs.
Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.
Fix:
All F5 enterprise MIB attribute which include a limited value range have been changed to type Integer.
491556-10 : tmsh show sys connection output is corrected
Solution Article: K16573
Component: TMOS
Symptoms:
tmsh show sys connection output is corrupted for certain user roles.
Conditions:
This occurs for users with user roles that do not have access to all partitions.
Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.
Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.
Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.
491554-5 : [big3d] Possible memory leakage for auto-discovery error events.
Solution Article: K54162409
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d process may leak memory.
As a result of this issue, you may encounter one or more of the following symptoms:
You notice a progressive increase in the amount of memory that the big3d process uses.
The big3d process produces a core file in the /shared/core directory.
The BIG-IP system unexpectedly fails over to another system in the device group.
The monitoring system marks the monitored device as unavailable.
Conditions:
This issue occurs when all of the following conditions are met:
Your system is actively monitored by a BIG-IP GTM or Enterprise Manager system.
The monitoring system is configured with discovery enabled.
The big3d process returns error messages to monitor requests.
Impact:
Memory usage for the big3d process increases, and may eventually affect other services and overall system performance.
Workaround:
None.
Fix:
big3d no longer leaks memory during auto-discovery failure events.
491518-5 : SSL persistence can prematurely terminate TCP connection
Component: Local Traffic Manager
Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.
Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.
Impact:
Premature close of TCP connection and potential data loss.
Workaround:
Disable SSL persistence.
Fix:
SSL [session id] persistence no longer prematurely terminate TCP connection.
491454-8 : SSL negotiation may fail when SPDY profile is enabled
Component: Local Traffic Manager
Symptoms:
SSL handshake fails when SPDY profile is attached.
Conditions:
This occurs when the following conditions are met: -- Client (i.e., Chrome for Android) attempts to use SPDY protocol using Next Protocol Negotiation (NPN) during SSL handshake. -- BIG-IP system has a Cavium Nitrox card.
Impact:
SSL handshake or other connection failure.
Workaround:
Remove SPDY profile.
Fix:
SSL handshake now completes successfully when a SPDY profile is attached when Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.
491406-2 : TMM SIGSEGV in sctp_output due to NULL snd_dst
Component: TMOS
Symptoms:
Crash in tmm sctp_output routine.
Conditions:
SCTP incorrectly processes a duplicate or unexpected COOKIE_ECHO following association shutdown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash.
491371-4 : CMI: Manual sync does not allow overwrite of 'newer' ASM config
Solution Article: K17285
Component: Application Security Manager
Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precludes the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.
Conditions:
Devices are set up in a Manual Sync ASM-enabled group.
Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.
Workaround:
Make a spurious change on the device that has an older config and then push the changes to the peer.
Fix:
An older ASM configuration can now be manually pushed to a peer in a device group.
491352-4 : Added ASM internal parameter to add more XML memory
Component: Application Security Manager
Symptoms:
It is not possible to add more than 1.2 GB of memory to the XML parser.
Conditions:
More than 1.2 GB of XML memory is needed for the XML parser.
Impact:
XML out-of-memory messages; traffic dropped.
Workaround:
None.
Fix:
This release adds the internal parameter 'additional_xml_memory_in_mb' that enables specifying an additional amount of XML memory (as specified in MB).
491233-9 : Rare deadlock in CustomDialer component
Solution Article: K16105
Component: Access Policy Manager
Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.
Conditions:
CustomDialer component.
Impact:
Cannot log in. Requires hard boot to resolve.
Fix:
The CustomDialer component has been updated to prevent a rarely occurring deadlock.
491185-3 : URL Latencies page: pagination limited to 180 pages
Component: Application Visibility and Reporting
Symptoms:
When there is a lot of information in URL Latencies with paging being available for more than 180 pages, no data is being displayed when switching to any of the pages above 180
Conditions:
URLs count exceeds 1800
Impact:
Not all URLs will be visible
Workaround:
Filtering can be used to limit the number of results below 1800.
Fix:
Number of reported URLs is now limited to 1000 (100 pages), consistent with other reporting pages.
491080-2 : Memory leak in access framework
Solution Article: K92821195
Component: Access Policy Manager
Symptoms:
When multiple concurrent attempts are made to access a resource protected by APM, one of these attempts proceeds to policy execution and the rest get a message stating that session evaluation is in progress. The page that delivers this message has a unique identifier in the URL that causes the caching of this page to be ineffective. Multiple cache entries are created and these entries present themselves as a leak.
Conditions:
Use of APM.
Multiple concurrent accesses to a resource protected by a virtual server with an APM profile attached.
Note that no prior established sessions must exist for that client for this to happen.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.
490936-1 : SSLv2/TLSv1 based handshake causing handshake failures
Component: Local Traffic Manager
Symptoms:
You are experiencing SSL handshake failures. /var/log/ltm contains error messages that read tmm[16895]: 01260009:7: Connection error:9044: invalid pre-master secret (40)
Conditions:
This occurs with clientssl profiles enabled and a client sends a CLIENTHELLO containing a SSLv2 or TLSv1 version in the handshake message.
Impact:
SSL connection unable to establish; error generated. Note this only occurs for clients that send SSLv2 or TLSv1 in the hello.
490893-9 : Determinstic NAT State information incomplete for HSL log format
Solution Article: K16762
Component: Carrier-Grade NAT
Symptoms:
Deterministic NAT state information incomplete for HSL log format, could possibly result in incorrect reverse and forward map for dnatutil when using with HSL logged state information.
Conditions:
Found to affect VIPRION B2250 blades with HTSPLIT enabled, when using dnatutil with HSL logged deterministic NAT state for reverse map.
Impact:
Reverse and forward map could be incorrect when use with HSL logged deterministic NAT state information.
Workaround:
Use LTM logged deterministic NAT state information for reverse or forward map.
Fix:
HSL logged deterministic NAT state information can be use to correctly forward and reverse map.
490844-2 : Some controls on a web page might stop working.
Solution Article: K50522620
Component: Access Policy Manager
Symptoms:
Some controls on a web page might stop working.
Conditions:
Some events with that execute in web applications.
Impact:
Unexpected web application malfunctions.
Workaround:
Create an iRule specific to each case.
Fix:
Problems with EventTarget.addEventListener() new feature support were fixed.
490830-3 : Protected Workspace is not supported on Windows 10
Component: Access Policy Manager
Symptoms:
APM does not support Protected Workspace on Windows 10
Conditions:
Protected Workspace action configured on BIG-IP APM server.
Users connecting to BIG-IP APM using Windows 10 client.
Impact:
Users cannot use Protected Workspace feature on Windows 10.
Workaround:
n/a
Fix:
Protected Workspace disabled on Windows 10 client.
490801-3 : mod_ssl: missing support for TLSv1.1 and TLSv1.2
Component: TMOS
Symptoms:
This is due to using older versions of httpd
(which includes mod_ssl ...). Newer versions
of httpd as of 2.2.15-39 include the necessary
support for TLSv1.1 and TLSv1.2.
Conditions:
Any older versions of httpd which are not
upgraded to 2.2.15-39 or selectively patched
for the mod_ssl component will not be able
to provide support for TLSv1.1 and TLSv1.2.
Note that in older releases, there is
a dependency on openssl 1.0.1 for a backport
of the mod_ssl changes to actually support
TLSv1.1 and TLSv1.2.
Impact:
No support is provided for TLSv1.1 and TLSv1.2.
Workaround:
Upgrade to one of the following:
12.0.0-hf1 - includes changes to mod_ssl
12.1.0 - includes update to httpd 2.2.15-39
Fix:
Upgrade to httpd 2.2.15-39 (from el6.6)
provides the needed changes to mod_ssl
to support TLSv1.1 and TLSv1.2.
490740-9 : TMM may assert if HTTP is disabled by another filter while it is parked
Component: Local Traffic Manager
Symptoms:
If HTTP is parked in an iRule, if it is disabled by another filter on the client-side it will assert with the message:
TCL passthrough switch state only valid server-side.
Conditions:
A HTTP iRule on the client side parks. Another filter tells HTTP to disable itself.
Impact:
The impact of this issue is that the TMM will crash.
Workaround:
Avoid using HTTP::disable in iRules that can run simultaneously with with iRules triggered by the HTTP filter.
Instead, disable
Fix:
HTTP will no longer crash if HTTP is disabled while it is parked on the client side.
490713-5 : FTP port might occasionally be reused faster than expected
Component: Local Traffic Manager
Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.
Conditions:
FTP active mode. Source Port is set to change.
Impact:
FTP port might occasionally be reused faster than expected.
Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.
490681-5 : Memcache entry for dynamic user leaks
Solution Article: K17470
Component: Access Policy Manager
Symptoms:
A race condition causes a memcache entry to remain in memcache forever.
Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.
Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.
Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).
Fix:
Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.
490675-5 : User name with leading or trailing spaces creates problems.
Solution Article: K16855
Component: Access Policy Manager
Symptoms:
User name containing leading or trailing spaces (e.g., ' user1 ') results in processing errors. When the user entry gets created in MySQL it treats the user name ' user1 ' as if it were 'user1', stripping out the spaces at the beginning and the end of the name. The memcache entry does not do the same.
Conditions:
-- There is a user name containing leading or trailing spaces (e.g., ' user1 ').
-- There is the same user name without leading or trailing spaces (e.g., 'user1').
Impact:
Unnecessary memcache entries. There will be multiple entries for the same user (one with and one without spaces). When the dynamic user gets deleted, the regular user name is deleted from memcache and from MySQL; the other user entry remains in memcache.
Workaround:
None.
Fix:
The system now trims leading and trailing spaces from any user name before using it. So the user name is uniform everywhere.
490537-4 : Persistence Records display in GUI might cause system crash with large number of records
Component: TMOS
Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)
Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 100,000, but the number might depend on system configuration and capacity).
Impact:
The system runs out of memory and fails over.
Workaround:
Use TMSH to see Persistence Records and associated statistics.
For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.
Fix:
The fix for this issue allows management of the visibility of Persistence Records using three db variables: ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords.
A db variable setting of "false" prevents the potential system crashes with a large number of persistence records.
Beginning in version 12.0.0, the three db variables default to 'false', preventing use of the config utility to display the persistence records. For fixed versions of 11.5 and 11.6, the db variables default to 'true' to avoid a change in behavior within these versions. It is necessary to modify those variables to 'false' to prevent use of the config utility to display persistence records.
To set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true
-- for DNSGSLB, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true
Important: When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use tmsh to see Persistence Records and associated statistics.
For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.
Behavior Change:
Beginning in version 12.0.0, the db variable ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords defaults to 'false'. In previous versions, the default was 'true.'
That means that Persistence Records are no longer visible by default in the GUI. This prevents potential system crashes with a large number of persistence records. You can manage visibility of Persistence Records using the db variable.
Important: When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics. For example, for LTM, you can use the following command: tmsh show ltm persistence persist-records.
To set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true
-- for DNSGSLB, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true
490429-4 : The dynamic routes for the default route might be flushed during operations on non-default route domains.
Solution Article: K17206
Component: Local Traffic Manager
Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example when non-default route domain is deleted TMM, the operation also removes routes in the default route domain.
Conditions:
This happens on configuration changes and failover.
Impact:
Routing in default route domain might be impacted until tmrouted is restarted.
Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.
Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.
490284-6 : ASM user interface extremely slow to respond (e.g., longer that 2 minutes to render policy list)
Solution Article: K17383
Component: Application Security Manager
Symptoms:
ASM screens take a long time to load. MySQL spikes in usage.
Conditions:
Occurs after several thousand policy configuration changes have been made to the system.
Impact:
Slow ASM user interface pages.
Workaround:
None.
Fix:
The system now takes less time for ASM screens to load.
490174-3 : Improved TLS protocol negotiation with clients supporting TLS1.3
Component: Local Traffic Manager
Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure.
The estimated deployment of clients supporting TLS1.3 is 2016.
Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.
Impact:
Lower performance is the most likely outcome. The hanshake requesting TLS1.3 will fail, after which a client will reconnect with a TLS 1.2 hanhdshake and succeed.
The worst case scenario is inability to establish a connection for clients that only implement standard TLS version negotiation mechanism.
The estimated deployment of clients supporting TLS1.3 is 2016.
Workaround:
This issue has no workaround at this time.
Fix:
TLS server code can now handle ClientHello.protocol_version that is higher than TLS1.2, according to the TLS1.2 specification.
489957-8 : RADIUS::avp command fails when AVP contains multiple attribute (VSA).
Component: Service Provider
Symptoms:
The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP.
Conditions:
One AVP contains multiple attributes (VSA).
Impact:
RADIUS::avp command fails.
Workaround:
None.
Fix:
RADIUS::avp command now completes successfully when AVP contains multiple attribute (VSA).
489845-1 : Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules
Component: Advanced Firewall Manager
Symptoms:
occasionally dwbl will crash after the provisioning of AFM and APM modules
Conditions:
provisioning of AFM and APM modules in BIG-IP at same time
Impact:
sometimes auto-blacklisting will not function because of the crash
Workaround:
NONE
Fix:
Fixed rare crash bug that could occur when provisioning AFM and APM modules at the same time.
489750-2 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
Solution Article: K16696
Component: TMOS
Symptoms:
11.4.0 onwards, deletion of FIPS keys by-handle is expected to throw error if the BIG-IP config contains that key object. However, if the key name is different from the FIPS-label of the key, such deletion by-handle will delete key from FIPS card without checking BIG-IP config. It will not delete that key from BIG-IP config.
Conditions:
Delete FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.
Impact:
FIPS key deletion by-handle may not throw expected error when the FIPS handle corresponds to a key in the BIG-IP config and will delete the key from FIPS card without deleting the key in the BIG-IP config.
Workaround:
First, FIPS key deletion by-handle should be used only for FIPS key handles that don't have corresponding key objects in the BIG-IP config.
If the FIPS key deletion was desired and by-handle deletion is already performed which did not delete the key from BIG-IP config, then follow the below workaround:
After executing:
'tmsh delete sys crypto fips by-handle <handle-number>'
check if the corresponding key still exists in BIG-IP config by executing:
'tmsh list sys crypto key'
If the concerned key did not get deleted, execute:
'tmsh delete sys crypto key <keyname>'
Fix:
The system now handles the case in which deleting FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.
489705-3 : Running out of memory while parsing large XML SOAP requests
Solution Article: K16245
Component: Application Security Manager
Symptoms:
Running out of memory while parsing large XML SOAP requests.
Conditions:
System parses as XML a large multipart file upload.
Impact:
Unnecessary memory allocations which could cause the Enforcer to run out of memory. The system posts an error similar to the following: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.
Fix:
This release fixes an issue where the system parsed as XML a large multipart file upload. Doing that caused unnecessary memory allocations which could cause the Enforcer to run out of memory. The following error message was displayed "ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing".
489682-4 : Configuration upgrade failure due to change in an ASM predefined report name★
Solution Article: K40339022
Component: Application Visibility and Reporting
Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.
Conditions:
Define scheduled report on top of "Top alerted URLs" on 11.3.0 and upgrade the version.
Impact:
Version upgrade fails (the BIG-IP becomes unusable).
Workaround:
Change the "/Common/Top Alerted URLs" reference in the bigip.conf file of the UCS to "/Common/Top Alarmed URLs", and then load the modified UCS.
Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.
489451-2 : TMM might panic due to OpenSSL failure during handshake generation
Solution Article: K17278
Component: Local Traffic Manager
Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.
Conditions:
Low memory. Software-based SSL handshake generation.
Impact:
TMM outage.
Fix:
The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.
489382-8 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
Component: Access Policy Manager
Symptoms:
Browser clients allow Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criteria is not satisfied.
It only happens if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.
Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.
Impact:
Browser allows network access to be established even though it should not
Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.
Fix:
Browser client now selects the appropriate certificate when the match SubjectCN and FQDN criteria is specified in the Machine Cert Auth agent.
489364-6 : Now web VPN client correctly minimizes IE window to tray
Component: Access Policy Manager
Symptoms:
An Internet Explorer window remains on taskbar on Network Access connect even if 'minimize to tray' option is enabled.
Conditions:
Internet Explorer is used and 'minimize to tray' option is enabled
Impact:
IE window stays on desktop
Fix:
Now an Internet Explorer window is correctly minimized to tray.
489328-8 : When BIG-IP virtual accessed with multiple tabs with long initial URLs before session creation can cause TMM crash.
Component: Access Policy Manager
Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.
Conditions:
Rare condition: a user opens the browser and different tabs in the browser pointing to BIG-IP APM virtual server and they cause the access policy to run from both tabs. If the length of the encoded URL falls into 4K boundary then TMM might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system does not process it, and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.
489323-6 : Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
Solution Article: K43552605
489259-2 : [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic
Component: Performance
Symptoms:
Rate tracker library is not accurate.
Conditions:
When traffic is at very low rate.
Impact:
Traffic from good IP addresses could end up being dropped.
Workaround:
None
Fix:
AFM no longer drops packets from good IP addresses during sweep and flood.
489113-7 : PVA status, statistics not shown correctly in UI
Solution Article: K16375
Component: TMOS
Symptoms:
When affected versions of BIG-IP are running on VIPRION B2250 blades, the PVA status and statistics are not displayed correctly (missing entirely) from the user interface.
Conditions:
VIPRION B2250 blades running affected versions of BIG-IP.
Impact:
PVA appears to be disabled/unavailable.
PVA statistics are not available.
PVA functionality is actually enabled and operating in the data plane.
Workaround:
Example of incorrect display:
# guishell -c 'select name,has_pva,pva_version from platform'
--------------------------------
| NAME | HAS_PVA | PVA_VERSION |
--------------------------------
| A112 | false | | <<< incorrect
--------------------------------
# tmsh show ltm virtual
------------------------------------------------------------------
Ltm::Virtual Server: vs1
------------------------------------------------------------------
Status
Availability : unknown
State : enabled
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
CMP : enabled
CMP Mode : all-cpus
Destination : 30.30.30.1:80
<<< missing 'PVA Acceleration' item
Fix:
PVA status and statistics are displayed correctly for VIPRION B2250 blades.
488989-4 : AVRD does not print out an error message when the external logging fails
Component: Application Visibility and Reporting
Symptoms:
External logging of AVR statistics is done by HSL framework, if a message is failed to be sent to the syslog server, then AVR does not log this error.
Conditions:
If network is under stress, there is a possibility that the external logging will not be 100% transmitted
Impact:
The logging application will not receive all log entries.
Fix:
AVR is logging about HSL sending error.
It is important to notice that it is still not 100% sure that the message will arrive to the destination, since an application level ack does not exist in syslog, but this by definition.
488986-13 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
Solution Article: K16582
Component: Access Policy Manager
Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and Windows Edge client.
Conditions:
Internet Explorer versions 10 and 11.
Impact:
Access policy cannot enter Windows Protected Workspace.
Workaround:
Use a browser other than Internet Explorer versions 10 and 11.
Fix:
An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.
488921-3 : BIG-IP system sends unnecessary gratuitous ARPs
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends unnecessary gratuitous ARPs for its virtual IP addresses and self IP addresses.
Conditions:
When the virtual server status transitions from online to offline status or vice versa.
Impact:
The BIG-IP system sends out a large number of unwanted gratuitous ARPs if the virtual server changes its status rapidly. If devices connected to the BIG-IP system have rate limits configured, the devices might start ignoring the ARPs sent by the BIG-IP system, which might cause the devices to miss the critical gratuitous ARPs sent on HA failover. This might affect HA functionality.
Fix:
The system no longer sends unnecessary gratuitous ARPs when pool member state changes cause virtual server status changes.
488917-1 : Potentially confusing wamd shutdown error messages
Component: WebAccelerator
Symptoms:
When shutting down, wamd might log debug messages that appear serious.
Conditions:
wamd shutdown.
Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition. -- WA Debug (17637): * Contact F5 support if you are experiencing problems and include -- WA Debug (17637): * the following diagnostic information. These messages are cosmetic and do not indicate a problem with the system.
Workaround:
None.
Fix:
The wamd process no longer generates potentially alarming debug log messages when shutting down.
488908-3 : In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function.
Solution Article: K16808
Component: Local Traffic Manager
Symptoms:
In client-ssl profile that serves as the server side.
BIG-IP SSL does not initialize some parameters.
Conditions:
In client-ssl profile which serves as the server side and retransmitting fragmented datagrams.
Impact:
SSL handshake fails. Datagram Transport Layer Security (DTLS) crash while retransmitting fragmented datagrams.
Workaround:
None.
Fix:
In client-ssl profile which serves as server side, BIG-IP SSL now initializes parameters in initialization function as expected.
488892-4 : JavaRDP client disconnects
Component: Access Policy Manager
Symptoms:
JavaRDP client disconnects user's session when user interacts before the handshake is complete.
Conditions:
The might occur when the network connection is slow but the user is fast enough to click the mouse within the client area or press a key on the keyboard. In this case the RDP client attempts to send this input event to the server.
Impact:
Because the RDP handshake is not completed at this point, the server aborts the connection.
Workaround:
Do not interact within the client area before the window fills with an image from the server. When that occurs, the connection is clearly established and all handshakes are completed.
Fix:
JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.
488811-4 : F5-prelogon user profile folder are not fully cleaned-up
Component: Access Policy Manager
Symptoms:
When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete.
Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder.
Conditions:
A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration)
Impact:
Disk runs out of space and user is confused.
Workaround:
To work around the problem, delete folders manually.
488736-6 : Fixed problem with iNotes 9 Instant Messaging
Component: Access Policy Manager
Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.
Conditions:
User is connected to iNotes 9 through Portal Access.
Impact:
Sametime in iNotes 9 is not accessible.
Workaround:
No
Fix:
iNotes 9 Sametime (instant messaging) is working now.
488686-4 : Large file transfer hangs when HTTP is in passthrough mode
Solution Article: K24980114
Component: Local Traffic Manager
Symptoms:
Large file transfer hangs when HTTP is in passthrough mode. The HTTP profile may switch into passthrough mode for a number of reasons, including enforcement (the http-transparent profile options), the CONNECT HTTP method, iRule, unknown method detection, or switching protocols.
Conditions:
-- Virtual server with HTTP profile configured.
-- HTTP profile goes into passthrough mode.
-- Large file transfer occurs.
Impact:
File transfer hangs.
Workaround:
None.
Fix:
Flow control implemented in HTTP profile when in passthrough mode.
488600-1 : iRule compilation fails on upgrade★
Component: Local Traffic Manager
Symptoms:
While upgrading, the configuration load fails and you see an error similar to the following:
localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- Syntax Error:(/config/bigip.conf at line: 40) "{" unknown property
Conditions:
Upgrade to 11.6.x versions may cause iRule compilation failures if the iRule contains whitespace instead of an opening brace after the event.
For example:
when CLIENT_ACCEPTED
{
Impact:
Configuration will fail to load on upgrade.
Workaround:
You can edit bigip.conf and manually correct the line in the iRule by putting the opening brace on tbe same line as the event, then reload the configuration with tmsh load sys config.
Example:
when CLIENT_ACCEPTED {
Fix:
Fix tcl parsing if there is a whitespace before the new line.
488374-3 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
Solution Article: K17019
Component: TMOS
Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.
Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.
Impact:
Intermittently, the racoon daemon cores and crashes when there are earlier failed phase 2 negotiations.
Workaround:
Make sure IPsec policies such as encryption/authentication algorithms for the data going through IPsec tunnel on the remote device match the IPsec policy configured on the BIG-IP system for the same IPsec Tunnel.
Fix:
The racoon daemon no longer crashes due to mismatched IPsec policy configuration.
488105-2 : TMM may generate core during certain config change.
Component: Access Policy Manager
Symptoms:
While the sandbox file is being used by data-plane, if the admin changes configuration to delete this sandbox file, the TMM may generate core due to accessing freed up memory.
Conditions:
While data-plane is handling requests for the sandbox files, if admin deletes it from the control plane.
Impact:
TMM may core, which may cause APM service to become unavailable for some time.
Fix:
Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.
487859-2 : Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
Solution Article: K42022001
Component: Access Policy Manager
Symptoms:
Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
Conditions:
When importing the local DB user from the CSV file, with no UID value provided.
Impact:
All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details.
Workaround:
There is no workaround.
Fix:
Importing local db users with no UID set now generates a Unique ID and stores each user's details in the database.
487660-1 : LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range
Solution Article: K16268
Component: Carrier-Grade NAT
Symptoms:
LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.
Conditions:
Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA.
Impact:
Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.
Workaround:
Adequately provision the LSN pool.
Fix:
This release resolves CGNAT translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.
487625-4 : Qkview might hang
Component: TMOS
Symptoms:
A corrupted filestore causes qkview to hang.
Conditions:
This occurs due to filestore mapping issues. This might also occur when there are files listed in the filestore are missing.
Impact:
Qkview hangs and sync attempts silently fail due to filestore mapping issue. The system might post error messages similar to the following: err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory).
Workaround:
None.
Fix:
A corrupted filestore no longer causes qkview to hang.
487567-3 : Addition of a DoS Profile Along with a Required Profile May Fail
Component: TMOS
Symptoms:
Certain DoS Profiles require a preliminary profile to be attached as well. For example DNS enabled DoS profile may require DNS profile to be attached first. However in cases where both profiles are being attached at the same time, an error may be thrown telling the user that the required profile is not attached.
Conditions:
A DoS profile needs to be attached at the same time with its required profile. For example, Application DoS Profile requires HTTP profile to be attached as well.
Impact:
If you have such DoS profiles in use and attach such profiles in single transaction you may be affected (GUI operations or iControl REST api).
Workaround:
None
Fix:
It is now possible to attach a DoS Profile and a required supporting profile in a single transaction.
487420-3 : BD crash upon stress on session tracking
Component: Application Security Manager
Symptoms:
An ASM bd process crash occurs in a specific scenario that involves system stress and session tracking, or the crash can be reached rarely from slow responses/servers with session tracking.
Conditions:
ASM under heavy load, session tracking is running.
Impact:
A bd process crash, failover, and/or traffic resets.
Workaround:
None.
Fix:
This release fixes a system crash scenario that occurred with session tracking.
487399-3 : VDI plugin crashes when View client disconnects prematurely
Component: Access Policy Manager
Symptoms:
VDI plugin crashes when View client disconnects prematurely
Conditions:
View client disconnects prematurely
Impact:
VDI plugin crash
Fix:
VDI plugin does not crash when View client disconnects prematurely
487144-1 : tmm intermittently reports that it cannot find FIPS key
Component: Global Traffic Manager (DNS)
Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"
Conditions:
There is FIPS card in the BIG-IP and the key is retrieved. It is not known the exact conditions that cause this, but it seems to be related to GTM being enabled.
Impact:
SSL can not locate the key from the FIPS card, and SSL will not function properly.
Workaround:
None known, but restarting tmm or rebooting might correct the condition.
Fix:
There is now additional information in the error message that can help resolve the issue.
486791-3 : Resolution of multiple wireshark vulnerabilities
Solution Article: K16939
486762-2 : lsn-pool connection limits may be invalid when mirroring is enabled
Solution Article: K05172346
Component: Carrier-Grade NAT
Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.
Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.
Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.
Workaround:
This issue has no workaround at this time.
Fix:
With the fix in place, clients may open the full number of allowable connections.
486725-1 : GUI creating key files with .key extensions in the name causing errors
Component: TMOS
Symptoms:
When using the GUI, if a user adds a '.key' extension to the name, the file will be created with an extra .key extension to the file.
Conditions:
When a key file name is 'test.key' entered from the GUI it is created with 'test.key.key'.
Impact:
The extra '.key' extension causes problems with deletion/Archive etc. GUI posts the following error: Not Found.
Workaround:
Delete the key and recreate without the .key in the name.
Fix:
The GUI will prevent names with reserved extensions such as '.key'.
486597-7 : Fixed Network Access renegotiation procedure
Component: Access Policy Manager
Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.
Conditions:
This occurs when the following conditions are met: Windows 7. -- TLS 1.1/TLS1.2. -- Client cert set to 'required' at Virtual Server's Client Cert profile.
Impact:
Reconnect on every SSL renegotiation attempt.
Workaround:
None.
Fix:
Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Microsoft Windows 7.
486512-8 : audit_forwarder sending invalid NAS IP Address attributes
Component: TMOS
Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.
Conditions:
This seems to work fine when the BIG-IP is a virtual machine.The issue reproduces only on the actual hardware.
Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).
Workaround:
None.
Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.
486485-2 : TCP MSS is incorrect after ICMP PMTU message.
Component: Local Traffic Manager
Symptoms:
After ICMP PMTU message, new TCP packets are well below the maximum size.
Conditions:
After receiving ICMP PMTU messages, which leads to use of undersized TCP packets.
Impact:
Reduced throughput of TCP connections.
Workaround:
Configure TCP MSS to the true value.
486450-5 : iApp re-deployment causes mcpd on secondaries to restart
Component: Local Traffic Manager
Symptoms:
iApp redeployment causes mcpd on secondaries to restart.
Conditions:
This occurs when redeploying iApps with the locally cached files in place.
Impact:
mcpd restarts on secondaries.
Fix:
iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.
486346-2 : Prevent wamd shutdown cores
Component: WebAccelerator
Symptoms:
Under some circumstances, wamd cores while trying to exit.
Conditions:
wamd during shutdown.
Impact:
Unnecessary core files generated consuming some resources.
Workaround:
None.
Fix:
wamd no longer cores and now exits gracefully when shutting down.
486344-4 : French translation does not properly fit buttons in BIG-IP Edge client on Windows
Component: Access Policy Manager
Symptoms:
French translation does not properly fit buttons in BIG-IP Edge Client on Windows-based systems.
Conditions:
French translation in BIG-IP Edge Client on Windows.
Impact:
Text does not fit buttons.
Fix:
Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.
486268-7 : APM logon page missing title
Component: Access Policy Manager
Symptoms:
On the BIG-IP APM logon page, a title may not appear.
Conditions:
RSA error message contains newline symbols. (For example RSA 8.1 uses such message)
Impact:
May cause usability issues.
Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.
485939-8 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
Solution Article: K16822
Component: TMOS
Symptoms:
In a HA pair setup, the active node is sending an As_External Link-State Advertisement (LSA) with infinity metric value for the redistributed connected subnets that are configured in the network element of the OSPF.
Conditions:
HA pair with redistributed connected subnets and subnets configured in the network element in the OSPF.
Impact:
The active node in the HA pair sends an LSA with infinity metric that gets exchanged in the other networks affecting the routing process.
Workaround:
Clear ip ospf process fixes the issue. However, it is not an effective solution in a production environment.
Fix:
OSPF sessions in an HA pair doesn't send an As_External LSA for the subnets that are configured as network element and redistributed as connected subnets.
485917-5 : BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
Solution Article: K15792
485880-3 : Unable to apply ASM policy with forwarding CPM policy via GUI, generic error
Component: Advanced Firewall Manager
Symptoms:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the user interface spits back an error: "an error has occurred while trying to process your request."
Conditions:
Happens only in rare situations.
Impact:
Local Traffic Virtual Servers : Virtual Server List <http_vip> >> Security >> Policies...
Receive ERROR: "An error has occurred while trying to process your request"
Workaround:
This issue has no workaround at this time.
485771-2 : TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
Component: Advanced Firewall Manager
Symptoms:
Critical system failure due to TMM process restarting.
Conditions:
Following conditions may suffice to trigger the TMM crash:
AFM rule match triggers an iRule execution with multiple FLOW_INIT events and one of the events will cause the connection to be aborted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
A crash bug when executing multiple FLOW_INIT events has been fixed.
485764-4 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly
Solution Article: K17401
Component: Application Security Manager
Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy the proper response headers are not added to traffic that are needed for full integration.
Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.
Impact:
Proper response headers are not added to traffic to integrate fully.
Workaround:
This issue has no workaround at this time.
Fix:
The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.
485702-7 : Default SNMP community 'public' is re-added after the upgrade
Component: TMOS
Symptoms:
If the SNMP default community (public) has been removed from the configuration, and a new version of the software is installed, the default community will be added to the new configuration.
Impact:
The impact of this issue is that the SNMP default community will be added to the new configuration.
Workaround:
After upgrading to versions after 11.4.0, delete the default 'public' community again.
Fix:
The default community string 'public' is not add to the SNMP configuration on upgrade if it has been deleted in the previous software configuration
485472-4 : iRule virtual command allows for protocol mismatch, resulting in crash
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command allows for protocol mismatch.
Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.
Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.
Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.
Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.
485355-4 : Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
Component: Access Policy Manager
Symptoms:
Click-to-Run Office 2013 applications fail to start inside Microsoft Windows Protected Workspace without any error message.
Conditions:
Click-to-Run version of Office 2013 is used under PWS
Impact:
Click-to-Run version of Office 2013 does not work inside PWS
Workaround:
To work around the problem, use the full installation of Office 2013.
Fix:
Click-to-Run Office 2013 applications can start inside Microsoft Windows Protected Workspace (PWS) now.
485182-4 : wom_verify_config does not recognize iSession profile in /Common sub-partition
Solution Article: K19303084
Component: Wan Optimization Manager
Symptoms:
The wom_verify_config does not recognize iSession profile in /Common sub-partition.
Conditions:
iApps creates some objects (virtual, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.
Impact:
wom_verify_config cannot verify the system configuration.
Fix:
The wom_verify_config now recognizes objects in sub-partitions.
485176-5 : RADIUS::avp replace command cores TMM when only two arguments are passed to it
Solution Article: K07324064
Component: Local Traffic Manager
Symptoms:
The RADIUS::avp replace iRule command will core when only two arguments are passed to it.
Conditions:
Must be running an iRule that executes a RADIUS::avp replace command with only two arguments.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when only two arguments are passed to the RADIUS::avp replace command.
484861-10 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
Solution Article: K16919
Component: TMOS
Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.
Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.
Impact:
It's a site down situation as all the objects in the traffic group will become unreachable.
Workaround:
Sync devices to remove the CRC disagreement.
Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.
484847-13 : DTLS cannot be disabled on Edge Client for troubleshooting purposes
Component: Access Policy Manager
Symptoms:
There is no client side option to disable DTLS. This option can be very useful in troubleshooting client connectivity issues.
Conditions:
It is required to debug DTLS versus TLS connections.
Impact:
Troubleshooting connectivity issues becomes difficult.
Workaround:
Disable DTLS on server side.
Fix:
Now you can add new registry keys and use them to disable DTLS on both BIG-IP Edge Client and browsers. Using these keys, you can disable DTLS on a particular client without changing the BIG-IP system configuration.
To disable DTLS on a client machine:
Create registry DWORD value (keys are both valid for both x64 and x86 systems):
HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
or
HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
and set to 0
484733-5 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals
Component: TMOS
Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).
Conditions:
Forwarding virtual servers with SNATs defined.
Impact:
HA failover is impacted.
Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).
484706-7 : Incremental sync of iApp changes may fail
Solution Article: K16460
Component: TMOS
Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.
Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.
Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.
Workaround:
Full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only), and then performing the sync operation completes successfully.
Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.
484582-3 : APM Portal Access is inaccessible.
Component: Access Policy Manager
Symptoms:
APM Portal Access is inaccessible.
Conditions:
One of sessions reaches 64 KB of Portal Access application cookie storage.
Impact:
Rewrite plugin crashes; APM Portal Access becomes inaccessible. Shortly after this plugin crashes with *** glibc detected *** memory-corruption-message. The rewrite daemon log contains following lines:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...
Workaround:
None.
Fix:
Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.
484534-5 : interface STP state stays in blocked when added to STP as disabled
Component: TMOS
Symptoms:
When two interfaces are disabled and added to Spanning Tree Protocol (STP) in the VLAN configuration, the second interface stays in 'blocked' STP state.
Conditions:
At least two interfaces exist in disabled state, added to STP.
Impact:
The blocked port does not send out data.
Workaround:
If the STP flag is disabled and re-enabled on the blocked interface, after the port is enabled, the port STP status is re-evaluated to the correct state.
Fix:
Spanning Tree Protocol (STP) now checks for the disabled state of the port before adding it as an STP member.
484454-7 : Users not able to log on after failover
Solution Article: K16669
Component: Access Policy Manager
Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.
Conditions:
The issue will show up after the following events:
1. The TMM on the active node restarts or crashes, the node become standby.
2. TMM and APD restart. APD re-creates config snapshots in the SessionDB.
3. The snapshots just created get deleted.
4. Failover happens again and the node becomes active.
5. Users fail to log on
Impact:
Users cannot log on
Workaround:
Run 'bigstart restart apd' to re-create config snapshots.
Fix:
APM checks config snapshots periodically and recreates them if any are missing.
484305-5 : Clientside or serverside command with parking command crashes TMM
Solution Article: K16733
Component: Local Traffic Manager
Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.
Conditions:
Parking command used inside clientside or serverside.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
See if you really need to run the parking command inside clientside/serverside, if not, move the command outside.
Fix:
TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.
484278-3 : BIG-IP crash when processing packet and running iRule at the same time
Solution Article: K16734
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.
Conditions:
Conditions leading to this issue include having iRule scripts and processing iRule tasks, and processing incoming traffic along with the iRule tasks.
Impact:
The impact of this issue is that the BIG-IP system goes to crash intermittently.
Workaround:
This issue has no workaround at this time.
Fix:
Fixed the iRule processing problem that is causing the BIG-IP to crash while processing incoming packets.
484214-3 : Nitrox got stuck when processed certain SSL records
Component: Local Traffic Manager
Symptoms:
During decryption, Nitrox queue got stuck when processed certain SSL records.
Conditions:
Nitrox device is used to decrypt SSL records.
Impact:
The Nitrox device queue got stuck.
Fix:
Ensure SSL record is not malformed before sending it to Nitrox for decryption.
484079-5 : Change to signature list of manual Signature Sets does not take effect.
Solution Article: K90502502
Component: Application Security Manager
Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.
Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).
Impact:
The change does not take effect in signature enforcement or remote logging.
Workaround:
Any spurious change to the signature set (such as unchecking/checking 'Assign to Policy by Default'), or unassigning and reassigning the signature set to the affected policy.
Fix:
When the signature list of a manual Attack Signature Set is modified, enforcement and remote logging are now updated correctly.
483792-6 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
Component: Access Policy Manager
Symptoms:
Customers running into iSession related issues.
Conditions:
This happens when APM has been running.
Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.
Workaround:
None
Fix:
When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.
483719-4 : vlan-groups configured with a single member VLAN result in memory leak
Solution Article: K16260
Component: Local Traffic Manager
Symptoms:
If a vlan-group contains only a single member VLAN, tmm begins to leak memory as observed in 'tmctl memory_usage_stat'.
Conditions:
Configure a vlan-group with a single member VLAN.
Impact:
Continuous memory leaks might eventuallyresult in traffic disruptions.
Workaround:
Remove vlan-groups containing a single member VLAN or configure at least two member VLANs per vlan-group
Fix:
Single-member vlan-groups no longer leak memory.
483699-5 : No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
Solution Article: K16888
Component: TMOS
Symptoms:
After uploading a file to the system and creating the iFile object, the user is unable to access the object.
Conditions:
Uploading a file to the system and creating the iFile object.
Impact:
The system posts a No Access error, and the user is unable to access the iFile object
Workaround:
This issue has no workaround at this time.
Fix:
Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error.
483683-7 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
Solution Article: K16210
Component: TMOS
Symptoms:
The mcpd configuration errors on secondary blades of a VIPRION platform may disrupt data plane functionality.
As a result of this issue, you may encounter the following symptom:
The system logs messages in the /var/log/ltm file that appear similar to the following example:
-- err mcpd[7624]: 01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide().
-- err bcm56xxd[5081]: 012c0010:3: Error trunk <trunk_name> on unit 0 does not exist bsx.c(2429).
Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process is restarted on a secondary blade of a VIPRION platform.
-- The mcpd process receives an error when attempting to load the configuration.
For example:
err mcpd[7624]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ).
Impact:
VLAN and trunk members are not programmed correctly, resulting in disrupted traffic flow. If a trunk has members spanning multiple blades, and if the trunk hashing algorithm selects a member port on a secondary blade for a given traffic flow, that traffic flow will be disrupted.
Workaround:
None.
Fix:
The system now handles these conditions so that the issue no longer occurs.
483665-3 : Restrict the permissions for private keys
Component: Local Traffic Manager
Symptoms:
Use security best practices for keys on BIG-IP.
Impact:
Protected keys to industry best practices.
Fix:
The permissions for SSL keys are more restricted.
483601-4 : APM sends a logout Bookmarked Access whitelist URL when session is expired.
Solution Article: K16895
Component: Access Policy Manager
Symptoms:
You will see a logout page for bookmarked APM whitelist URL after session is expired.
Conditions:
This condition will occur if the user has bookmarked a APM whitelist entry and tries to access this bookmarked URL after some time (Access session is expired).
Impact:
User sees a logout page instead of a logon to revalidate themselves.
Workaround:
This issue has no workaround at this time.
Fix:
If a session is expired and a query is made with an Access whitelist and query parameters, APM code did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.
483539-6 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
Component: Local Traffic Manager
Symptoms:
Due to the incorrect MSS value, TMM might core because based on the MSS value the outgoing packet attempts to use TSO, which is not correct. This can result in a crash.
Conditions:
A virtual using fastL4 where a SYN packet with options is received, but the SYN packet does not contain an MSS option.
Impact:
If this issue occurs, then TMM will core resulting in a failover/reboot of the system.
Workaround:
None.
Fix:
The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.
483508-2 : Large values may display as negative numbers for 32-bit integer variables in the MIB
Solution Article: K70333230
Component: TMOS
Symptoms:
Some gauges in the MIB are incorrectly typed as 32-bit integers. This might cause large values to display as negative numbers.
Conditions:
Values that are incorrectly typed may display incorrectly.
Impact:
Display of values is incorrect.
Workaround:
None.
Fix:
MIB variables have been correctly typed as Gauge32, which is unsigned, and will not display as a negative number when it grows large.
Behavior Change:
before fix
[root@localhost:Active:Standalone] images # tmsh modify ltm pool bob queue-depth-limit 4000000000
[root@localhost:Active:Standalone] images # snmpwalk -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmPoolQueueDepthLimit
F5-BIGIP-LOCAL-MIB::ltmPoolQueueDepthLimit."/Common/bob" = INTEGER: -294967296
[root@localhost:Active:Standalone] images #
after fix
[root@localhost:Active:Standalone] config # tmsh create ltm pool test
[root@localhost:Active:Standalone] config # tmsh modify ltm pool test queue-depth-limit 4000000000
[root@localhost:Active:Standalone] config # snmpwalk -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmPoolQueueDepthLimit
F5-BIGIP-LOCAL-MIB::ltmPoolQueueDepthLimit."/Common/test" = Gauge32: 4000000000
[root@localhost:Active:Standalone] config #
483373-1 : Incorrect bash prompt for created admin role users
Component: TMOS
Symptoms:
Users created with admin or resource-admin roles with access to bash shell might show an incorrect prompt on the bash command line.
Conditions:
Created user with:
- admin or resource-admin roles.
- Bash command line access.
Impact:
Users might see the command line prompt referring to 'root' instead of the created user.
Workaround:
None.
Fix:
The BIG-IP system now shows the correct bash prompt for admin and resource admin roles for created users on the bash command line.
483286-2 : APM MySQL database full as log_session_details table keeps growing
Component: Access Policy Manager
Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.
Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).
Impact:
MySql volume (12G) will fill with data, potentially stopping or degrading services in the box that rely on MySQL. Including: ASM, AVR, APM Reporting, Web UI, and QkView.
Workaround:
Workaround is to manually clean up the log_session_details table in MySQL database.
First, retrieve the randomly generated MySQL password per box, using the following shell command as the root user. For example,
# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ
where PjL7mq+fFJ is the random password at MySQL installation in this example. Use this password in the following command for clean-up.
# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"
This will delete all those rows that are referred to by an inactive session.
483257-2 : Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP
Solution Article: K17051
Component: Local Traffic Manager
Symptoms:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.
Conditions:
You attempt to delete SSL certificates or keys without the .crt or .key extensions. Such objects may have been previously created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.
Workaround:
Delete affected certificates or keys using the tmsh utility, with commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
Fix:
It is now possible to delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.
483228-8 : The icrd_child process generates core when terminating
Component: TMOS
Symptoms:
A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.
Conditions:
This is an intermittent issue that is caused by a race condition.
Impact:
This does not impact functionality, but the system posts messages to icrd log similar to the following: notice icrd: 5823,14414, RestServer, INFO, Connection idle too long fd:11.
Workaround:
None.
Fix:
This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.
483104-6 : vCMP guests report platform type as 'unknown'
Solution Article: K17365
Component: TMOS
Symptoms:
vCMP guests report 'unknown' as platform type.
Conditions:
This occurs on vCMP guests.
Impact:
You will be unable to remotely determine exactly which platform is being monitored.
Workaround:
None.
Fix:
vCMP guests now report bigipVcmpGuest as platform type, which is correct behavior.
482915-7 : Learning suggestion for the maximum headers check violation appears only for blocked requests
Solution Article: K17510
Component: Application Security Manager
Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).
Conditions:
If the HTTP compliance is in Alarm only (not in Blocking) and the Maximum number of headers sub-violation is enabled, and there is a violation for the maximum number of headers (which is not blocking) and no other violation in the request is blocking.
Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.
Workaround:
This issue has no workaround at this time.
Fix:
Previously, manual learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).
482699-2 : VPE displaying "Uncaught TypeError"
Component: Access Policy Manager
Symptoms:
VPE displaying "Uncaught TypeError"
Conditions:
While editing on Chrome ver >=37
Impact:
Really hard to Edit VPE on chrome
Workaround:
Use different browser
Fix:
Visual policy editor works correctly on Google Chrome.
482436-9 : BIG-IP processing of invalid SIP request may result in high CPU utilization
Solution Article: K16973
Component: Service Provider
Symptoms:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.
Conditions:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.
Impact:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.
Fix:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.
482373-5 : Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction
Component: TMOS
Symptoms:
A create followed by a delete of a virtual server in a transaction fails
Conditions:
A virtual server must be deleted in the same transaction as another virtual server being created where both share the same destination address. This applies to operations performed via iControl REST and tmsh.
Impact:
Transaction may fail
Workaround:
Use create and delete in separate transactions
Fix:
Transactions where virtual servers are deleted and re-created with the same virtual IP address will now complete successfully.
482269-2 : APM support for Windows 10 out-of-the-box detection
Component: Access Policy Manager
Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.
Conditions:
Windows 10, APM
Impact:
Windows 10 cannot be detected in visual policy editor rules.
Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.
482266-1 : Windows 10 support for Network Access / BIG-IP Edge Client
Component: Access Policy Manager
Symptoms:
Connection fails with "Network Access Connection Device was not found." message.
Conditions:
1. Clean installation of Windows 10 (not upgrade)
OR
2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.
Impact:
User running Windows 10 can not establish a VPN connection.
Fix:
Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.
482251-2 : Portal Access. Location.href(url) support.
Solution Article: K95824957
Component: Access Policy Manager
Symptoms:
Some pages cannot be loaded in specific web applications.
Conditions:
This happens in Microsoft Internet Explorer browser-specific code that contains: Location.href(some_url).
Impact:
Web application cannot load some web pages.
Workaround:
None.
Fix:
The Microsoft Internet Explorer browser-specific code Location.href(some_url) now works correctly, so web applications can load previously unloadable web pages.
482241-5 : Windows 10 cannot be properly detected
Component: Access Policy Manager
Symptoms:
Windows 10 cannot be properly detected by BIG-IP
Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.
Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.
Workaround:
User agent can be parsed in access policy for windows 10 tokens.
Fix:
Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.
482202-2 : Very long FTP command may be ignored.
Component: Carrier-Grade NAT
Symptoms:
FTP commands are delimited with carriage returns. If the BIG-IP system receives a large buffer with no carriage returns, then it passes the data through without inspecting for or acting on commands. Since the only commands the system acts on should be delimited within a reasonable size, this does not affect FTP behavior and protects the BIG-IP system against large amounts of data that is not FTP command data is passed across FTP.
Conditions:
If the FTP profile encounters command buffers that contain many carriage returns without valid command data.
Impact:
Then the buffers are passed on without inspection. Under normal conditions there is no impact. If there is invalid data followed by valid data, however, then the valid data may be ignored.
Workaround:
Do not use the FTP profile for traffic other than FTP.
Fix:
The FTP profile does not process invalid command data
482177-2 : Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
Solution Article: K16777
Component: Access Policy Manager
Symptoms:
Accessing SharePoint web application portal with SSO configured for path /* (as part of portal access resource item) first will break IdP intiated Security Assertion Markup Language (SAML) single sign-on (SSO).
Conditions:
Having SharePoint Portal Access resource as well as SAML resource on full webtop. Access SharePoint application by clicking first on SharePoint icon on full webtop and then SAML resource causes SAML SSO to break.
Impact:
End user will see 404 NotFound page.
Workaround:
Disable SSO to Portal Access application SharePoint.
Fix:
Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.
482145-4 : Text in buttons not centered correctly for higher DPI settings
Component: Access Policy Manager
Symptoms:
When high DPI setting are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of buttons.
Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.
Impact:
Button text does not look correct.
Workaround:
Set DPI settings back to default.
Fix:
Buttons are now correctly scaled for Windows DPI setting.
482134-6 : APD and APMD cores during shutdown.
Component: Access Policy Manager
Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.
Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).
Impact:
During this shutdown process, the system cores.
Workaround:
None.
Fix:
APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.
481844-4 : tmm can crash and/or use the wrong CRL in certain conditions
Component: Local Traffic Manager
Symptoms:
tmm can crash and/or use the wrong certificate revocation list (CRL) in certain conditions.
Conditions:
Several client-ssl profiles are configured with different CRLs. Then, either the CRLs are configured or the client-ssl profiles are deleted.
Impact:
tmm might crash and/or use the wrong CRL. Traffic disrupted while tmm restarts.
Fix:
When adding and deleting multiple client-ssl profiles configured with differing certificate revocation lists (CRLs), tmm no longer crashes and/or uses the wrong CRL.
481820-2 : Internal misbehavior of the SPDY filter
Component: Local Traffic Manager
Symptoms:
The SPDY filter incorrectly handles the error case in which a child flow is aborted.
Conditions:
A child flow that is aborted for any reason would trigger an superfluous ABORT event to be sent by SPDY.
Impact:
Potential disruption of valid client traffic, in theory.
Workaround:
None.
Fix:
SPDY no longer sends superfluous aborts to an already aborting child flow.
481806-4 : Java Runtime Environment vulnerability CVE-2013-4002
Solution Article: K16872
481696-5 : Failover error message 'sod out of shmem' in /var/log/ltm
Component: TMOS
Symptoms:
You might see a failover error message 'sod out of shmem' in /var/log/ltm.
Conditions:
The conditions under which this occurs vary based on the configured shared memory usage.
Impact:
Failover might not function fully. System posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount' in /etc/ha_table/ha_table.conf.
Workaround:
Manually modify /etc/ha_table/ha_table.conf as follows: Change this line: 'ha segment path: /sod table pages: 2' to this: 'ha segment path: /sod table pages: 4'. Save the file and reboot the system.
Fix:
Amount of shmem for sod has been increased.
481677-5 : A possible TMM crash in some circumstances.
Component: Local Traffic Manager
Symptoms:
If TCP::Close is called during the SSL handshake, the TMM might crash.
Conditions:
TCP::close is called during an SSL handshake
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.
Fix:
TMM no longer produces a core file when the TCP::close iRule command is executed during an SSL handshake.
481476-10 : MySQL performance
Component: Application Security Manager
Symptoms:
MySQL usage would spike to 100% for extended periods of time.
Conditions:
Occurs after several thousand policy configuration changes have been made to the system.
Impact:
Slow ASM GUI pages.
Workaround:
There is no workaround at this time.
Fix:
A MySQL performance issue was fixed.
481216-5 : Fallback may be attempted incorrectly in an abort after an Early Server Response
Component: Local Traffic Manager
Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.
Conditions:
Fallback configured or enabled by an iRule. An early server response triggers an error that leads to an Abort being raised. The Abort triggers a fallback response inappropriately.
Impact:
The server-side might read HTTP data structures after they have already been freed. A fallback can be generated on the server-side, leading to a use-after-free if the client side has already aborted.
Fix:
A fallback response is no longer inappropriately generated after an error after an Early Server Response.
481162-6 : vs-index is set differently on each blade in a chassis
Solution Article: K16458
Component: Local Traffic Manager
Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.
Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.
Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.
Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.
Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.
481089-6 : Request group incorrectly deleted prior to being processed
Component: TMOS
Symptoms:
After performing a full sync, sometimes the BIG-IP systems remain out of sync.
Conditions:
A full sync must be performed. There must be more than one active connection to mcpd, and one of them must get disconnected before the sync completes.
Impact:
The BIG-IP systems remain out of sync even after a sync operation.
Workaround:
There are 2 possible workaround: 1) Reset device trust and then re-associate peer devices. 2) Set sync-leader using the following tmsh command. (You might need to run the command more than once until the cid.id of the lagging device is equal or greater than the peer unit.) 'tmsh modify cm device-group fail_over_group_name devices modify { name_of_standby_device { set-sync-leader } }'.
Note: You can run the following command from the active device to view any cid.id mismatch, and if further set-sync-leader commands are necessary: 'tmsh run cm watch-devicegroup-device'.
Fix:
After performing a full sync, BIG-IP systems remain in sync as expected, even when active mcpd connections are deleted before the sync completes.
481003-1 : 'General database error' trying to view Local Traffic :: Pools :: Pool List.
Component: TMOS
Symptoms:
'General database error' trying to view Local Traffic :: Pools :: Pool List.
Conditions:
Be in the Nodes List section with columns ordered by Address, and then navigate to Local Traffic :: Pools :: Pool List.
Impact:
Cannot view pool list. System posts 'General database error'.
Workaround:
Order the Nodes List by a column other than Address.
Fix:
'General database error' no longer occurs when trying to view Local Traffic :: Pools :: Pool List from Nodes List when the nodes are sorted by address.
480817-4 : Added options to troubleshoot client by disabling specific features
Component: Access Policy Manager
Symptoms:
It is impossible to turn off specific features on specific clients for troubleshooting purposes.
Conditions:
Always using Edge client
Impact:
Lack of these options made client troubleshooting difficult as the options could only be set on the server.
Fix:
Added following features:
DWORD key Default value HKLM only
------------------------------------------------------------------
UseLocalProxy false yes
EnableEdgeClientUpdate true yes
EnableWebComponentsUpdate true yes
EnableDTLSTransport (Bug484847) true no
EnableNACompression true no
EnableOptimizedTunnelCompression true no
SessionChecksInterval 10000 no
------------------------------------------------------------------
("false" == 0, "true" - any value except 0);
Key: HKLM( or HKCU)\Software\F5 Networks\RemoteAccess
Zero value for SessionChecksInterval disables this features completely.
"HLKM only" means that that feature can be only be disabled/enabled by value located at HKLM sub-tree, features with "no" can be disabled using both HKLM (Local Machine) and HKCU (current User).
CLIENT control channel is not yet implemented
480761-2 : Fixed issue causing TunnelServer to crash during reconnect
Component: Access Policy Manager
Symptoms:
TunnelServer may crash in rare conditions during reconnect.
Conditions:
Crash may happens when PC wakes up after hibernate
Impact:
User sees confusing message about crashed TunnelServer.
Workaround:
This issue has no workaround at this time.
Fix:
Fixed issue that caused TunnelServer to crash during reconnect.
480370-7 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM
Solution Article: K17147
Component: Local Traffic Manager
Symptoms:
Connections leak, exhausting the memory over time and causing TMM to re-start.
Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).
Impact:
TMM process re-starts causing traffic disruption. Low performance is also seen due to the high number of leaked connections.
Workaround:
None.
Fix:
The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.
480311-4 : ADAPT should be able to work with OneConnect
Solution Article: K47143123
Component: Service Provider
Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.
Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.
Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.
Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.
480272-8 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
Solution Article: K17117
Component: Access Policy Manager
Symptoms:
OAM ObConfig Initialization returns wrong accessgate ID, and that resulted in EAM setting wrong domain for the ObSSOCookie.
Conditions:
After network connection failure with backend OAM server, ObConfig initilization returned past Accessgate ID.
Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.
Workaround:
This issue has no workaround at this time.
Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.
480242-7 : APD, APMD, MCPD communication error failure now reported with error code
Component: Access Policy Manager
Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.
Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.
Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.
Workaround:
None.
Fix:
Now, when an error occurs, the system prints an error code in HEX, which facilitates finding the reason for the error.
480119-5 : Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
Solution Article: K16112
Component: Carrier-Grade NAT
Symptoms:
PPTP filter emits a vague error message in the ltm log, for example: 'Error ERR_BOUNDS connflow 74.14.223.32:1723 -- 121.54.54.11:34976 processing pullup of control message,' or
'Error ERR_BOUNDS connflow 65.93.152.110:1723 -- 121.54.54.11:2004 processing egress message.'
Conditions:
PPTP ALG is configured. CGNAT is configured. Non-PPTP traffic is being directed to port 1723.
Impact:
These messages are cosmetic only, and can be ignored safely, but may indicate that another protocol is using port 1723.
Workaround:
None.
Fix:
Error ERR_BOUNDS loglevel has changed from ERR to DEBUG, which is correct behavior.
479682-5 : TMM generates hundreds of ICMP packets in response to a single packet
Solution Article: K16862
Component: Local Traffic Manager
Symptoms:
TMM generates hundreds of ICMP packets in response to a single packet.
Conditions:
This occurs on a VIP2VIP configuration when the server on the second virtual server becomes unreachable.
Impact:
tmm sends hundreds of ICMP packets to the client upon receiving single packet from client.
Fix:
TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.
479553-6 : Sync may fail after deleting a persistence profile
Component: TMOS
Symptoms:
After syncing configuration, the following error occurs:
'One or more persistence attributes are incompatible with the persistence mode for profile'.
Conditions:
This happens if automatic sync is disabled on a device group and a user both creates and deletes a persistence profile before manually syncing the configuration.
Impact:
Peer boxes fail to load the configuration.
Workaround:
There are two possible workarounds: 1. Perform a full sync instead of an incremental sync. 2. Create the profile, then perform a sync, and then delete the profile, and perform a separate sync.
Fix:
This was an invalid error case being handled internally and was removed.
479543-8 : Transaction will fail when deleting pool member and related node
Component: TMOS
Symptoms:
Removing a pool and the related nodes in the same transaction will fail. It will output an error message similar to the following:
01070110:3: Node address '/Common/12.33.22.2' is referenced by a member of pool '/Common/mypool'.
Conditions:
Create a pool, add a single pool member (which creates the associated node). If you then delete the pool and node in the same transaction, the transaction will fail.
Impact:
A pool and related nodes cannot be deleted within the same transaction.
Workaround:
If you delete the pool and nodes in 2 separate transactions, the process will succeed.
Fix:
The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none.
479460-4 : SessionDb may be trapped in wrong HA state during initialization
Component: TMOS
Symptoms:
An error case may happen on BIG-IP if the following conditions are met:
1. There are two BIG-IPs configured as inter-cluster HA.
2. These two BIG-IPs are multi-blade chasis system.
3. Master record with independent subkeys is added to SessionDB.
The observed symptom this that you can explicitly deleted such a master record, but auto expiration mechanisms (timeout & lifetime) will not work on it, and this record will live forever until it is explicitly deleted.
Conditions:
Inter-chassis mirroring
Chassis w/ multiple blades
Impact:
an inconsistent state between systems can cause persistence entries to never timeout.
This will impact CGNAT records stored in SessionDB such as persistence records and PBA blocks.
479451-2 : Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
Solution Article: K16737
Component: Access Policy Manager
Symptoms:
Different Outlook users are tied to a single APM session.
Conditions:
Users have identical passwords and come from the same client IP address.
Impact:
The impact of this issue is APM does not validate Outlook credentials.
Workaround:
This issue has no workaround at this time.
Fix:
APM correctly validates Outlook credentials and creates new APM session for users that come from the same IP and have identical passwords.
479334-4 : monpd/ltm log errors after Hotfix is applied
Component: Application Visibility and Reporting
Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.
Note: The system uses the monpd process in conjunction with the avrd process (Analytics) for reporting application performance data.
As a result of this issue, you may encounter one or more of the following symptoms:
In the /var/log/ltm file, you observe error messages similar to the following example:
err DB[10860]: monpd|ERR|Jan 01 09:00:00.123|12345| [DB::mysql_query_safe, query failed] Error (error number 1243) executing SQL string :
EXECUTE stmt_select_table_with_too_many_partitions USING @table_name,@table_name
Because : Unknown prepared statement handler (stmt_select_table_with_too_many_partitions) given to EXECUTE
err DB[10860]: monpd|ERR|Sep 02 09:00:00.123|12345| [DB::run_sql_query, mysql_query_safe] Error executing SQL query:
EXECUTE stmt_select_table_with_too_many_partitions USING @table_name,@table_name
Because : Unknown prepared statement handler (stmt_select_table_with_too_many_partitions) given to EXECUTE
In the /var/log/avr/monpd.log file, you observe error messages similar to the following example:
monpd|ERR|Jan 1 09:00:00.123|12345| [DB::mysql_query_safe, query failed] Error (error number 1243) executing SQL string :
EXECUTE stmt_select_table_with_too_many_partitions USING @table_name,@table_name
Because : Unknown prepared statement handler (stmt_select_table_with_too_many_partitions) given to EXECUTE
monpd|ERR|Jan 1 09:00:00.123|12345| [DB::run_sql_query, mysql_query_safe] Error executing SQL query:
EXECUTE stmt_select_table_with_too_many_partitions USING @table_name,@table_name
Because : Unknown prepared statement handler (stmt_select_table_with_too_many_partitions) given to EXECUTE
Conditions:
This issue occurs when all of the following conditions are met:
-- You have provisioned the Application Visibility and Reporting module.
-- You have recently installed a software hotfix.
-- You have rebooted the BIG-IP system into the newly hotfixed boot location.
-- You have provisioned one of the following modules: AFM, APM, ASM, AVR, CGN, DNS, FPS, PEM, PSM, SWG, or vCMP.
Impact:
The BIG-IP system consumes a small amount of additional disk space. These are cosmetic, benign errors.
Workaround:
There is no workaround for this issue. However, you can stop the system from logging the monpd errors by rebuilding the Application Visibility and Reporting database. To do so, perform the following procedure:
Impact of workaround: The following procedure does not disable monpd logging. Normal monpd log entries will continue to be written to the /var/log/avr/monpd.log file.
Log in to the BIG-IP command line.
Type the following command:
mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql
To restart the monpd process, type the following command:
bigstart restart monpd
479147-5 : Cannot create VXLAN tunnels with the same local-address and different multicast addresses.
Component: TMOS
Symptoms:
MCP throws an validation error when attempting to create VXLAN tunnels with the same local-address and different multicast addresses.
Conditions:
Create VXLAN tunnels with the same local-address and different multicast addresses.
Impact:
Cannot create VXLAN tunnels with the same local-address and different multicast addresses.
Workaround:
Use a different local-address for each multicast group when creating multicast VXLAN tunnels.
Fix:
Can create VXLAN tunnels with the same local-address and different multicast addresses.
Behavior Change:
You can now create multicast VXLAN tunnels with the same local-address and different multicast addresses.
479142-8 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
Solution Article: K16173
Component: Global Traffic Manager (DNS)
Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.
Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.
Impact:
BIND will contain and return RRs that were intended to be deleted.
The RR is orphaned and could only be deleted manually from ZRD.
Workaround:
To workaround this issue you can delete the GTM server associated with the virtual server to be deleted, but this would delete other associated virtual servers too. Alternatively, you can manually delete the RR in ZRD.
Fix:
Deleting a virtual server now correctly deletes the resource record (RR) in ZoneRunner Daemon (ZRD).
479084-3 : ZoneRunner can fail to respond to commands after a VE resume.
Component: Global Traffic Manager (DNS)
Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.
Conditions:
This is due to the "lo:" interface not being recreated during the resume processing.
ZoneRunner relies on this interface to communicate with the on box BIND server.
Impact:
ZoneRunner cannot create/modify/delete/query records from the on box BIND server
Workaround:
Restart ZoneRunner after a VE resume with the command:
bigstart restart zonerunner.
Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.
478812-4 : DNSX Zone Transfer functionality preserved after power loss
Component: Local Traffic Manager
Symptoms:
Zone transfer daemon, zxfrd, will restart endlessly until it is stopped. On the console there will be emergency system alerts every few seconds saying that zxfrd is restarting. Because of the frequency of these alerts, it will be impossible to use the console for anything.
In addition, zone transfers initiated by the BIG-IP will not succeed.
Conditions:
If BIG-IP loses power in the middle of a DNS zone transfer, zone data may be corrupted upon booting up. This results in a nonfunctional zxfrd.
Impact:
The BIG-IP will not be able to transfer zone data from other servers and the TMOS console will be unusable until zxfrd is stopped.
Workaround:
Run the following commands in the console of your affected BIG-IP:
bigstart stop zxfrd
cd /var/db && rm -f tmmdns.bin zxfrd.bin
bigstart start zxfrd
Fix:
With this fix, zone data is no longer susceptible to corruption from power loss.
478734-4 : Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
Component: Local Traffic Manager
Symptoms:
Incorrect debug failure log.
Conditions:
Found internally by test, conditions for this issue are unknown.
Impact:
False failure logged.
Workaround:
None.
Fix:
Fix debug failure log found by internal F5 testing.
478674-10 : ASM internal parameters for high availability timeout was not handled correctly
Solution Article: K08359230
Component: Application Security Manager
Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly and a different value is registered against the high availability (HA) system. This causes the system to have faster than expected failovers. Also, when bypass asm is turned on and a bigstart restart asm was applied, a failover happens.
Conditions:
Two possible conditions:
1. An internal parameter is configured for the timeout to the HA system. When ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time)
2. bypass asm is internal parameter is applied and a bigstart restart asm happens.
Impact:
A failover happens.
Workaround:
This issue has no workaround at this time.
Fix:
This release fixes internal parameter processing for the high availability lifesign timeout.
478617-7 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
Solution Article: K16451
Component: Local Traffic Manager
Symptoms:
TCP segment size is 40 bytes less.
Conditions:
ICMP implementation using Path MTU (PMTU)
Impact:
The impact of this issue is less data per TCP segment.
Workaround:
Disable Path MTU Discovery by doing the following,
"tmsh modify sys db tm.enforcepathmtu value disable"
Fix:
BIG-IP no longer includes maximum TCP options length in calculating MSS on ICMP PMTU.
478592-5 : When using the SSL forward proxy feature, clients might be presented with expired certificates.
Solution Article: K16798
Component: Local Traffic Manager
Symptoms:
When SSL forward proxy feature is enabled, the certificates cached might not expire at the right time resulting in expired certificates being presented to the clients.
Conditions:
When using the SSL forward proxy feature.
Impact:
Incorrect certificates are presented to the clients.
Workaround:
Manually delete the cached certs in: show ltm clientssl-proxy cached-certs.
Fix:
Cached certificates are now handled correctly.
478492-5 : Incorrect handling of HTML entities in attribute values
Solution Article: K17476
Component: Access Policy Manager
Symptoms:
If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access.
Conditions:
For example, if a form action begins with '/' instead of '/', it will be rewritten although absolute action path should be left untouched. This leads to incorrect behavior of this web application.
Impact:
Web application may not work correctly.
Workaround:
This issue has no workaround at this time.
Fix:
Now HTML tag attributes with HTML entities inside their values are processed correctly.
478470 : AFM Online Help updated: DoS Detection Threshold Percentage
Component: Advanced Firewall Manager
Symptoms:
AFM Online Help was not updated after 11.4.0 to reflect a change in behavior. Prior to 11.4.0 the DoS Detection Threshold Percentage function would drop packets if an attack was detected. This was regarded as unintuitive when there was a separate rate-limit configuration element that customers could use to drop traffic when an attack was detected.
Conditions:
Anyone referring to OLH for a DoS vector Threshold Percentage Increase.
Impact:
Inaccurate description of feature behavior.
Workaround:
Disregard erroneous information in OLH.
Fix:
AFM Online Help has been updated to reflect a change in behavior in the DoS Detection Threshold Percentage. After 11.4.0 the DoS Detection Threshold Percentage function no longer drops packets if an attack was detected. OLH now reflects this.
478439-5 : Unnecessary re-transmission of packets on higher ICMP PMTU.
Solution Article: K16651
Component: Local Traffic Manager
Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.
Conditions:
ICMP PMTU is higher than existing MTU.
Impact:
Burst traffic generated.
Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.
Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).
478399-6 : PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.
Component: Policy Enforcement Manager
Symptoms:
If LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session will be created, even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages.
Conditions:
The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations.
Impact:
100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module.
Workaround:
The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.
Fix:
A validation has been added to prevent the RADIUS profile 'radiusLB-subscriber-awre' from being mistakenly associated with the LTM virtual server, when the BIG-IP system is not licensed for PEM.
478351-2 : Changing management IP can lead to bd crash
Solution Article: K17319
Component: Application Security Manager
Symptoms:
A bd crashe after a management IP change.
Conditions:
Remote logger is configured, high traffic volume and a configuration changed for the management IP.
Impact:
The impact of this issue is a system outage as the bd restarts.
Workaround:
This issue has no workaround at this time.
Fix:
This release fixes a crash that could happen when management IP configuration was changed.
478333-4 : Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Windows client shows an error about corrupted config file, when User's profile and temp folders are located on different partitions
Conditions:
Edge Client for Windows.
User's profile and temp folders are located on different partitions.
Impact:
Configuration will not be saved.
Fix:
Now BIG-IP Edge Client for Windows correctly handles a profile located on a different partition.
478257-6 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
Component: Local Traffic Manager
Symptoms:
Re-transmission of fragment needed packets.
Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.
Impact:
Burst traffic generated.
Workaround:
Disable Path MTU Discovery by doing the following,
"tmsh modify sys db tm.enforcepathmtu value disable"
Fix:
BIG-IP no longer re-transmits packets if the MTU is not changed.
478215-5 : The command 'show ltm pool detail' returns duplicate members in some cases
Component: TMOS
Symptoms:
The command "show ltm pool <poolname> detail" may show duplicate pool members in some conditions.
Conditions:
The conditions required are that the same IP address must be used for multiple members and one member must have :0 port.
Impact:
Redundant pool members listed when running the command.
Workaround:
This issue has no workaround at this time.
Fix:
'show ltm pool detail' no longer returns duplicate entries for members where their IP matches that of another member whose port is 'any'.
477898-2 : Some strings on BIG-IP APM EDGE Client User Interface were not localized
Component: Access Policy Manager
Symptoms:
Some text in internationalized Edge Client was still shown in English.
Conditions:
Use of internationalized edge client
Impact:
Some strings were displayed in English instead of localized language.
Workaround:
None.
Fix:
BIG-IP APM Edge Client User Interface Translation has been updated. UI messages and labels have now been translated into several languages.
477795-4 : SSL profile passphrase may be displayed in clear text on the Dashboard
Component: Access Policy Manager
Symptoms:
Whenever there is a configuration change, it is indicated by a red dot in the dashboard. When the user clicks on it they can see the SSL passphrase, passwords, etc.
Conditions:
This happens whenever there is a config change event.
Impact:
Visible to any user who may not have the permission to see it
Workaround:
None.
Fix:
Now, passphrases, secrets, passwords, and so on, do not display in clear text and appear as "*****".
477789-2 : SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
Component: TMOS
Symptoms:
When an & (ampersand) character is entered for Common Name, Organization Name, Division or SAN in an SSL Certificate, the ampersand is escaped and replaced with an & string.
Conditions:
Create or renew an existing certificate with an ampersand in the Common Name, Organization Name, Division, or SAN.
Impact:
The system escapes the ampersand with an & string. Names such as AT&T that generate certificates that escape the ampersand character do not work as expected.
Fix:
The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating.
477700-2 : Detail missing from power supply 'Bad' status log messages
Solution Article: K04116117
Component: TMOS
Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad
Conditions:
BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances or VIPRION B2100-/B2200-series blades, in which one or more installed power supplies triggers an internal hardware sensor alert indicating a 'Bad' power supply status.
Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.
Workaround:
If power supply errors continue to be logged:
1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }
2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.
3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }
4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.
Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.
477281-9 : Improved XML Parsing
Solution Article: K15605
477278-11 : XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
Solution Article: K15605
477274-12 : Buffer Overflow in MCPQ
Solution Article: K16196
477218-6 : Simultaneous stats query and pool configuration change results in process exit on secondary.
Component: TMOS
Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.
Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.
Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following: -- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found. -- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.
Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.
Fix:
TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.
477195-1 : OSPFv3 session gets stuck in loading state
Component: Local Traffic Manager
Symptoms:
When running tmsh ipv6 ospf neighbor, you see one or more neighbors stuck at Loading. Other adjacent network equipment might report the neighbor at Full.
Conditions:
This occurs when using OSPFv3
Impact:
Neighbor discovery fails to complete
Fix:
OSPFv3 sessions no longer get stuck in loading state.
477064-5 : TMM may crash in SSL
Solution Article: K17268
Component: Local Traffic Manager
Symptoms:
When SSL is configured in TMM, a crash might occur if events happen in a specific (unknown) order.
Conditions:
ClientSSL is configured on a virtual.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
The TMM exit and restart that occurred in certain circumstances when processing SSL traffic has been fixed.
476476-9 : Occasional inability to cache optimized PDFs and images
Component: WebAccelerator
Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming un-cacheable
Conditions:
If WAM has a handle to cached content in datastor which no longer exists because datastor restarted or evicted it, and if this content is an image or PDF which WAM optimized, and if two requests for such content arrive on the same TCP connection, the second can get incorrectly cached such that it can not be served or replaced until tmm is restarted.
Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.
Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1)
or disable PDF linearization and image optimization.
A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).
Fix:
Restarting datastor no longer results in the possibility of some optimized PDFs or optimized images becoming uncacheable.
476460-4 : WAM Range HTTP header limited to 8 ranges
Component: WebAccelerator
Symptoms:
When doing a request with multiple ranges, depending on the current state of the document in the cache (due to previous requests), WAM responds with 'HTTP 416 Requested range not satisfiable'.
Conditions:
Client requesting more than 8 ranges in a single HTTP Range request for a document that has an active cache record.
Impact:
Document is not possible retrieve, even with valid range values.
Workaround:
Force the document to not be cached in the Policy and to be always proxied to the OWS.
Fix:
Use db variable Wam.Cache.Range.MaxRanges to increase the number of max allowed sub-ranges in a HTTP range request. It defaults to a maximum of 8 sub-ranges, however it can be increased up to 32.
476288-5 : Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
Component: TMOS
Symptoms:
When multiple route domains and multiple routing protocols per route domain are repeatedly created and deleted, the tmrouted crashes and restarts.
Conditions:
multiple route domains with multiple routing protocols per each route domain are created and deleted repeatedly in a short time intervals.
Impact:
The routing information is lost and the tables need to be built again. This might cause packet loss.
Workaround:
None.
Fix:
Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.
476097-3 : TCP Server MSS option is ignored in verified accept mode
Solution Article: K15274113
Component: Local Traffic Manager
Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling is not working on server side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.
Conditions:
Enabling 'verified-accept' in TCP profile.
Impact:
the BIG-IP system ignores window scaling from the back-end server.
Workaround:
Disable 'verified-accept' in the TCP profile.
Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.
476038-9 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.
Conditions:
Create an APM virtual server IP address using the Edge Client for Mac
Impact:
Edge Client crashes
Workaround:
Use DNS name rather than IP address when adding a new server.
Fix:
On BIG-IP Edge Client for Mac on OS X 10.7, a user can successfully add a new server using IP address.
476032-6 : BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client hangs in "Disconnecting" state for some time if the backend server is FirePass.
Conditions:
FirePass server as backend
Impact:
User has to wait
Fix:
Issue fixed. Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.
475819-6 : BD crash when trying to report attack signatures
Solution Article: K17325
Component: Application Security Manager
Symptoms:
The Enforcer rarely crashes when logging attack signatures.
Conditions:
A rare issue that happens suddenly when reporting attack signatures to the logs.
Impact:
Traffic resets, failover.
Workaround:
This issue has no workaround at this time.
Fix:
This release fixes an issue that rarely caused the Enforcer to crash when logging attack signatures.
475743-2 : Improve administrative login efficiency
Solution Article: K92140924
475735-2 : Failed to load config after removing peer from sync-only group
Solution Article: K30145457
Component: Access Policy Manager
Symptoms:
Load sys config fails.
Conditions:
Loading config after removing peer from sync-only device group.
Impact:
Failed to load config.
Workaround:
Remove peer device from the sync-only device group on which policy sync has been performed previously.
Fix:
A user can now load sys config even after removing the peer from the sync-only group.
475649-6 : HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert
Solution Article: K17430
Component: Local Traffic Manager
Symptoms:
Use of HTTP::respond in HTTP_REQUEST iRule event in explicit proxy scenarios may cause TMM to assert and crash due to improper handling of HTTP::respond.
HTTP:collect doesn't work properly in explicit proxy scenarios.
Conditions:
This issue occurs with use of HTTP::respond or HTTP::collect in explicit proxy scenarios.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
HTTP::respond no longer asserts and HTTP::collect now works as expected when used from HTTP_REQUEST in explicit proxy scenarios.
475647-3 : VIPRION Host PIC firmware version 7.02 update
Component: TMOS
Symptoms:
Correctly report part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00).
Conditions:
Affects VIPRION B4300 series blades.
Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.
Workaround:
None.
Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.
475599-3 : full "/shared" filesystem prevents tmsh from running
Component: TMOS
Symptoms:
Example:
[root@localhost:/S1-green-P:Active:Standalone] config # tmsh show sys hardware
Unexpected Error: Can't create temp directory, /var/tmp/tmsh/DfRf5Z, errno 28] No space left on device
Conditions:
Typical activity that will fill up the "/shared" filesystem is storage of too many software images in "/shared/images", or leaving too many configuration archives in "/var/tmp".
(/var/tmp is a symlink to /shared/tmp)
Impact:
The system cannot be managed.
Workaround:
Remove some files
Fix:
'tmsh' remains functional even if the "/shared" filesystem is full.
475551-5 : Flaw in CSRF protection mechanism
Component: Application Security Manager
Symptoms:
Flaw in Cross-site request forgery (CSRF) protection mechanism.
Conditions:
CSRF protection is configured.
Impact:
Flaw in Cross-site request forgery (CSRF) protection mechanism.
Workaround:
None.
Fix:
Internal testing found and resolved a flaw in the CSRF mechanism
475549-2 : Input handling error in GTM GUI
Component: Global Traffic Manager (DNS)
Symptoms:
Certain input sequences are not processed correctly in the GTM WebUI
Conditions:
GTM provisioned
Impact:
Incorrect output from GTM UI web pages
Fix:
Correctly process input in the GTM WebUI
475505-8 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
Component: Access Policy Manager
Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.
Conditions:
Windows Phone 8.1 built-in browser.
Impact:
Built-in browser is not properly detected.
Fix:
Microsoft Windows Phone 8.1 built-in browser is now properly detected by the BIG-IP system.
475460-6 : tmm can crash if a client-ssl profile is in use without a CRL
Solution Article: K16581
Component: Local Traffic Manager
Symptoms:
TMM can crash if a client-ssl profile is in use without a certificate revocation list (CRL) configured.
Conditions:
A client-ssl profile is in use without a configured CRL, and the customer has an Engineering Hotfix installed that includes the fix for ID384451.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
TMM no longer crashes if a client-ssl profile is in use without a certificate revocation list (CRL) configured.
475125-2 : Use of HTTP::retry may cause TMM crash
Solution Article: K17428
Component: Local Traffic Manager
Symptoms:
Use of HTTP::retry may cause TMM to crash in certain scenarios.
Conditions:
Use of HTTP::retry may cause TMM to crash in certain scenarios.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
HTTP::retry no longer causes TMM to crash.
474974-2 : Fix ssl_profile nref counter problem.
Component: Local Traffic Manager
Symptoms:
ssl_profile memory leak.
Conditions:
This occurs after several iterations of the following steps:
(1) Create ssl_profiles
(2) Use ssl_profiles to complete a number of handshake operations.
(3) Delete ssl_profiles.
Impact:
ssl_profile memory leak.
Workaround:
None.
Fix:
ssl_profile no longer leaks memory when creating and deleting a number of profiles that have completed handshake operations.
474797-1 : Malformed SSL packets can cause errors in /var/log/ltm
Component: Local Traffic Manager
Symptoms:
If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm:
Device error: cn9 core general.
crypto codec cn-crypto-4 queue is stuck.
Conditions:
Malformed SSL packets being sent to the BIG-IP system.
Impact:
Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored.
Workaround:
None.
474779-2 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
Component: Access Policy Manager
Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.
Conditions:
Unknown.
Impact:
EAM plugin is up but the access gates are not initialized correctly.
Workaround:
Establish connection to OAM server.
bigstart stop eam
Clear config.cache from each accessgates by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache using commandline.
bigstart restart eam
Fix:
EAM plugin initialization is fixed, now the plugin register with TMM process will not fail.
474698-5 : BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
Component: Access Policy Manager
Symptoms:
When client initiates Single Logout (SLO) on the BIG-IP system as IdP which is associated with multiple SP connectors, IdP will send SLO request message to each SP to which user has connected within this session.
If user has connected to multiple SP (bound to different IdP) within the same session, the SLO messages f is sent with 'Issuer'element referencing the name of the last IdP service user has accessed.
Conditions:
This issue occurs when:
1.BIG-IP is configured as IdP.
2.BIG-IP has more then one IdP configuration object.
3.IdP objects are assigned as resources to the same Access Policy.
4.Each IdP configuration is bound to at least one SP-connector.
5.Client initiated SLO on IdP.
Impact:
Impact is based on recipient of the message. Recipient (SP) may reject the SLO request, or process it successfully based on implementation.
Workaround:
Disable SLO on BIG-IP.
474613-2 : Upgrading from previous versions★
Component: Application Visibility and Reporting
Symptoms:
Configuration upgrade from versions 11.2, 11.1, or 11.0 fails when two analytics profiles on different partitions are configured with the same remote login server IP address.
Conditions:
Upgrading from versions 11.2, 11.1, or 11.0 when two analytics profiles on different partitions are configured with the same remote login server IP address.
Impact:
Upgrade process fails.
Workaround:
Remove the external logging configuration on the source partition, upgrade, and then restore the configuration as needed.
Fix:
Configuration upgrade from versions 11.2, 11.1, or 11.0 now succeeds and works correctly even when two analytics profiles on different partitions are configured with the same remote login server IP address.
474601-4 : FTP connections are being offloaded to ePVA
Component: Local Traffic Manager
Symptoms:
FTP connections are offloaded to acceleration hardware embedded Packet Velocity Acceleration (ePVA) chip.
Conditions:
SNAT listener
Impact:
FTP data connections fail due to lack of translation in PORT commands.
Workaround:
Use FTP virtual instead of SNAT listener.
Fix:
FTP connections will no longer be offload to ePVA hardware when traversing through a SNAT listener.
474582-2 : Add timestamps to logstatd logs for Policy Sync
Component: Access Policy Manager
Symptoms:
Log messages in /var/tmp/logstatd.log used for Policy Sync do not have timestamps which makes troubleshooting very difficult.
Conditions:
Run Policy Sync.
Impact:
Serviceability. logstatd.log used for Policy Sync do not have timestamps.
Workaround:
None.
Fix:
A timestamp is now prepended to each log message line in logstatd.log for Policy Sync.
474445-3 : TMM crash when processing unexpected HTTP response in WAM
Component: WebAccelerator
Symptoms:
TMM crash when processing unexpected HTTP response in WAM
Conditions:
Three conditions:
WAM enabled virtual server
WAM disabled during request phase
WAM enabled during response phase
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not disable WAM during request processing unless it will also be disabled during response processing. If WAM is disabled, close the connection after the response with HTTP::Close to ensure it cannot be used for future requests.
Fix:
TMM no longer crashes when processing unexpected HTTP response in WAM.
474388-4 : TMM restart, SIGSEGV messages, and core
Solution Article: K16957
Component: Local Traffic Manager
Symptoms:
Certain conditions might produce error messages similar to the following, in the core file/tmm.log: -- RVAvpBigIP01 notice RIP=0x8cc872 -- RVAvpBigIP01 notice session_process_pending_event_callback ERROR: could not send callback to 192.168.96.27:50441 - 192.168.96.28:443 ERR_NOT_FOUND.
Conditions:
This occurs because of a race condition, for example, one between the HTTP and APM-related profiles during which an APM-profile-related action completes after the HTTP-profile closes the connection.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection.
474194-4 : iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks
Component: TMOS
Symptoms:
iControl methods GlobalLB::PoolMember::get_all_statistics and get_monitor_association can cause memory leaks, which can quickly become problematic when querying large GTM configurations often.
Impact:
Memory leak can become very large with big configurations.
Workaround:
Restart the iControlPortal (bigstart restart httpd).
Fix:
GlobalLB::PoolMember get_all_statistics and get_monitor_association methods no longer cause memory leak.
474058-7 : When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
Solution Article: K16689
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions.
Conditions:
This issue occurs when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains empty "Reference URI" in Signature element.
Impact:
The impact of this issue is that APD restarts.
Workaround:
This issue has no workaround at this time.
Fix:
Fixed issues that caused APD to restart when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains an empty Reference URI in the Signature element.
473685-2 : Websso truncates cookie domain value
Component: Access Policy Manager
Symptoms:
Cookies assigned during back end authentication may not be returned to back end servers. The failures require the set-cookie header contain a domain assignment and the domain value must begin with a dot.
Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.
Impact:
Applications protected by the above authorization may not work.
Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.
Fix:
WebSSO processes domain fields in Set-Cookie headers correctly.
473589-1 : Error at attempt to add GeoIP with parentheses.
Component: Advanced Firewall Manager
Symptoms:
You will get an error if you attempt to add GeoIP with parentheses to a rule. For example one GeoIP code is Cocos (Keeling) Islands (CC), where you will see this error:
Error: 0107179c:3: The specified Geo Location Country Code(Keeling) on (TCP) is invalid
Conditions:
Attempting to add a GeoIP string that contains a parenthesis
Impact:
Unable to ad the GeoIP
Fix:
You can now add GeoIP regions containing parenthesis.
473386-13 : Improved Machine Certificate Checker matching criteria for FQDN case
Solution Article: K17540
Component: Access Policy Manager
Symptoms:
Machine cert check agent might fail if the certificate was issued with extended fields or to a domain machine.
Conditions:
This issue occurs when the machine is outside of domain and the certificate is issued to a domain machine.
Impact:
Machine cert check agent might fail on MAC OS X/Windows for the machines currently outside of domain.
Workaround:
This issue has no workaround at this time.
Fix:
Machine cert check agent matching criteria for FQDN has been improved.
473348-5 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
Solution Article: K16654
Component: TMOS
Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.
Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.
Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.
Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.
Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.
473344-7 : Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
Component: Access Policy Manager
Symptoms:
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
Conditions:
APM access policy is configured with Kerberos authentication and the attempted authentication session was was initially created on a different VIP.
Impact:
Error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.
Workaround:
Either disable RBA on the originating access profile, or remove the domain cookie.
Fix:
With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.
473255-2 : Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement.
Solution Article: K41869058
Component: Access Policy Manager
Symptoms:
Portal Access could incorrectly rewrite Javascript submit() method if it's called in scope of 'with' statement and without object.
Impact:
Form cannot be submitted from script on page.
Workaround:
Create an iRule which adds explicit object reference to submit() call.
Fix:
Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.
473163-9 : RAID disk failure and alert.conf log message mismatch results in no trap
Component: TMOS
Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.
Conditions:
This happens when there is a RAID disk failure and the definition RAID disk failure in alert.conf is similar to the following: alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
lcdwarn description="RAID disk failure." priority="3"
}
Impact:
Actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' As a result, there is no SNMP trap for a failing disk, so no SNMP trap is issued, and the LCD message is not displayed.
Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.
Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
473129-6 : httpd_apm access_log remains empty after log rotation
Solution Article: K15943
Component: Access Policy Manager
Symptoms:
The /var/log/httpd/access_log file remains empty after log rotation.
Conditions:
At least one log rotation which happens at 4:00am every day of the box time
Impact:
access_log are missing
Workaround:
"bigstart restart httpd_apm" must be part of the cronjob every day [around 4:30am] after log rotation.
Fix:
Logging to access_log continues after log rotation.
473037-7 : BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
Solution Article: K16896
Component: TMOS
Symptoms:
BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP. If multiple connections are attempted, the same port is computed.
Conditions:
This occurs on BIG-IP 2000/4000 platforms with SCTP configured.
Impact:
This causes 'Inet port collision' log errors, and the connection is terminated.
Workaround:
None.
Fix:
BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.
472969-3 : If you try to create more than 264 AVR profiles, avrd might crash.
Component: Application Visibility and Reporting
Symptoms:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, avrd might crash.
Conditions:
Creating more than 264 AVR profiles
Impact:
avrd crashes.
Fix:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, MCP now generates the following message:
"Can't generate more than 264 AVR profiles", and the system will not create the profiles.
472748-4 : SNAT pool stats are reflected in global SNAT stats
Component: Local Traffic Manager
Symptoms:
There is a virtual server with SNAT pool configured. And a global default SNAT also configured similar to SNAT pool configuration. Traffic that hits virtual and uses the virtual SNAT pool to translate the source address. The same traffic stats will be reflected in default global SNAT though the default SNAT is not being used.
Conditions:
A virtual server has a SNAT configured. There is a global default SNAT configured similar to the configured SNAT pool.
Impact:
SNAT pool stats are reflected in global SNAT stats.
Workaround:
Configure the default SNAT in a different VLAN.
Fix:
The system now releases the default SNAT from the virtual server if there is a SNAT configuration directly associated with the virtual server.
472585-5 : tmrouted crashes after a series configuration changes
Component: Local Traffic Manager
Symptoms:
When multiple route domains with multiple routing protocols with heartbeat enabled are repeatedly created and deleted, the tmrouted daemon may restart.
Conditions:
This occurs when the following conditions are met: -- Heartbeat is enabled. -- Multiple route domains and routing protocols are created and deleted in a short time interval.
Impact:
The tmrouted crashes and it might lead to packet loss with regard to forwarding.
Workaround:
None.
Fix:
The tmrouted functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.
472446-4 : Customization group template file might cause mcpd to restart
Component: Access Policy Manager
Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.
If strict updates are enabled on iApp and Adv Customization is performed that MCPd could crash tpp.
Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.
Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error.
Here is one example of the types of messages that may be displayed when this occurs:
-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.
Workaround:
None.
Fix:
This release corrects the configuration error that occurred in the config sync or tmsh transaction whose configuration included a misconfigured object and a customization group template file.
472365-5 : The vCMP worker-lite system occasionally stops due to timeouts
Component: TMOS
Symptoms:
The VCMP host side of the worker-lite system has a shorter timeout that the VCMP guest side. This can cause a worker-lite VCMP host to silently stop processing worker-lite requests for a VCMP guest.
Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.
Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.
Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.
Fix:
Corrected a VCMP timeout issue that might have prevented a VCMP guests from processing SSL and compression traffic.
472256-4 : tmsh and tmctl report unusually high counter values
Solution Article: K17259
Component: Access Policy Manager
Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur mignt be unusually high.
Conditions:
The issue might appear if the following events happen, in sequence:
1. Some sessions have been established.
2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover.
3. Some of the existing sessions log out after the chassis or appliance is back online.
Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following: -- sessions_active_cur 18446744073709551615. -- sessions_eval_cur 18446744073709551615.
Workaround:
None.
Fix:
tmsh and tmctl now report the expected correct counter values.
472202-2 : Potential false positive report of DMA RX lockup failure
Component: TMOS
Symptoms:
Due to mixed traffic in the same ring, heartbeat message might not be received in time and therefore system report DMA RX lockup after a period of time.
Conditions:
Mixed traffic stressing into DMA ring 0 and have impacts to heartbeat healthy messages.
Impact:
TMM restart and report HSB DMA RX lockup
Workaround:
None.
Fix:
The false positive report of RX HSB DMA lockup had been eliminated as long as the ring is moving.
472125-3 : IP Intelligence report data is not roll-forwarded between installations as it should★
Component: Application Visibility and Reporting
Symptoms:
Upgrade process does not apply on AVR-DWBL tables, and thus will show no data after the upgrade.
Conditions:
Upgrading from 11.5.0 / 11.5.1 / 11.5.4
Impact:
AVR statistics for DWBL will lose their data.
Fix:
DWBL statistics tables are now backed-up to be used in the new version after the upgrade.
472106-1 : TMM crash in a rare case of flow optimization
Component: Policy Enforcement Manager
Symptoms:
During a special case of optimization the peer connflow is released. Subsequent references to connflow result in crash.
Conditions:
When PEM hudfilter is optimized & server sends a reset, the code checks a non-existent peer connection.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The code path checks for NULL connflow before attempting to access the data structure.
472093-2 : APM TMUI Vulnerability CVE-2015-8022
Solution Article: K12401251
472092-6 : ICAP loses payload at start of request in response to long execution time of iRule
Component: Service Provider
Symptoms:
A long-running iRule in ICAP_REQUEST can cause the loss of payload while the iRule is running, resulting in the beginning of the payload being omitted in the request to the ICAP server. (Note that headers are unaffected.)
Conditions:
This issue occurs when the following conditions are met: -- request-adapt or response-adapt is used. -- IVS with ICAP. -- iRule on ICAP_REQUEST event that takes a long time to execute.
Impact:
ICAP request to ICAP server can lose the beginning of the payload.
Workaround:
When possible, keep iRule duration short by minimizing processing in ICAP_REQUEST and avoiding unnecessary processing, or move the processing elsewhere.
Fix:
The complete request payload is now sent to the ICAP server, even in the presence of a long-running iRule in ICAP_REQUEST.
472062-2 : Unmangled requests when form.submit with arguments is called in the page
Solution Article: K17480
Component: Access Policy Manager
Symptoms:
Expressions like form.submit(something) are not being rewritten by Portal Access.
This may cause direct URL or unmangled paths in request. Such request will fail and application could stop working.
Impact:
Web Application could send unmangled requests and stop working.
Workaround:
iRule workaround is possible, but it will be unique for each web application.
Fix:
Calls of form.submit with arguments are now correctly handled by Portal Access.
471874-6 : VDI plugin crashes when trying to respond to client after client has disconnected
Solution Article: K16850
Component: Access Policy Manager
Symptoms:
VDI plugin crashes when trying to respond to client after client has disconnected.
Conditions:
Client has disconnected, VDI plugin tries to send response to the client.
Impact:
VDI plugin crash.
Fix:
The VDI plugin does not crash when trying to respond to a client after the client has disconnected.
471860-2 : Disabling interface keeps DISABLED state even after enabling
Solution Article: K16209
Component: TMOS
Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.
Conditions:
This occurs when using both tmsh and the GUI.
Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.
Workaround:
You can reboot correct the indicator.
Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.
471827-2 : Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist★
Component: TMOS
Symptoms:
Early syslog-ng starts up with a config file that references /var/run/httpd.pipe, but it does not exist and syslog-ng logs the following:
<date> <host> notice syslog-ng: Error opening file for reading; filename=\'/var/run/httpd.pipe\', error=\'No such file or directory (2)\'
Conditions:
First boot of a newly installed system uses a different syslog-ng.conf file, but only on the first boot of a newly installed system.
After first boot, the real syslog-ng config file is used.
The following log appears in /var/log/boot.log
[only in 11.x releases]:
Sep 4 10:17:35 localhost notice syslog-ng: Error opening file for reading; filename=\'/var/run/httpd.pipe\', error=\'No such file or directory (2)\'
Impact:
There is no actual impact due to this behavior because:
(1) syslog-ng is restarted with the correct syslog-ng configuration later in the boot.
(2) httpd is not started until later which means there is no actual usage of /var/run/httpd.pipe.
Fix:
Prior to starting the early syslog-ng, create the missing file /var/run/httpd.pipe. This also happens later when etc/init.d/syslog-ng is run, but does nothing because the early syslog-ng startup script creates the missing file.
471819-1 : The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d agent restarts periodically if a v11.4.0 or earlier system with Common Criteria mode enabled is updated with a newer version of the big3d agent.
Conditions:
A v11.4.0 or earlier system is updated to run a newer version of the big3d agent and Common Criteria mode is enabled.
Impact:
The impact of this issue is periodic restarting of the big3d agent.
Workaround:
Disable Common Criteria mode.
Alternatively, restore the prior version of the big3d agent.
Fix:
The big3d agent has been modified to run in a mode that eliminates inconsistencies with version 11.4.0 and earlier.
471766-3 : Number of decoding passes configuration
Component: Application Security Manager
Symptoms:
The decoding passes number selected in the "Evasion technique detected" sub-violation setting affects URI and parameter input. However, this setting does not affect the number of decoding passes that the system performs on headers, which is always two.
Conditions:
Headers legally may have more than two or more levels of percent decoding
Impact:
A false positive violation is issued.
Fix:
The number of decoding passes for headers is now taken from the "Evasion technique detected" sub-violation setting.
471625-7 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
Component: Local Traffic Manager
Symptoms:
After deleting external data-group, importing a new or existing external data-group does not propagate to TMM.
Although the import/modify individually seem to work as expected with no errors displayed in the web interface, the ltm log shows 'update queued', but does not show 'update finished' for the imported/modified datagroup.
tmctl ext_class_stat command shows that the deleted data-groups are still in the TMM and existing data-groups stay the same and do not reflect the modification that are made to them via GUI.
Conditions:
The issue occurs when working in an administrative partition other than Common.
Impact:
iRules associated with the data-groups do not behave as expected if data-group is deleted and afterwards when data-group modifications are made.
Workaround:
There are two options for workarounds: 1. Use short names for the data-group files. It is the long names that are problematic. This is the recommended workaround. 2. Reboot. This causes the mcpd to re-load the data-groups and corrects the situation.
Fix:
After deleting external data-group, importing a new or editing existing external data-group now works as expected.
471535-6 : TMM cores via assert during EPSV command
Component: Local Traffic Manager
Symptoms:
TMM cores via assert during EPSV command from clients when The FTP filter rewrites the commands.
Conditions:
This rarely encountered issue occurs with the use of line feed (NL) characters in rewritten commands.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a TCP collect iRule to detect and insert the missing CR.
Fix:
FTP filter now accepts NL-only line-ending when rewriting EPSV command.
471467-1 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
Component: Global Traffic Manager (DNS)
Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.
Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.
Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.
Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.
Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example:
./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line:
name "vs_1"
address 10.221.43.28:1545
471117-3 : iframe with JavaScript in 'src' attribute not handled correctly in IE11
Solution Article: K17546
Component: Access Policy Manager
Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.
Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">
Impact:
Some Web applications may work incorrectly.
Workaround:
This issue has no workaround at this time.
Fix:
If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.
471059-7 : Malformed cookies can break persistence
Component: Local Traffic Manager
Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.
Conditions:
HTTP request contains malformed cookie value that occurs before the BIG-IP system persistence cookie, For example: Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001
Impact:
Persistence is ignored.
Workaround:
None.
Fix:
Cookie values containing space character are parsed properly.
470945-1 : Memory leak in Export Policy operation
Solution Article: K16891
Component: TMOS
Symptoms:
Performing the Export Policy operation creates a memory leak.
Conditions:
ASM is provisioned. A long-lived process exports many security policies without being restarted.
Impact:
If a long-lived process exports many security policies, the device can run out of memory.
Workaround:
Restart the long-lived process that exports many security policies with the following command:
# pkill -f asm_config_server_rpc_handler.pl
Fix:
A standard Perl package 'YAML::LibYAML' was upgraded to a newer version in order to prevent a memory leak that sometimes occurred after exporting a security policy.
470788-4 : Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot
Solution Article: K34193654
Component: TMOS
Symptoms:
Saved configuration may not load if static ARP entries are configured that do not match a self IP subnet.
Conditions:
Saved config with static ARP whose IP falls outside of any self IP subnet.
Impact:
The impact of this issue is that the config fails to load.
Workaround:
To work around this issue remove the static ARP entry from saved config by manually editing config file.
Fix:
Static ARP entries that fall outside of configured self IP addresses can now be loaded. However, this invalid configuration is now avoided by requiring static ARP entries in a self IP subnet to be removed before a self IP can be removed.
470779-3 : The Enforcer should exclude session awareness violations when counting illegal requests.
Component: Application Security Manager
Symptoms:
Getting False positive by blocking requests.
Conditions:
Session Awareness is enabled.
Impact:
Release session status from being blocked/logged can be renewed if illegal traffic runs at the same time even with 'Disallowed access...' violation only
Workaround:
N/A
Fix:
The Enforcer now excludes session awareness violations when counting illegal requests for session awareness actions.
Previously, these violations were counted and therefore prematurely caused the session status to be "Blocked".
470756-8 : snmpd cores or crashes with no logging when restarted by sod
Component: TMOS
Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.
Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.
Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions continue for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might timeout/fail.
Workaround:
Address CPU utilization issues.
Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.
470627-4 : Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE
Component: TMOS
Symptoms:
When Virtual Edition (VE) is licensed with limited throughput, tmm checks and enforces rate limits. However, due to the nature of clustering in data plane, individual tmm processes performs the check independently (that is, divided by the number of tmms on the system). Thus, the check result is not accurate from global rate perspective. In this case, the system log messages that indicates data rate exceeds licensed rate.
Conditions:
Multiple tmm in VE and licensed with limited date rate, when only some of the tmms are processing traffic.
Impact:
Message indicating data rate exceeds licensed rate.
Workaround:
None.
Fix:
Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in Virtual Edition no longer occurs.
470235-1 : The HTTP explicit proxy may leak memory in some cases
Component: Local Traffic Manager
Symptoms:
When the HTTP explicit proxy generates error pages it may leak memory in some cases.
Conditions:
The HTTP explicit proxy is used, and an error occurs that triggers an error page to be generated.
Impact:
The TMM's available memory will slowly decrease over time.
Workaround:
Using a smaller error page may make the memory leak less likely.
Fix:
The HTTP Explicit proxy feature will no longer leak memory when error pages are generated.
470205-4 : /config/.../policy_sync_d Directory Is 100% Full
Component: Access Policy Manager
Symptoms:
After a policy sync operation, the Policy Sync history file objects remain within the /config/.../policy_sync_d directory.
Conditions:
This issue is further exacerbated when customization an/or sandbox (hosted content) files are associated with the profiles being synced.
Impact:
Over time the saved number and size of the Policy Sync history files can grow to fill all available space.
Workaround:
The psync-history objects and related data files can be manually deleted by running the following commands from within tmsh context:
`cd /Common/PolicySyncHistory`
`delete apm policy psync-history all`
`save sys config partitions all`
Please note that the above steps will remove all psync-history and related file objects from your local device. Which means, you will no longer have entries within the history tab of your Policy Sync page of the Admin GUI.
Fix:
After a policy sync operation, the Policy Sync history file objects no longer remain within the /config/.../policy_sync_d directory as expected.
470184-1 : In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
Solution Article: K17284
Component: TMOS
Symptoms:
Navigate to Local Traffic :: iRules :: Data Group List and click on any existing objects. User will see a No Access error, instead of the Data Group object.
Conditions:
Data Group objects exist.
Impact:
User will be unable to view or edit Data Group objects in the Configuration Utility.
Workaround:
View and edit objects in tmsh.
469824-9 : Mac Edge client on Mac mini receives settings for iOS Edge Client
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac on Mac mini receives settings for iOS Edge Client. Edge Client behavior might be different than expected if Mac Edge Client settings are different from iOS Edge Client settings.
Conditions:
Mac mini, iOS Edge and Mac Edge Client setting in connectivity profile on BIG-IP.
Impact:
Different than expected behavior of Edge Client for Mac.
Fix:
Edge Client for Mac on Mac mini now uses the settings for the Mac Edge Client in the connectivity profile on BIG-IP system.
469786-2 : Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
Solution Article: K04393808
Component: Application Security Manager
Symptoms:
A wrong display of the request status (as a blocked request) for requests that were only alarmed.
Conditions:
Web scraping in alarm mode, ASM iRules in place.
Impact:
A wrong display of the request status as if it is a blocked request when it was alarmed request.
Workaround:
This issue has no workaround at this time.
Fix:
When web scraping mitigation configuration mode is set to Alarm (log) and there is an ASM iRule, the iRule no longer displays requests as being blocked when they are actually logged and not blocked.
469770-3 : System outage can occur with MPTCP traffic.
Component: Local Traffic Manager
Symptoms:
System outage can occur when a pool member is unreachable for MPTCP traffic.
Conditions:
MPTCP traffic.
Serverside unreachable.
Impact:
System outage can occur.
Fix:
System correctly handles ICMP unreachable for MPTCP traffic.
469627-2 : When persistence is overriden from cookie to some other persistence method, the cookie should not be sent.
Component: Local Traffic Manager
Symptoms:
If cookie persistence is configured, then persistence cookies will be sent to the client. However, if the persistence profile is overridden by an iRule "persist" command, that cookie should not be sent.
Conditions:
1) A cookie persistence profile is used, and it is overridden to some other persistence method via an iRule.
2) Passive cookie persistence is used, the "always send" option is off, and cookie encryption is enabled.
Impact:
1) Extra persistence cookies may be included in a response even if they are not required by the current persistence method.
2) Passive cookies may not be encrypted in some situations.
Workaround:
1) The extra cookie can be removed by an iRule.
2) Turn the "always send" option on if using passive persistence cookies.
Fix:
1) Persistence cookies will not be inserted if the persistence method is changed from cookie persistence to some other persistence method.
2) Passive persistence cookies will be encrypted even if the "always send" option is off.
469297-2 : Address list summary page does not display the description for individual address list entries.
Component: Advanced Firewall Manager
Symptoms:
Description for an address list entry is not displayed in the address list summary page
Conditions:
'Description' for address list entry (created from tmsh) is not displayed in the address list summary page (in the GUI).
Impact:
The value for 'description' is not seen in the GUI
Workaround:
View the description in tmsh.
Fix:
Address list summary page displays the description for individual address list entries.
469033-15 : Large big3d memory footprint.
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d process might take up a large amount of memory.
Conditions:
Using GTM in various configurations.
Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.
Workaround:
None.
Fix:
Reduced big3d memory footprint.
468949-1 : audit_forwarded started error message
Component: TMOS
Symptoms:
During system start you see the following error message in /var/log/ltm: bigip01 err audit_forwarder: audit_forwarder started"
Conditions:
This message can be displayed during either system start or system restart.
Impact:
None. This notice should be logged at the info log level, not error level.
Fix:
The audit forwarder starting message is now displayed at the info level.
468874-1 : Monpd errors appear when AVR loads data to MySQL
Solution Article: K17456
Component: Application Visibility and Reporting
Symptoms:
An error of the form "Too many partitions (4) defined for DB table..." will appear in both /var/log/ltm and /var/log/avr/monpd.log
Conditions:
This issue occurs when traffic is running and AVR is being used by any of the following provisioned modules: AVR, ASM, PEM, AFM, or SWG.
Impact:
No actual impact on data accuracy or performance - only errors in /var/log/ltm and /var/log/avr/monpd.log
Workaround:
This issue has no workaround at this time.
Fix:
Error messages such as "Too many partitions (4) defined for DB table..." no longer appear in the log files.
468820-2 : MPTCP Flows may hang whan an MTU mismatch occurs on the network.
Component: Local Traffic Manager
Symptoms:
System did not correctly handle the ICMP message reporting an MTU mismatch for MPTCP traffic.
Conditions:
MPTCP traffic
MTU mismatch.
Impact:
Degraded operation, some flows might hang.
Fix:
System correctly handles ICMP notification for MPTCP traffic.
468791-3 : Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.
Component: Local Traffic Manager
Symptoms:
Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.
Conditions:
LTM virtuals using the fix-map tcp profile.
Impact:
tmm can crash
Workaround:
None
Fix:
Fix crash when no SenderCompID is supplied
468710-3 : Using non-standard lettercasing for header name results in misleading error during commit of transaction
Solution Article: K32093584
Component: Device Management
Symptoms:
As part of adding commands to a transaction for iControl REST call, the header name to be used is "X-F5-REST-Coordination-Id." However, if you mix the letter casing to something else, such as: "x-f5-rest-coordination-id" then when you commit this transaction you will get this misleading error: "there is no command to commit in the transaction."
Your command and transaction will succeed, but the error implies it did not.
Conditions:
Using the non-standard letter casing for that header name during the iControl REST call to add commands to a transaction.
Impact:
It looks like the transaction failed, when in fact, it may have succeeded.
Workaround:
Use the proper letter casing for that header name as shown above.
Fix:
Use the proper letter casing for that header name as shown above.
468688-1 : Initial sync fails for upgraded pair (11.5.x to 11.6)★
Component: Advanced Firewall Manager
Symptoms:
Config sync fails immediately after upgrade from 11.5.x to 11.6.
Conditions:
Config sync fails immediately after upgrade from 11.5.x to 11.6.
Impact:
Configurations may not sync if the devices were upgraded from 11.5 to 11.6.
Workaround:
No consistent workaround.
Fix:
Fixed issue where config sync failed on 11.5.x devices after upgrading to 11.6.
468519-6 : BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
Component: Global Traffic Manager (DNS)
Symptoms:
Config reload fails when renewing the license or performing a new install based on the current config.
This appears to be the result of a invalid bigip_gtm.conf which is used to load the config rather than the mcpdb.bin.
Conditions:
If any virtual servers are configured with a dependency list that includes other virtual servers from the same BIG-IP system, BIG-IP DNS creates an invalid bigip_gtm.conf file.
Impact:
BIG-IP DNS config will fail to load when triggered to load from config file
Workaround:
None.
Fix:
Depends-on block is populated correctly with the virtual server info and no error was thrown when reloading BIG-IP DNS config.
468473-5 : Monitors with domain username do not save/load correctly
Solution Article: K16193
Component: TMOS
Symptoms:
Using the Traffic Management Shell (tmsh) to create or modify an object with a string parameter may fail with an error.
Conditions:
This issue occurs when the following condition is met:
• You use the tmsh utility to create or modify an object with a string that uses a backslash (\) to escape a double quotation mark (") character.
Impact:
Users may not be able to modify strings by using the tmsh utility.
Workaround:
The username field must be adjusted in the /config/bigip.conf file to specify the username field with a domain using a \\ syntax. For example: domain\user would need to be configured as: domain\\user.
Fix:
tmsh utility does not process backslashes and embedded double quotation marks as expected.
468472-6 : Unexpected ordering of internal events can lead to TMM core.
Component: Local Traffic Manager
Symptoms:
TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s.
Conditions:
If the TCP profile receives a spurious event it can cause TMM to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Unexpected ordering of internal events no longer leads to TMM core.
468471-1 : The output of DNS::edns0 subnet address command is not stored properly in a variable
Component: Local Traffic Manager
Symptoms:
When the iRule command "DNS::ends0 subnet address" is an IPv4 address and is stored in a variable, it might not be interpreted properly by other iRule commands that expect an IP address (for example, the "whereis" command).
Conditions:
The output of "DNS::ends0 subnet address" command returns an IPv4 address and it is stored in a variable.
Impact:
Other iRule commands that utilize the variable may not work as expected (for example, the "whereis" command).
Workaround:
When utilizing the variable, force a string interpretation of the value. For example, rather than:
set srcip [DNS::ends0 subnet address]
set srccountry [whereis $srcip country]
Use
set srcip [DNS::ends0 subnet address]
set srccountry [whereis [string tolower $srcip] country]
468441-2 : OWA2013 may work incorrectly via Portal Access in IE10/11
Component: Access Policy Manager
Symptoms:
JavaScript error appears if user tries to view/change settings in OWA2013 via Portal Access in Internet Explorer 10/11.
Conditions:
Internet Explorer 10 or 11
OWA2013
Impact:
User cannot change settings in OWA2013.
Workaround:
No workaround is known.
Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.
468433-2 : OWA2013 may work incorrectly via Portal Access in IE10/11
Solution Article: K16860
Component: Access Policy Manager
Symptoms:
JavaScript error appears if user tries to view or change settings in OWA2013 via Portal Access in Internet Explorer 10/11.
Conditions:
Conditions leading to this issue include: Internet Explorer 10 or 11 and OWA2013.
Impact:
User cannot change settings in OWA2013.
Workaround:
This issue has no workaround at this time.
Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.
468395-2 : IPv4 Allocation failure ... is out of addresses
Solution Article: K63044556
Component: Access Policy Manager
Symptoms:
Existing Network Access clients have problems reconnecting.
Conditions:
This occurs when all of the lease pool IP addresses are allocated to Network Access clients.
Impact:
Existing clients cannot reconnect. The system posts messages to the APM logs: IPv4 Allocation failure ... is out of addresses.
Workaround:
Assign more IP addresses in the lease pool.
Fix:
Network Access clients can reconnect now and the lease pool does not run out of IP addresses.
468387-2 : Enforcer core related to specific error condition in the session db
Component: Application Security Manager
Symptoms:
A bd restart, and failover if redundant configuration exists, may occur. The core file will show tm_untimeout () as the coring frame.
Conditions:
-- Load on the system.
-- Heavy usage of the sessiondb infrastructure.
Impact:
Traffic will reset while the bd restart or while the failover is happening.
Workaround:
Disable session tracking from the ASM policy.
Fix:
This release fixes an Enforcer crash related to a specific error condition in the session db.
468375-2 : TMM crash when MPTCP JOIN arrives in the middle of a flow
Solution Article: K16779
Component: Local Traffic Manager
Symptoms:
TMM crash when MPTCP JOIN arrives in the middle of a flow.
Conditions:
No workaround
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
A MPTCP JOIN arriving in the middle of a flow is now handled correctly.
468345-2 : Blocking page with harmful JavaScript can be run by system administrator
Solution Article: K16081
468300-3 : Filters may not work correctly with websockets or CONNECT
Component: Local Traffic Manager
Symptoms:
If filters that buffer messages exist on the chain, then when HTTP switches to pass-through mode, those filters may spuriously fail to see the headers of the response that cased that switch.
The problem is due to HTTP immediately switching into pass-through mode, and then sending the headers as raw data through the chain.
Conditions:
A filter on the chain that buffers a RESPONSE_DONE message, and HTTP switches to pass-through, combined with looking at the headers in a filter other than HTTP.
This is more likely to happen if the server sends data immediately after a successful CONNECT or transition to websockets. (Without waiting for a response from the client.)
Impact:
The TMM may core, or wrong information may be obtained from filters looking at the HTTP headers of a response that causes a switch to pass-through mode.
Workaround:
This issue has no workaround at this time.
Fix:
HTTP now waits until all filters have seen a 101 Switching Protocols or CONNECT 200 Connected response before switching into pass-through mode.
468235-3 : The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
Component: TMOS
Symptoms:
Digital Element's proxy information is not available in the City2 database.
Conditions:
This occurs when using the City2 database available from an F5 partner.
Impact:
In the case of a customer obtaining and installing the city database, Digital Element's proxy information is not included.
Workaround:
None.
Fix:
The worldwide City database (City2) now includes Digital Element's proxy information.
468137-12 : Network Access logs missing session ID
Component: Access Policy Manager
Symptoms:
Without session ID in client logs, it's hard to correlate client and server-side logs.
Impact:
Hard to troubleshoot client logs
Fix:
Now Network Access components print session ID in four messages:
Starting pending session ID: %sessionid,
Session %sessionid established,
Session %sessionid closed:
Status, and Failed to open session %sessionid.
467945-4 : Error messages in AVR monpd log
Component: Application Visibility and Reporting
Symptoms:
The following errors (similar) appear in the monpd log:
monpd|INFO|Jun 18 13:40:08.947|12463| [stat_bridge_thread::load_file, ] Some rows of load_stat_asm_http_ip_1403124000.1 not loaded (18194 rows affected)
Conditions:
In rare cases that include stress traffic and other rare conditions.
Impact:
There can be very small percentage of lost statistics (approximately 0.002%).
Workaround:
No workaround.
Fix:
This release fixes an issue in which the system had duplicated data, leading to display of the following warning message in the AVR monpd log:
'Some rows of load_stat_asm_http_ip_xxxxxxxxxx.x not loaded (xxxxx rows affected)'.
467847-1 : passphrase visible in audit log
Component: TMOS
Symptoms:
With audit logging enabled, you notice that after updating a password for an account it is visible in /var/log/audit
Conditions:
This occurs when audit logging is enabled.
Impact:
Password is visible in the audit log.
Workaround:
Disable audit logging.
Fix:
The password is no longer logged in the audit log.
467551-5 : TCP syncookie and Selective NACK (profile option) causes traffic to be dropped
Solution Article: K17011
Component: Local Traffic Manager
Symptoms:
TCP syncookie and Selective NACK (profile option) causes traffic to be dropped.
Conditions:
This occurs when the following conditions are met: -- Selective NACK enabled in TCP profile. -- TCP syncookie mode. -- No Selective NACK option in TCP options from client SYN.
Impact:
Traffic might be dropped.
Workaround:
Disable Selective NACK option in TCP profile.
Fix:
TCP syncookie and Selective NACK (profile option) now works correctly.
467542-1 : TMM core in AAM assembly code during high memory utilization
Component: WebAccelerator
Symptoms:
TMM core is seen in AAM assembly code during high memory utilization.
Conditions:
AAM is provisioned. High memory utilization scenario resulting in sweeper aggressive mode being triggered. This results in connections getting reset. Inlining or smart client cache is enabled in AAM.
Impact:
Traffic disrupted while tmm restarts.
467256-1 : Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
Solution Article: K25633150
Component: Access Policy Manager
Symptoms:
If there were multiple EPSEC packages installed on a BIG-IP system and if a UCS backup is taken subsequently, that UCS backup will contain all the files causing the UCS to become huge. Installing this UCS may fail due to disk space limitations.
Conditions:
For this issue, multiple EPSEC packages have to be installed in the system and the UCS of this system is created.
Impact:
UCS fails to install due to its large size.
Workaround:
One can do the following:
1. Delete the EPSEC package from the GUI.
2. Then go the /config/filestore/files_d/Common_d/epsec_package_d/ Find the extra files for which there is no corresponding entry in /config/bigip.conf.
3. Delete those extraneous files manually using rm.
Fix:
When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/).
Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives.
Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup:
1. You must remove previous leftover EPSEC ISO files as follows:
a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete.
b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf.
c. Delete those extraneous files manually using the rm command.
2. You cannot import huge previously created UCS archives. Instead, you should delete non-active
EPSEC packages prior to creating a UCS.
3. If you want to include only one (active)
EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.
467196-4 : Log files limited to 24 hours
Solution Article: K16015
Component: TMOS
Symptoms:
In this release, the max log size setting is 1024. This causes large systems (multiple blades, high-availability) to truncate log files, and often prevent log files from storing messages for more than 24 hours.
Conditions:
Multiple blades in a high-availability configuration.
Impact:
Cannot have log files spanning more than 24 hours. This makes it very difficult to use the log when diagnosing problems, because the system overwrites the files before the customer can report the issue.
Workaround:
Change the max-file-size for logrotate from '1024' (the default) to '0' to prevent logrotate from truncating log files. This workaround is also documented in SOL16015: The BIG-IP system may truncate log files, available here: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16015.html.
This can be done from tmsh by running a command such as:
tmsh modify /sys log-rotate max-file-size 0
Fix:
The max log size setting is now greater than 1024, which allows large systems (multiple blades, high-availability) to store messages for more than 24 hours.
467195-1 : Allow special characters importing SSL Key and Certificate except backslash.
Component: TMOS
Symptoms:
GUI validation does not allow for special characters in the SSL Key and Certificate names. Whereas tmsh allows for special characters.
Conditions:
Import an SSL Key or Certificate with a name that contains a question mark, colon, at sign, exclamation mark, ampersand, or pound sign (hashtag): ?:@!&#.
Impact:
Cannot use the GUI to manage Key or Certificate created in tmsh with special characters in their name.
Workaround:
Use tmsh to manage the Key or Certificate.
Fix:
The GUI now allows special characters when importing SSL Key and Certificate. Note that backslash, \ is not supported as a character in the name.
466875-3 : SNAT automap may select source address that is not attached to egress VLAN/interface
Component: Local Traffic Manager
Symptoms:
Egress packets have a source address that is not associated with the VLAN or interface.
Conditions:
Occurs when the following conditions are met:
- Virtual utilizes SNAT automap.
- There exists a route matching a self-ip on interface A to a VLAN on interface B.
Impact:
Packets may not be routed properly.
Workaround:
Use SNAT pool instead of automap.
Fix:
SNAT Automap now matches self-ip against selected SNAT pool member instead of the pool member route.
466761-5 : Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
Component: Service Provider
Symptoms:
Heartbeat, UDP packet with only double CRLF, on existing SIP flow might result in connection loss.
Conditions:
SIP heartbeat message, a UDP packet with double CRLF, sent by the client to the server.
Impact:
Connection might be terminated.
Workaround:
None.
Fix:
The heartbeat SIP message, which is a UDP packet with CRLF, is ignored and connection is maintained.
466745-2 : Cannot set the value of a session variable with a leading hyphen.
Component: Access Policy Manager
Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.
Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.
Impact:
Cannot use hyphen in session variable value. The system posts and error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""
Workaround:
This issue has no workaround at this time.
Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".
466612-2 : Missing sys DeviceModel OID for VIPRION C2200 chassis
Component: TMOS
Symptoms:
The SNMP sysObjectID OID returns a value of Unknown for VIPRION C2200 chassis.
Conditions:
Affected versions of BIG-IP running on VIPRION B2xxx-series blades in a VIPRION C2200 chassis.
Impact:
The VIPRION C2200 chassis is not identified as such by the SNMP sysObjectID OID.
Workaround:
None.
Fix:
The sys DeviceModel OID for VIPRION C2200 (Viprion2200) chassis is now present in the F5-BIGIP-SYSTEM-MIB.
466423-1 : ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults
Component: Application Security Manager
Symptoms:
Update any "filter" field for signature-set changes other unchanged "filter" fields to default.
Conditions:
REST Client is used to configure ASM and partial objects (only changed fields) are sent in a PATCH
Impact:
A User-Defined Filter Based Signature Set may not contain the expected signatures
Workaround:
When updating the object via a PATCH, send the fully populated object.
Fix:
Filter fields that are not explicitly specified in the PATCH call are correctly left unchanged.
466266-3 : In rare cases, an upgrade (or a restart) can result in an Active/Active state★
Component: TMOS
Symptoms:
After upgrading or restarting, the system starts up in an active state even if the peer system is already active.
Conditions:
An upgrade or system restart for an active/standby pair. The issue occurs intermittently and is timing-dependent. There is code executed during sod's initialization that attempts to detect when communication between mcpd and sod has gone bad; this code does this by checking for "end transaction" messages. If 30 or more messages from mcpd are received without an "end transaction" message, sod will reset its connection with mcpd. While the connection is being reset, it is possible for sod to miss messages from mcpd. Depending on which messages it misses, sod may end up in a bad state and exhibit the symptoms of this bug. If this occurs after an upgrade, it does not matter which version one is upgrading from.
Impact:
The impact of this issue is that both systems take traffic.
Workaround:
Restarting the 'sod' daemon on the system after an upgrade or reboot clears the condition. This causes the system to go offline and will disrupt traffic.
Standard BIG-IP appliance:
bigstart restart sod
VIPRION system:
clsh bigstart restart sod
Fix:
In this release, the system ensures that an upgrade or a restart can never result in an Active/Active state.
466007-3 : DNS Express daemon, zxfrd, can not start if its binary cache has filled /var
Solution Article: K02683895
Component: Local Traffic Manager
Symptoms:
DNS Express daemon, zxfrd, cannot start if its binary cache has filled the /var directory.
Conditions:
Using DNS Express and the /var directory is filled.
Impact:
Zxfrd will continually restart.
Workaround:
No workaround, but if in zxfrd restart loop due to this issue you can mitigate the issue by deleting /var/db/tmmdns.bin and then running the following command: bigstart restart zxfrd.
Fix:
DNS Express daemon, zxfrd, will now check to see if /var is full or if the tmmdns.bin database file is corrupted. If either of these conditions is true, zxfrd will not continually restart.
465951-1 : If net self description size =65K, gtmd restarts continuously
Solution Article: K12562945
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process restarts continuously.
Conditions:
This issue occurs when the net self <IP> description >= <65K string>
'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management>Devices>Properties) > = <65K string>
Impact:
When this happens, gtmd is unable to perform its duties.
Workaround:
This issue has no workaround at this time.
Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.
465675-5 : Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
Solution Article: K07816405
Component: TMOS
Symptoms:
Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
Conditions:
Using deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
Impact:
User is unable compile MIB (using smidump) if deprecated objects are not ignored.
Workaround:
Modify MAX-ACCESS to read-only.
Fix:
MAX-ACCESS clause is now correct for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
465590-4 : Mirrored persistence information is not retained while flows are active
Solution Article: K17531
Component: Local Traffic Manager
Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.
Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.
Impact:
If a failover occurs, a new load balancing pick is made for new flows.
Fix:
Mirrored persistence records are now correctly retained.
465229-1 : Fix for Policy Rule Names Displaying Distorted in Rare Conditions
Component: Advanced Firewall Manager
Symptoms:
Policy rule names are same as firewall rules, except when a rule list is used, they also show the name for referencing rule to rulelist. In rare conditions, these names may show distorted data.
Conditions:
You have a firewall policy with a rule list in it.
Impact:
Referencing rule names may look distorted. No impact on performance or process.
Fix:
Upon investigation, a basic memory problem is diagnosed and fixed.
465181-4 : Unhandled connection error in iprepd causes memory leak in iprepd or merged
Component: Application Security Manager
Symptoms:
If the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it causes a memory leak in one of the internal daemons (iprepd and/or merged).
Conditions:
IP-reputation is enabled and it fails to connect to the database server (usually to the proxy of the database server or there is a bad/non-existent connection outside).
Impact:
This issue causes a slow memory leak in the iprepd or merged daemon.
Workaround:
Fix the proxy to the ipreputation or the connection to the IP reputation or turn off IP reputation.
Fix:
Even if the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it no longer causes a memory leak in one of the internal daemons.
465142-5 : iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common
Solution Article: K16633
Component: TMOS
Symptoms:
The iControlPortal process crashes if the LocalLB::ProfileClientSSL::create or create_v2 methods are called outside of the /Common partition.
Conditions:
This occurs when using iControl to create Client SSL profiles in partitions other than /Common.
Impact:
The iControl portal crashes with a 500 Internal Server Error. The Client SSL profile is not created.
Workaround:
Create Client SSL profile in the /Common partition.
Fix:
LocalLB::ProfileClientSSL::create and create_v2 methods now work correctly when used in partitions other than /Common.
465012-5 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
Component: Access Policy Manager
Symptoms:
Rewrite plugin may crash on large javascript files and tags when webtrace or debug log for Portal Access is enabled.
Conditions:
Portal Access log level is set to "Debug", or
Web Application Trace feature of Portal Access is active.
Impact:
Portal Access is temporarily unavailable.
Core file for 'rewrite' process is generated.
Workaround:
Disable webtrace
Change Portal Access log level to Notice
Fix:
Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.
465009-2 : VIPRION B2100-series LOP firmware version 2.10 update
Component: TMOS
Symptoms:
Booting the blade via PXE results in garbled PXE menu. (ID464614)
Conditions:
VIPRION B2100 and B2150 blades with LOP firmware version 2.09.
Impact:
PXE menu display is garbled, although responds correctly to correct inputs.
464992-8 : Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac fails to recognize DC component in certificate common name field. Edge Client fails to pass machine certificate inspection if domain component is included in search regular expression.
Conditions:
BIG-IP Edge Client for Mac, machine certificate agent, DC component in common name search regex
Impact:
BIG-IP Edge Client for Mac might fail to log in.
Fix:
BIG-IP Edge Client for Mac now passes Machine Certificate inspection when domain component is included in search criteria.
464972-2 : Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
Component: Advanced Firewall Manager
Symptoms:
Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
Conditions:
If Country name contains parentheses, then an error is thrown and it cannot be added to the address list
Impact:
Address List creation Page
Workaround:
Use tmsh to add the country Name with parentheses
Fix:
If the country Name contains parentheses, it can now be added to the address list page.
464966-1 : Active Rule page may display incorrectly if showing multiple rules and at least one rule list
Component: Advanced Firewall Manager
Symptoms:
The Active Rule page will truncate the display of active rules if there is more than one page worth of rules to display plus one or more rule lists.
Conditions:
More rules than will display on a single page and at least one rule list.
Impact:
Difficulty in reviewing and editing firewall rules.
Workaround:
It may be possible to review the assigned rules through the individual Policy pages.
Fix:
The Active Rule page now displays large numbers of rules correctly along with rule lists.
464801-1 : Intermittent tmm core
Component: Local Traffic Manager
Symptoms:
tmm intermittently cores. Stack trace signature indicates "packet is locked by a driver"
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an intermittent tmm core
464762-1 : Rule lists may not display schedules for rules that have them
Component: Advanced Firewall Manager
Symptoms:
Rule lists may not display schedules for rules that have them.
Conditions:
This occurs when looking at Active Rules or policies if they have schedules assigned to them.
Impact:
The rule list will display that each rule with a schedule is scheduled, but will not show which schedule is associated with the rule.
Workaround:
none
Fix:
Rule lists now correctly display schedules for rules.
464735-1 : Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy
Component: Application Security Manager
Symptoms:
When trying to deactivate a policy used in a non-default L7 policy, you get the following error, and the policy is deactivated:
"MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/vs126'. It is in use by ltm policy '/Common/l7_policy'."
In addition, the virtual server becomes unavailable after the deactivation.
Conditions:
ASM is provisioned.
ASM policy is assigned to a non-default L7 policy.
Impact:
Virtual server is unavailable.
ASM policy assigned to the LTM virtual server is broken.
Workaround:
Prior to the deactivation of such an ASM policy, remove it from all L7 policies from the following screen:
Local Traffic > Policies > Policy List > <L7_policy_name> > Properties.
Fix:
The deactivation of an ASM policy that is assigned to a non-default rule in an LTM policy produces a verbose and meaningful error message, and the virtual server is now available after the deactivation.
464687-1 : Copying Access Profile with Machine Cert Agent check fails
Component: Access Policy Manager
Symptoms:
When attempting to copy an Access Profile with Machine Cert Check Agent, it fails with no error message on the web interface nor in the a log file.
Conditions:
Copying of Profile Access with Access Policy that has Machine Cert Check Agent with cert assigned
Impact:
The copy fails, and no error message is displayed.
Workaround:
Edit access policy, remove machine certificate assignment
Copy
Edit access policy, set machine certificate back
Fix:
Now it is possible to copy an access profile that contains a Machine Cert access policy item.
464651-7 : Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
Solution Article: K16636
Component: Local Traffic Manager
Symptoms:
Two or more root certificates with the same 'subject' and 'issuer' but different serial numbers may cause the tmm to core.
The core was due to an assert failure in size caused by a loop in certificate chain construction.
Conditions:
When multiple certificates with the same 'subject' and 'issuer' are in a CA file, and the CA file is configured in SSL profile as trusted CAs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep only one certificate for a given 'subject' and 'issuer' in CA file.
Do not leave two certificates with the same 'subject' and 'issuer' in a CA file.
Fix:
Resolved a failure when the customer installs another self-signed certificate with same subject/issuer before a self-signed certificate expires.
464650-2 : Failure of mcpd with invalid authentication context.
Component: TMOS
Symptoms:
MCPd cores.
Conditions:
It is not known what triggers this core.
Impact:
Mcpd restarts
Workaround:
None.
Fix:
Failure of mcpd with invalid authentication context no longer occurs.
464547-5 : Show proper error message when VMware View client sends invalid credentials to APM
Component: Access Policy Manager
Symptoms:
The View client shows no information or error page if the user types the wrong password or username
Conditions:
Bad credentials supplied to Vmware View client connecting using APM.
Impact:
End user would not know if the failed login was caused by bad credentials or for another reason.
Fix:
VMware View client displays a proper message when a user enters invalid credentials.
464273-1 : PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type
Component: Policy Enforcement Manager
Symptoms:
When a PEM session is created by radius/irule and there are more that one subscriber ID types associated to the session then only one of them is sent.
Conditions:
Subscriber session has more that one subscriber ID types but just one type sent.
Impact:
If PCRF is expecting all the subscriber IDs associated to the session then only one of them being sent.
Workaround:
here is no workaround at this time'
Fix:
All the associated subscriber ID types (imsi, e164, private) are sent of the CCR-I message for the session if they are present during session creation.
464225-6 : 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users
Solution Article: K16541
Component: TMOS
Symptoms:
Running the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users, even though non-admin users have tmsh access to all partitions.
Conditions:
A non-admin user is logged in via tmsh.
Impact:
The non-admin user cannot run the command 'list ltm message-routing' or 'show ltm message-routing' via tmsh. The system posts an error message similar to the following: Unexpected Error: Can't display all items, can't get object count from mcpd.
Workaround:
None.
Fix:
Non-admin users can now successfully run the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing'.
464222-1 : Policy Rule Missing from TMSH Overlapping Status Output
Component: Advanced Firewall Manager
Symptoms:
Policy rule column which shows a referencing rule in policies which have rule-lists may be missing from the advanced rule status or a.k.a. overlapping-status mode.
Conditions:
This occurs when using rules that reference rule-lists
Impact:
You may not be able to see the real rules that reference the rule-lists. The impact is minimal.
Workaround:
In regular firewall rule modes, such as "show security firewall policy" or "show ltm virtual fw-enforced-policy", etc, you can still see Referencing Rule column.
Fix:
Missing Referencing Rule column is added to overlapping status mode.
464116-5 : HTTP responses are not cached when response-adapt is applied
Component: Service Provider
Symptoms:
When a response-adapt profile is applied on a virtual with ramcache, HTTP responses are not cached.
Conditions:
Both ramcache and response-adapt on a virtual.
Impact:
HTTP responses are not cached.
Fix:
HTTP responses modified by response-adapt are cached.
464043-4 : Integration of Firmware for the 2000 Series Blades
Component: TMOS
Symptoms:
Integration of Firmware for the 2000 Series Blades.
Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.
Impact:
This will improve functioning of the hardware.
Workaround:
None. This is an action item.
Fix:
Integration of Firmware for the 2000 Series Blades.
463468-9 : failed tmsh command generate double logs
Component: TMOS
Symptoms:
A single failed tmsh command generates two identical audit logs, and audit_forwarder sends two logs to audit server (TACACS+ in this example).
Conditions:
tmsh audit is on and tmsh command is failed from mcpd validation. This does not occur with successful commands.
Impact:
Here is an example of the failure:
tmsh create ltm pool pool20
01020066:3: The requested pool (/Common/pool20) already exists in partition Common
Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=130start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20
Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=132start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20
Workaround:
None.
Fix:
Failed tmsh command no longer generates double logs.
463380-4 : URIs with space characters may not work properly in ODATA query
Solution Article: K16693
Component: Device Management
Symptoms:
ODATA query strings such as: $filter=partition eq 'Common' may not work correctly unless the spaces are encoded with +.
Conditions:
ODATA query strings with spaces.
Impact:
The query will fail with a 400 error.
Workaround:
Encode the query string space characters with + as replacement.
Fix:
URIs with space characters now work properly in ODATA query.
463314-1 : Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail
Component: Application Security Manager
Symptoms:
When AJAX blocking response page feature is enabled, ASM's pre-injected javascript code adds a custom header to each outgoing ajax request. Adding the header to a cross domain ajax request forces browsers to send an OPTIONS preflight request, if a back-end server doesn't not treat the pre-flight request properly, the request will fail resulting in broken functionality of a web application.
Conditions:
Provision asm, attach asm policy to a virtual server and configure Enable AJAX blocking response page feature.
Impact:
Broken cross domain ajax requests
Workaround:
Disable AJAX blocking response page feature in ASM policy.
Fix:
Avoid adding custom headers to cross domain ajax request.
463202-6 : BIG-IP system drops non-zero version EDNS requests
Component: Local Traffic Manager
Symptoms:
If a query from a client contains a non-zero EDNS version, the query is dropped instead of sending an appropriate response.
Conditions:
This occurs with DNS profile/processing when a client sends a query with non-zero EDNS version.
Impact:
Dropped queries, retries, and then time-outs occur.
Fix:
If the EDNS version is not zero, the query passes through the filter and is not dropped.
462827-8 : Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id
Solution Article: K16634
Component: Device Management
Symptoms:
Some URIs passed to the BIG-IP system with X-F5 that are not X-F5-REST-Coordination-Id may improperly parse the HTTP request headers. These include iControl-REST URIs
/mgmt/tm/analytics/...
/mgmt/tm/vcmp/...
/mgmt/tm/actions/...
/mgmt/tm/gtm/...
/mgmt/tm/ltm/...
/mgmt/tm/net/...
/mgmt/tm/pem/...
/mgmt/tm/util/...
/mgmt/tm/sys/...
/mgmt/tm/cli/...
/mgmt/tm/secuirty/...
/mgmt/tm/ilx/...
/mgmt/tm/apm/...
/mgmt/tm/transaction/...
/mgmt/tm/auth/...
/mgmt/tm/wom/...
/mgmt/tm/cm/...
/mgmt/tm/wam/...
Conditions:
Headers prefixed with X-F5 that are not X-F5-REST-Coordination-Id.
Impact:
Headers are not parsed properly.
Workaround:
None
Fix:
The system now checks for the full header name to properly parse instead requiring X-F5 to determine whether or not it is the X-F5-REST-Coordination-Id header.
462714-3 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
Solution Article: K66236389
Component: Local Traffic Manager
Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.
Conditions:
The profile has to be FastL4. Traffic that is either UDP with checksum of 0, or SCTP, or ESP, are definitely affected.
Impact:
Source address persistence is not usable as the entry ages out when it should not.
Workaround:
None.
Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.
462598-3 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
Solution Article: K17184
Component: Access Policy Manager
Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into retry loop and sod kills the tmm.
Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.
Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.
462268-1 : long session var processing in variable assignment agent
Component: Access Policy Manager
Symptoms:
before the fix, there was no way to operate session variables > 4096 bytes in variable assignment agent
Conditions:
variable assignment agent uses session variable that is longer than 4Kb (value)
Impact:
cannot process some well known attributes of from active directory server like memberOf if user is a member of thousands groups OR member if group has thousands of members
Workaround:
None
Fix:
There is no limit on session variable value length in the variable assign agent.
462187-6 : 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users
Solution Article: K16379
Component: TMOS
Symptoms:
'tmsh list net tunnels' and GUI tunnel access fail for non-admin users. Non-admin users have access to all partitions via tmsh.
Conditions:
This occurs for non-admin users on the tunnel list page when selecting a predefined tunnel or one that has been configured.
Impact:
The command or operation fails. The system displays the following error: Unexpected Error: Can't display all items, can't get object count from mcpd.
Fix:
Non-admin users can now use the GUI to access the tunnel list page or properties for a configured tunnel without error.
461715-2 : AVR: Collecting geolocation IDs
Component: Application Visibility and Reporting
Symptoms:
Long computation in geolocation handling might cause Keep-Alive timer to stop the bd process.
Conditions:
This bug occurred during stress run when bd is running.
Impact:
The bd process halts and restarts.
Workaround:
None.
Fix:
This release improves the way AVR collects geolocation information, so the long computation does not take place, and the Keep-Alive timer does not stop the bd process.
461597-10 : MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client for Mac does not follow HTTP 302 redirect if new site has an untrusted self-signed certificate.
Conditions:
BIG-IP Edge Gateway and Mac Edge Client and HTTP 302 redirect to new site with untrusted certificate
Impact:
User might not be able to log in if HTTP 302 redirect is configured for a site with an untrusted certificate.
Workaround:
Configure APM with trusted certificate or configure client machine to trust APM's certificate
Fix:
BIG-IP Edge Client for Mac now follows HTTP 302 redirect if the new site has an untrusted self-signed certificate and the user will be able to log in successfully.
461587-6 : TCP connection can become stuck if client closes early
Component: Local Traffic Manager
Symptoms:
Connection remains half-open and appears in connflow table after receiving FIN/ACK from serverside. the BIG-IP system never sends FIN/ACK to serverside to indicate connection has been closed.
Conditions:
Clientside connection is closed before serverside completes 3-way handshake. Serverside never completes 3-way handshake and LB::reselect command is issue via iRule.
Impact:
Connection remains half-open and stuck in connflow table
Fix:
Serverside connections established due to LB::reselect will now correctly get closed after the 3-way handshake completes if the corresponding clientside connection has already been closed.
461560-6 : Edge client CTU report does not contain interface MTU value
Component: Access Policy Manager
Symptoms:
Client troubleshooting utility reports do not log the value of MTU on network interfaces.
Conditions:
This occurs on the APM client CTU report.
Impact:
Troubleshooting MTU related issues become difficult.
Workaround:
Use third party tools to capture MTU values.
461216-2 : Cannot rename some files using CIFS optimization of the BIG-IP system.
Component: Wan Optimization Manager
Symptoms:
Cannot rename some files using CIFS optimization of the BIG-IP system.
Conditions:
Happens with BIG-IP systems with WOM configuration and CIFS optimization enabled and the files names are very long.
Impact:
Unable to rename files with long filenames using CIFS optimization of the BIG-IP system. wocplugin core.
Workaround:
None.
Fix:
You can now rename files with long filenames using CIFS optimization of the BIG-IP system.
461084-2 : Kerberos Auth might fail if client request contains Authorization header
Solution Article: K48281763
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.
Conditions:
An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured.
Impact:
Authentication can fail and the client might see a login prompt again when the IP address changes.
Workaround:
None
Fix:
Client's Kerberos auth will succeed now.
460833-2 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This symptom may occur under the following conditions:
1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
460627-5 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
Solution Article: K17059
Component: Local Traffic Manager
Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.
Conditions:
This happens when a GWM server sends the SendWeight messages to SASP monitor immediately after the registration of the pool member is complete, but the registration of all the pool members is not complete.
Impact:
The SASP monitor fins an existing TCP connection to the GWM server.
Workaround:
This issue has no workaround at this time.
Fix:
The Send Weight messages are processed only after the registration of all the pool members is complete. Monitor logging has been vastly improved. In addition, there was a crashing bug that caused the SASPD_monitor process to be restarted. That bug has been fixed.
460456-3 : FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0
Component: TMOS
Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.
Conditions:
The purpose of this change is to integrate a firmware package into the BIG-IP build.
Impact:
There is no impact to this fix.
Workaround:
None.
Fix:
Incorporated 5000, 5050, 5250 BIOS 2.06.214.0 into BIG-IP firmware.
460444-3 : VIPRION B4300 BIOS version 2.03.052.0 update
Component: TMOS
Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-2)
Conditions:
Affects VIPRION B4300 series blades.
Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-2)
460428-3 : BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
Component: TMOS
Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-4)
Conditions:
Affects BIG-IP 2000-/4000-series appliances.
Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-4)
460427-6 : Address collision reported when the Primary blade goes down or its TMM crashes in an Chassis IntraCluster environment.
Component: Access Policy Manager
Symptoms:
In Chassis IntraCluster environment; when the Primary blade or its TMM goes down for any reason, (e.g., crash, restart, or shut down) the system posts 'IPv4 Addr collision' messages in APM logs.
Conditions:
This happens when a Chassis platform is used in IntraCluster mode with APM's Network Access.
Impact:
Address collision is reported in the logs, and affected clients (that have duplicate IP addresses - both the original ones and the new ones) might intermittently lose connectivity.
Workaround:
None.
Fix:
Now the TMM leasepool IP information for the primary blade is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.
460422-3 : BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.
Component: TMOS
Symptoms:
BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.
Conditions:
Firmware earlier than BIOS 4.01.006.0 on the BIG-IP 10000, 10250, 10350 platforms.
Impact:
Updated BIOS needed.
Workaround:
None.
Fix:
BIOS 4.01.006.0 has been incorporated into the BIG-IP 10000, 10250, 10350 platforms.
460406-3 : VIPRION B2100-series BIOS version 1.06.043.0 update
Component: TMOS
Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-1)
Conditions:
Affects VIPRION B2100 and B2150 blades.
Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-1)
460397-3 : FW RELEASE: Incorporate B2250 BIOS 1.26.012.0
Component: TMOS
Symptoms:
The purpose of this bug is to incorporate firmware into the BIG-IP Release.
Conditions:
The purpose of this bug is to incorporate firmware into the BIG-IP Release when there is a change to the maintenance firmware.
Impact:
There is no impact with this change.
Workaround:
None.
Fix:
FW RELEASE: Incorporated B2250 BIOS 1.26.012.0 into BIG-IP release.
460176-3 : Hardwired failover asserts active even when standalone
Component: TMOS
Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.
Conditions:
Serial cable failover in-use between two members of an HA pair.
Impact:
Traffic is interrupted when the Active unit transitions to Standby.
Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:
tmsh modify sys db failover.usetty01 value disable
Fix:
A Standalone unit does not spuriously assert that it is Active if the unit is not configured to be in a high availability (HA) pair when the serial cable is connected during failover. (This is the version 10.x behavior.)
460165-5 : General Database Error when accessing Clusters or Templates page
Component: TMOS
Symptoms:
On multi-blade chassis systems, the Templates and Clusters pages conflict. If you navigate to the Clusters page and then navigate to Templates, the Templates page will be blank and post a General Database Error, and vice versa.
Conditions:
This occurs only in a multi-blade chassis system (i.e., where there is a Clusters page).
Impact:
Ability to configure via the UI is degraded. System posts an error in catalina.out: ERROR [TP-Processor3] application_005ftemplate.list_jsp:_jspService - Column not found: SLOT_ID in statement [SELECT LIMIT 0 10 OPTIMIZED * FROM app_template ORDER BY slot_id ASC].
Workaround:
Restart tomcat each time you want to use these pages.
Fix:
Accessing Template and Cluster pages now load correctly.
459884-5 : Large POST requests are not handled well by APM.
Component: Local Traffic Manager
Symptoms:
Large (4 MB or more) POST requests cause APM to crash if the request is retried. (The default limit is 64 KB, but can be increased in the configuration.)
Conditions:
An unusually large POST limit in APM. A big POST that needs to be retried.
Impact:
The TMM may core. The TMM lacks the required contiguous block of memory due to fragmentation.
Workaround:
Make sure POST limit is 4 MB or lower.
Fix:
APM no longer cores when configured to accept large POST requests, and the POST cannot be buffered.
459671-1 : iRules source different procs from different partitions and executes the incorrect proc.
Component: Local Traffic Manager
Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.
Conditions:
Multiple iRule procs defined in multiple admin partitions.
Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.
Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.
459584-2 : TMM crashes if request URI is empty or longer than 4096 bytes.
Solution Article: K11596702
Component: Access Policy Manager
Symptoms:
TMM crashes and restarts.
Conditions:
This occurs when using URL redirection on APM. If the request uri is empty or greater than 4096 bytes it can trigger this.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Insure the request URI is not empty or longer than 4096 bytes.
Fix:
TMM no longer crashes if request URI is empty or longer than 4096 bytes.
459100-6 : TMM may crash when offloading one-way UDP FastL4 flow
Solution Article: K16452
Component: Local Traffic Manager
Symptoms:
When handling UDP traffic on a FastL4 VIP, sometimes the TMM tries to offload both client and server flow when there is only one way traffic (either client-side or server-side). That would result TMM crashed on invalid pointer access.
Conditions:
HSBe2 platform, FastL4 VIP for UDP traffic, and one-way traffic during run time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
TMM now handles one way UDP traffic offloading correctly.
459024-1 : Error L4 packets encounter configured whitelist entries that do not match the protocol
Component: Advanced Firewall Manager
Symptoms:
For error vectors, the system matches only VLAN keys and not the associated protocols.
Conditions:
If an error packet is sent that should be dropped.
Impact:
An error packet's protocol is not compared with configured whitelist protocol entries, so they are not getting dropped.
Workaround:
None.
Fix:
Error packet's protocol will now be matched with the specified protocol in the whitelist entries, so appropriate action will be taken.
458872-1 : Check SACK report before treating as dupack
Component: Local Traffic Manager
Symptoms:
TCP uses duplicate acks as a sign that data has left the network. When SACK is enabled, the SACK contains better information about this. When SACK indicates no data has left, do not execute duplicate ACK processing.
Conditions:
SACK is enabled and duplicate ACKs arrive.
Impact:
TCP sends data in excess of what is authorized by the congestion window.
Workaround:
It's a mild performance impact, so no workaround is necessary.
Fix:
Consider SACK information before dupack processing.
458823-2 : TMM Crash can lead to crash of other processes
Component: Application Visibility and Reporting
Symptoms:
When TMM is crashing abnormally, the restart procedure can lead to following crashes of other processes in the system.
Conditions:
Relates to cases in which TMM crashes abnormally as a result of other issues.
Impact:
The crash of the other processes has no impact on the system, as the fact that TMM already crashed is the main impact.
There is evidence of the other processes crash, since there are core dump files, so it is raising concerns about why several processes crashed and leads to customer escalations.
Fix:
The non-TMM processes are shut down more gracefully and are not crashing with core dumps during the system restart.
458822-5 : Cluster status may be incorrect on secondary blades
Component: Local Traffic Manager
Symptoms:
Cluster status may be out of date on secondary blades.
Conditions:
There is a race condition that becomes apparent when the cluster status is changed on the primary. This change may not be affected on the secondary.
Impact:
The cluster status when viewed on a secondary blade may not be up to date. clusterd's status will be correct, but mcpd's copy of the message may be out of date.
Workaround:
This is a cosmetic issue.
Fix:
Changes are now immediately reflected on secondary blades when the cluster status is changed on the primary blade.
458810-1 : Time field may not display correctly in log search function
Component: Advanced Firewall Manager
Symptoms:
On the event log page, searching by time and clicking on another field will cause the time field to not display.
Conditions:
Always
Impact:
Display temporarily omits the time field.
Workaround:
Clicking a second time causes the time field to display.
Fix:
The time field in the event log search function now displays correctly.
458770-4 : [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction
Component: Access Policy Manager
Symptoms:
Mac Edge Client doesn't work properly with ending redirects if the redirect is to the same box (another VS) and second access policy
contains agents that assume interaction (Logon page, Message box, Mac Process check).
Conditions:
Redirect not working when subsequent agent assumes interaction.
Impact:
Redirect not working.
Workaround:
N/A
Fix:
Redirect works when the subsequent agent assumes interaction.
458737-1 : non-printable characters are escaped before hexencoding
Component: Access Policy Manager
Symptoms:
In non-printable values of AD/LDAP attributes, BIG-IP processing escapes the "|" (pipe) character.
Conditions:
This occurs when there is an AD/LDAP query in use and the query returns binary attributes with the "|" (pipe) character.
Impact:
This creates a problem when the value is processed back to its previous value, a process that includes removing the escape characters. In this case, the resulting data does not match the original binary data.
Workaround:
Unescape binary attribute values after hexdecode manipulation to match the original value.
Fix:
When an AD or LDAP query is in use and the query returns binary attributes with the "|" (pipe) character, APM now checks whether the value contains non-printable characters, and if so, hex encodes the value. If the value is printable, APM escapes the "\" and "|" characters (because "|" is used as a separator for multivalue attributes).
458563-3 : A 'status down' message is logged when enabling a pool member that was previously disabled
Component: TMOS
Symptoms:
When a pool member is disabled and subsequently re-enabled, it logs a message saying that the monitor status is down for a very short time (just prior to coming back up). This is because the system is in the state 'forced down' when the pool member is disabled, and when it is re-enabled, it transitions to the state 'down', and then immediately to the state 'up', and each of these transitions is logged.
Conditions:
A pool member is disabled, then re-enabled.
Impact:
A potentially confusing log message. No other functional impact.
Workaround:
None.
Fix:
The system no longer logs the transition from 'forced down' to 'down.
458348-3 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
Component: Local Traffic Manager
Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.
Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.
Impact:
Packets are dropped.
Fix:
RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.
458104-6 : LTM UCS load merge trunk config issue
Solution Article: K16795
Component: TMOS
Symptoms:
Performing the ucs sys load command does not overwrite trunk interface configuration, it merges with the existent setting. When loading UCS with RMA flag, you may not get expected results. The expected outcome is that the trunk is overwritten, not merged.
Conditions:
Current configuration has a trunk with several interface members.
The UCS to be loaded contains the same trunk name but with other interfaces.
Impact:
The trunk incorrectly appears as merged, having both sets of interfaces.
The config on disk bigip_base.conf shows the correct config.
Reboot does not resolve the issue.
Workaround:
1. Restore the BIG-IP configuration to factory default settings using the command sequence: -- load sys config default. -- load sys ucs example.ucs no-license. -- save sys config.
2. Force the mcpd process to reload the BIG-IP configuration with the command sequence: touch /service/mcpd/forceload. -- load sys ucs example.ucs no-license. -- save sys config.
Fix:
Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.
457951-3 : openldap/ldap.conf file is not part of ucs backup archive.
Solution Article: K19305339
Component: TMOS
Symptoms:
/etc/openldap/ldap.conf is not saved as part of a UCS backup.
Conditions:
/usr/libdata/configsync/cs.dat file on the BIG-IP sysesm does not have the entry for /etc/openldap/ldap.conf.
Impact:
Any changes in /etc/openldap/ldap.conf will not get backed up.
Workaround:
None.
Fix:
Added /etc/openldap/ldap.conf file to cs.dat.
457902-5 : No EAM- log stacktrace in /var/log/apm on EAM crash event.
Component: Access Policy Manager
Symptoms:
On EAM crash event, stack trace or fault address were not logged in /var/log/apm.
Conditions:
EAM crash and the signal handler did not log much details on /var/log/apm
Impact:
Core debugging is made easier with improved signal handler to log stack trace, fault address etc.
Workaround:
No workaround
Fix:
[OAM] Improve signal handler to log stack trace, fault address etc. to /var/log/apm - this is now fixed.
457811-1 : CVE-2013-6438 : HTTPD Vulnerability
Solution Article: K15300
457760-6 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
Component: Access Policy Manager
Symptoms:
Logs from standard libraries were not redirected to /var/log/apm in EAM plugin.
Conditions:
Stdout/stderr from standard libraries are affected.
Impact:
stderr/ stdout from standard libraries were not logged and that impacted troubleshooting effort.
Workaround:
No workaround to log stderr/stdout
Fix:
[OAM] Redirecting stdout/stderr from standard libraries to /var/log/apm. This is now fixed.
457603-3 : Cookies handling issue with Safari on iOS6, iOS7
Solution Article: K25117932
Component: Access Policy Manager
Symptoms:
Wrong cookies set send to backend with some requests. The issue is very intermittent.
Conditions:
Web-Application with Portal Access when Safari on iOS6, iOS7 is used.
Impact:
Web-Application misfunction.
Workaround:
This issue has no workaround at this time.
Fix:
Web applications with portal access using Safari on iOS now work correctly when an 'onbeforeunload' event occurs.
457568-1 : Loading of configuration fails intermittently due to WOC Plug-in-related issues.
Solution Article: K16966
Component: Wan Optimization Manager
Symptoms:
Loading of configuration fails intermittently due to WOC Plug-in-related issues.
Conditions:
This rarely encountered issue occurs when the BIG-IP system is configured with AAM (formerly WOM/WOC/WAM) objects when there is an attempt to change/load the configuration.
Impact:
Configuration load fails. Cannot change the configuration.
Workaround:
Manually change the configuration and restart/reboot the system.
Fix:
Loading of configuration no longer fails due to WOC Plug-in-related issues.
457525-3 : When DNS resolution for AppTunnel resource fails, the resource is removed
Solution Article: K17359
Component: Access Policy Manager
Symptoms:
App tunnel gets removed from webtop if one of items is not DNS resolvable.
Conditions:
This issue occurs when at least one of items in app tunnel resource is not DNS resolvable.
Impact:
If one of the items in app tunnel resource is not DNS resolvable, the app tunnel resource gets removed.
Workaround:
This issue has no workaround at this time.
Fix:
APM removes an app tunnel resource from a webtop only if all resource items are not DNS resolvable; otherwise, the app tunnel continues to work with resource items that are DNS resolvable.
457149-1 : Remotely authenticated users may still obey local password policy
Component: TMOS
Symptoms:
If a local password policy with password expiry is set, even remotely authenticated users are subject to the password policy. This may disallow users whose password has been remotely authenticated but who have an expired password.
Conditions:
Local password policy is set, but remote authentication used.
Impact:
some users may be locked out after the password policy expires their password.
Workaround:
Do not use a local password policy with remote authentication.
Fix:
User created when remote auth is configured will not have password expiry applied.
457109-3 : Traffic misclassified and matching wrong rule in CPM policy.
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong rule in Centralized Policy Management (CPM) policy. User traffic is matching either uri or host headers to rules that should not match the header.
Conditions:
This issue is caused by long list of hosts in certain rules resulting in wrong execution of statemachine due to wraparound in shifting.
Impact:
Misclassification and forwarding of traffic.
Workaround:
This issue has no workaround at this time.
Fix:
A range check has now been added to correctly classify and forward traffic in the case of incorrect rules in CPM policies.
456853-2 : DTLS cannot handle client certificate when client does not send CertVerify message.
Component: Local Traffic Manager
Symptoms:
For DTLS, CCS record will be held until all other handshake messages besides Finish are handled. When pcm is set to request, client may not send CertVfy message. BIG-IP system waits for CertVfy until the timeout.
Conditions:
-- Reordered DTLS handshake.
-- Client does not send CertVerify message
Impact:
BIG-IP waits for CertVfy until timeout.
Workaround:
None.
Fix:
This issue no longer occurs.
456766-2 : SSL Session resumption with hybrid handshake might fail
Solution Article: K17351
Component: Local Traffic Manager
Symptoms:
When using SSL session resumption during a hybrid handshake (sslv2 with tls1.0), the resumption might fail.
Conditions:
SSL session resumption is allowed, and is using a hybrid handshake.
Impact:
Session resumption would fail, necessitating a complete handshake to reconnect.
Workaround:
Disable SSL Session Cache
Fix:
SSL Session resumption now works in all expected cases.
456763-2 : L4 forwarding and TSO can cause rare TMM outages
Component: Local Traffic Manager
Symptoms:
In certain rare circumstances using L4 forwarding and TSO, the MSS sizes on client and server sides in combination with internal processing can cause an internal mismatch resulting in a TMM crash.
Conditions:
This applies only when using L4 forwarding virtuals with TSO; additional exact external conditions are still under investigation.
Impact:
This issue causes a failover or TMM outage.
Workaround:
This issue has no workaround at this time.
Fix:
TMM will properly handle cases when the MSS sizes would have led to underflow.
456608-5 : Direct links for frame content, with 'Frame.src = url'
Component: Access Policy Manager
Symptoms:
Direct links in web-application with Portal Access.
Conditions:
Direct links for frame content, when using 'Frame.src = url'.
Impact:
Web-Application misfunction.
Fix:
Correct rewriting for obj.src = some_url was added to support Web Applications.
456573-5 : Sensor read faults with DC power supply
Component: TMOS
Symptoms:
While running BIG-IP v11.5.0 or later on a BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances using DC power supplies, error messages containing the following strings may appear in /var/log/ltm:
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #1 fan-1
err chmand[[####]: 012a0003:3: Sensor read fault for Power supply #1 meas. inlet temp
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 fan-1
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 meas. inlet temp
Conditions:
- BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances
- DC power supplies (FND850 for 10000-series, FND300 for 2000-/4000-/5000-/7000-series)
- Running BIG-IP v11.5.0 or later.
Impact:
These errors result from a mismatch in the list of power supply sensors queried by BIG-IP, and the sensors actually present in a DC power supply.
These errors do not indicate a problem with the power supply in question.
Workaround:
These errors, when occurring under the conditions described, can be safely ignored.
Fix:
Power supply sensor values are successfully read without errors on BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances with DC power supplies.
456413-4 : Persistence record marked expired though related connection is still active
Component: Local Traffic Manager
Symptoms:
A persistence record might be marked expired even though its corresponding connection is still active and passing traffic.
Conditions:
This occurs when using persistence.
Impact:
Persist records disappear in spite of flow activity that is more recent than the persist timeout.
Workaround:
Set the timeout of persist to at least 33 seconds longer than the related flow timeout.
Fix:
Persistence records are maintained when connection and persistence timeouts are with 33 seconds of each other.
456263 : Platform marketing name for B4300 is incorrectly shown as A108
Component: TMOS
Symptoms:
When viewing the hardware information, the name will display as A108 instead of BIG-IP VPR-B4300
Conditions:
Running Viprion B4300 and reviewing the hardware information via one of the management consoles.
Impact:
Incorrect name displayed.
Fix:
Platform marketing name for BIG-IP VPR-B4300 is now correct when viewed from management console.
456175-3 : Memory issues possible with really long interface names
Component: Local Traffic Manager
Symptoms:
When an interface has a very long name, it is possible for various functions to overrun the memory allocated and cause other problems. The other problems will vary, depending on what is running at the time of the memory overrun.
Conditions:
This can occur if the interface is associated with a non-default route domain.
Impact:
Possible loss of client connectivity or random errors possibly resulting in cores. Traffic disrupted while tmm restarts.
Fix:
Long interface names no longer cause issues.
455980-6 : Home directory is purged when the admin changes user password.
Solution Article: K17210
Component: TMOS
Symptoms:
When an admin changes a user's password, the contents of the home directory are purged, that is, the system deletes some or all of the files in that user's home directory.
Conditions:
This happens whenever a user's password is modified. Can also be triggered by an upgrade from 10.x.
Impact:
Some or all of the files in that user's home directory are deleted.
Workaround:
This issue has no workaround for the basic case at this time. However, when this is caused by a 10.x-to-11.x upgrade, the original files can be recovered by booting back into the 10.x boot location and copying them off the system (or by extracting them from a UCS, or by mounting the root lvm volume from the previous boot location).
Fix:
On password change by an admin user for a user, the home directory of the user is left intact.
455840-5 : EM analytic does not build SSL connection with discovered BIG-IP system
Component: Local Traffic Manager
Symptoms:
EM analytic does not build SSL connection with discovered BIG-IP system.
Conditions:
When using management SSL client profile.
Impact:
EM analytic cannot connect to discovered BIG-IP system.
Fix:
Enterprise Manager analytics now works with BIG-IP systems running version 11.5.0 or later.
455762-3 : DNS cache statistics incorrect
Solution Article: K17094
Component: Local Traffic Manager
Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.
Conditions:
Any DNS Cache might see this issue.
Impact:
DNS Cache Statistics are listed as higher than they should have been.
Workaround:
This issue has no workaround.
Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.
455651-6 : Improper regex/glob validation in web-acceleration and http-compression profiles
Solution Article: K40300934
Component: TMOS
Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.
Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.
Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.
Workaround:
None.
Fix:
The parsing of regex and glob patterns has been improved for consistent behavior across MCP and TMM.
455553-8 : ICMP PMTU handling causes multiple retransmissions
Component: Local Traffic Manager
Symptoms:
When an improperly large TCP Maximum Segment Size (MSS) triggers ICMP PMTU messages, TCP responds by resending
the entire send queue with the new MSS.
Conditions:
This occurs when you configure a path with an MTU less than 1500 Bytes and attempt a file transfer with initcwnd greater than 1.
Impact:
Large amounts of duplicate retransmission.
Fix:
No multiple retransmission of the entire send queue when the MSS size is improperly large.
455286-2 : BIG-IP might send both session ID and server certificate during renegotiation
Component: Local Traffic Manager
Symptoms:
When the BIG-IP initiates renegotiation, it might send both the session ID and the server certificate. This will cause the client to alert() with `unexpected message'
Conditions:
BIG-IP initiates renegotiation.
Impact:
The SSL connection will fail.
Workaround:
None.
Fix:
If BIG-IP intends to do a complete handshake it will not send a session ID. This is correct behavior.
455264-2 : Error messages are not clear when adding member to device trust fails
Solution Article: K54105052
Component: TMOS
Symptoms:
If you cannot reach the IP address of a device that you are adding to a device trust then the error message does not properly display in the GUI. For some errors the message is empty and for some errors the message contains unformatted xml data.
Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.
Impact:
User cannot be sure what the problem with adding the device really is.
Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.
Fix:
During trust initiation when the peer is unreachable, the system now posts the error message is "This device is not found."
455006-6 : Invalid data is merged with next valid SIP message causing SIP connection failures
Solution Article: K50532341
Component: Service Provider
Symptoms:
SIP phone connections fail.
Conditions:
SIP over UDP.
Impact:
SIP phone connections fail.
Workaround:
Create a packet filter to discard the invalid UDP datagrams.
Fix:
Invalid UDP datagrams that interfered with SIP processing are now dropped.
454784-2 : in VPE %xx symbols such as the variable assign agent might be invalidly decoded.
Component: Access Policy Manager
Symptoms:
in VPE %xx symbols might invalidly decode
If user assignment string contains percent encoded symbols like: "%60", "%7E", "%21", "%40", "%23" etc
Saved string is written properly but re-readed and displayed as character "`", "~", "!", "@", "#"
Therefore new saving might cause uneeded re-encoding of such symbols
Conditions:
Variable assign agent. Assigned string contains %xx symbol
Impact:
Medium. Customer is confused and might not be able to modify saved and then loaded string
Workaround:
1. Direct bigip.conf editing
2. Saving proper string in other location and copy paste before modification so %xx encoded symbols would stay preserved
Fix:
Issue fixed, encoding doesn't reencode/redecode symbols anymore.
454583-4 : SPDY may cause the TMM to crash if it aborts while there are stalled streams.
Component: Local Traffic Manager
Symptoms:
If SPDY has a stalled stream and it is being aborted, it may cause the TMM to crash due to referencing cleared state.
100 Continue messages appeared in response bodies. 100 Continue responses sent in the same packet as the response could stall the stream.
Conditions:
SPDY aborts due to a miss-ordered event. SPDY then sees egress, and marks the stream as stalled. SPDY aborts the connection to the client, and marks the stream as unknown. Finally, the stream aborts again and dereferences the NULL pointer to the client when it tries to unstall itself.
A 100 Continue message in a response, either by itself, or in the same packet as the response body.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
Fix:
SPDY will no longer cause a TMM crash when it aborts, followed by egress, followed by a second abort.
SPDY will handle 100 Continue messages correctly by ignoring them.
454492-2 : Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures
Component: Local Traffic Manager
Symptoms:
BIG-IP uses SHA1 in handshake signature, even though the client indicates support for stronger hash algorithms.
Conditions:
When BIG-IP acts as TLS server (applies to clientssl SSL Profile):
- SSL Profile "SSL Sign Hash" set to ANY. The use of other choices is not recommended.
- Client sends signature_algorithms extension that includes SHA256.
- ECDSA X.509 certificate has additional logic. If the TLS client doesn't send signature_algorithms, BIG-IP will choose SHA256.
Impact:
The updated code respects client signature_algorithms extension. If possible, BIG-IP now prefers SHA256 in the handshake signature based on the content of the signature_algorithms extension.
BIG-IP further upgrades the hash algorithm to SHA384 from SHA256 when P-384 is used, e.g. when P-384 ECDSA X.509 certificate is used in the handshake. This additional enhancement only applies to the code base starting from 12.0; it was not ported to the 11.x code base.
The signature_algorithms extension is defined in TLS 1.2. It's not not present in prior versions of the protocol.
This logic attempts to avoid the use of SHA1 in TLS handshake, whenever possible. This change does not affect signatures used in X.509 certificates as these signatures are created by the X.509 CAs and not by BIG-IP.
The only time SHA1 will be used in the handshake signature is when either of the following is true:
- RSA key is used and the signature_algorithms extension is missing or
- signature_algorithms is present and only lists SHA1.
These conditions are expected to not hold for modern TLS clients, resulting in the upgrade to the SHA256 or better.
Behavior Change:
Respect client signature_algorithms extension. If possible, prefer SHA256 in handshake signature.
454392-1 : Added support for BIG-IP 10350N NEBS platform.
Component: TMOS
Symptoms:
N/A
Conditions:
N/A
Impact:
N/A
Fix:
This release adds support for the BIG-IP 10350N NEBS platform.
454086-4 : Portal Access issues with Firefox version 26.0.0 or later
Solution Article: K15832
Component: Access Policy Manager
Symptoms:
Using Firefox version 26.0.0 or later with some web-applications can fail. The page may stop loading and/or rendering page.
Conditions:
Firefox version 26.0.0 or later, asynchronously loaded script which works with cookies and DOM in same time.
A good example is google analytics script in the page.
Impact:
Web-application stops loading/rendering.
Workaround:
No general workaround.
Fix:
When using portal access on Firefox with some applications, the browser would go into deadlock. This no longer occurs.
454071-1 : 'Show all' button has no effect or becomes hidden for short period of time
Component: Application Visibility and Reporting
Symptoms:
If you update the time scale with your mouse when looking at AVR statistics, a 'Show all' button will momentarily appear, then disappear after a few seconds. Clicking it does nothing. The button is not supposed to appear at all.
Conditions:
This occurs when viewing any statistics in Statistics :: Analytics and changing the time scale.
Impact:
Show All button appears but does not persist, and clicking Show All does nothing
Workaround:
Manually extend the time range to the full scope of time you wish to see
Fix:
The Show All button has been removed from the analytics pages.
454018-6 : Nexthop to tmm0 ref-count leakage could cause TMM core
Solution Article: K16540
Component: Local Traffic Manager
Symptoms:
Each use of the interface tmm0 for inter-TMM communication is supposed to increment its count of nexthop references. When the use of the interface is expired, the reference count is supposed to decrement, but in this case, the reference count is not decremented.
Conditions:
This occurs when TMM runs over an extended period of time, and internal communication between TMMs over tmm0 is heavy during the period.
Impact:
Reference count leaks, which causes the count to monotonically increase, which eventually might cause TMM to crash and restart.
Workaround:
This issue has no workaround.
Fix:
The nexthop reference count of the interface tmm0 is thoroughly examined and corrected, so it no longer leaks ref counts.
453949-3 : small memory leak observed in audit_forwarder
Component: TMOS
Symptoms:
some small memory leak observed in audit_fowarer
Conditions:
Audit_forwarder is used, especially in some error conditions.
Impact:
memory usage of audit_forwarder increases at a very slow pace.
Fix:
No more memory leak observed after fix.
453720-6 : clientssl profile validation fails to detect config with no cert/key name and no cert/key★
Component: Local Traffic Manager
Symptoms:
The system does not prevent creation of a clientssl profile with no cert-key-chain name and no cert/key (or a cert/key of 'default'), and does not post an error alerting the user to the condition. The system creates the profile without error. This can cause issues when upgrading.
Conditions:
This occurs when attempting to create a clientssl profile without a cert-key-chain name or cert/key, or a cert/key of 'default'. Note: The system should prevent this, but does not do so in versions 11.5.1, 11.5.2, or 11.5.3.
Impact:
The system incorrectly allows a blank cert-key-chain name and an empty cert/key in clientssl profiles. When upgrading such a profile to versions 11.5.4, 11.6.0, 12.0.0, or later, the configuration fails to load with a message similar to the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Workaround:
Use the following steps to work around this issue:
-- To correct the configuration, run the following command: sed -ie '/"" { }/d' /config/bigip.conf.
-- To load the modified configuration, run the following command: tmsh load sys config.
Note: To determine whether profiles are affected, run the following command: grep '"" { }' /config/bigip.conf -A2 -B1. On affected profiles, the system returns the following output: cert-key-chain { "" { }.
Fix:
The system now presents an error message when attempting to create a clientssl profile without a cert-key-chain name and a cert/key (or a cert/key of 'default'), and prevents the creation of the profile, so potential upgrade failures no longer occur.
453640-2 : Java core when modifying global-settings
Component: Device Management
Symptoms:
While modifying global settings, java cores.
Conditions:
This is a general problem related to low stack size, but was observed during internal testing of /sys global-settings.
Impact:
java crashes.
Fix:
JVM's default stack size per thread has been increased to 384KB
453489-3 : userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN
Component: TMOS
Symptoms:
Error messages indicating userauth_hostbased mismatch are posted.
Conditions:
VIPRION-based system or VIPRION-hosted vCMP guest. This also occurs on a single slot.
Impact:
The sshd userauth_hostbased mismatch messages are innocuous only if they appear for the client sending one of the following: localhost, localhost.localdomain, slot1, slot2, slot3, slot4, slot5, slot6, slot7, or slot8. The system might post warning messages from sshd similar to the following: userauth_hostbased mismatch: client sends slot1, but the system resolves 127.3.0.1 to 127.3.0.1.
Workaround:
None.
Fix:
The system no longer posts extraneous warning messages caused by SSH connections from peers on the 127.0.0.0/8 subnet.
453455-9 : Added support of SAML Single Logout to Edgeclient.
Component: Access Policy Manager
Symptoms:
SAML single logout does not work on BIG-IP Edge Client. The BIG-IP (as IdP) system shows the session as active.
Conditions:
Edge client, BIG-IP as SAML.
Impact:
Edge client logout doesn't function correctly.
Workaround:
none
Fix:
SAML single logout is now supported on BIG-IP Edge Client.
452900-3 : IP iRules may cause TMM to segfault in low memory scenarios
Component: Local Traffic Manager
Symptoms:
TMM may core during low memory conditions when executing iRules containing the following commands:
IP::local_addr
IP::remote_addr
IP::client_addr
IP::server_addr
Conditions:
No memory available to allocate IP iRule objects.
Impact:
TMM will be restarted.
Workaround:
This issue has no workaround.
Fix:
Memory allocations are verified when using the following iRules:
IP::local_addr
IP::remote_addr
IP::client_addr
IP::server_addr
452659-1 : DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
Component: Local Traffic Manager
Symptoms:
DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
Conditions:
Any action that causes a the DNS Express zone database to be updated, including zone creation, deletion or zone transfer.
Impact:
Other DNS Services may stop working.
Workaround:
Restarting tmm will resolve the issue temporarily, until the next update. If DNS Express is not being used, removing any DNS Express config will prevent this issue from triggering.
Fix:
An issue with ann unclosed file descriptor that was impacting DNS Express zone modification has been fixed.
452656-4 : NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'
Component: TMOS
Symptoms:
NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'.
Conditions:
The sys db variable tm.tcplargereceiveoffload is set to 'enable'.
Impact:
NVGRE tunnel traffic might stall.
Workaround:
Set the sys db variable tm.tcplargereceiveoffload to 'disable'. The default value of this variable is 'disable', so it is very unlikely that you will encounter this error condition in normal operating conditions.
Fix:
NVGRE tunnel traffic no longer stalls when the sys db variable tm.tcplargereceiveoffload is set to 'enable'.
452527-2 : Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
Solution Article: K17178
Component: Access Policy Manager
Symptoms:
Limited/normal user cannot pass Machine Cert Auth through 'Successful' branch if Agent is configured to match certificate by any condition except Match FQDN.
Conditions:
Machine Cert Auth agent configured to match certificate by any condition except Match FQDN.
Current user has no rights to access private key directly (that means elevation or service is required).
Impact:
User cannot pass Machine Cert Authorization.
Fix:
Fixed issue that caused Machine Cert Checker service to always work in "Match Subject CN to FQDN" mode.
452487-5 : Incremental sync causes incorrect accounting of member count of pools
Component: TMOS
Symptoms:
If a sync-compatible pool is created and given pool members, pushing that sync operation will cause the member count to be incorrect on all other devices.
Conditions:
This only affects device groups where incremental sync is in use.
Impact:
The number of pool members will be displayed incorrectly at various points (GTM statistics, the ltmPoolMemberCnt SNMP variable, and the GUI).
Workaround:
Perform a sync between the creation of the pool and the pool members.
Fix:
The pool member count is now always calculated accurately, even across configuration synchronizations.
452464-6 : iClient does not handle multiple messages in one payload.
Solution Article: K28271912
Component: Access Policy Manager
Symptoms:
iClient does not handle multiple messages in one payload leading to possible memory leak symptoms.
Conditions:
If by chance multiple messages arrive as one from the BIG-IP Edge Client.
Impact:
Possible memory leak symptoms.
Workaround:
This issue has no workaround at this time.
Fix:
If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.
452443-3 : DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
Component: Local Traffic Manager
Symptoms:
DNS cache resolver or validating resolver does not function properly and fails to resolve DNS requests.
Conditions:
BIG-IP system is using non-default cmp hashes configured on its egress VLANs.
Impact:
It is difficult to both use non-default cmp hashes on system VLANs and use a DNS cache resolver on the same BIG-IP system.
Workaround:
Configure a separate VLAN for the cache resolver's use that uses the default cmp hash. Set the system's default route to direct resolver traffic to this VLAN. This VLAN can be placed in a new route domain, if other features require route domain zero's default route pointing elsewhere.
Fix:
DNS cache resolver or validating resolver now functions properly, successfully resolving DNS requests when using non-default cmp hashes configured on its egress VLANs.
452439-4 : TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
Solution Article: K15574
Component: Local Traffic Manager
Symptoms:
There is a bug caused by race condition in the library used by the AFM Sweep/flood feature. When the Sweep/flood feature is enabled, if one TMM process has multiple threads, one thread may attempt to access the memory released by another thread at some time. In this situation, TMM may crash due to access an invalid memory segment.
Conditions:
(1) AFM sweep/flood enabled
(2) A single TMM process has multiple threads.
(3) race condition occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable thread or disable sweep/flood
Fix:
TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.
452416-6 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
Component: Access Policy Manager
Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.
Conditions:
The issue occurs after a blade or tmm of a blade restarts.
Impact:
Incorrect stats only. No impact to fuctionality.
Fix:
The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.
452318-2 : Apache Commons FileUpload vulnerability CVE-2014-0050
Solution Article: K15189
452246-4 : The correct cipher may not be chosen on session resumption.
Solution Article: K17075
Component: Local Traffic Manager
Symptoms:
During session resumption, the same cipher must be used as was during the original session. If the original session negotiates cipher A, and the resumed clienthello contains cipher A and B, the BIG-IP system might choose cipher B, which is incorrect.
Conditions:
The original ClientHello contains a different cipher list from the resuming one, and the resuming one contains a stronger cipher than was originally chosen.
Impact:
Not strictly RFC compliant.
Workaround:
This issue has no workaround.
Fix:
When the original ClientHello and resuming ClientHello contain different ciphers, if the original cipher is in the resuming ClientHello it will be chosen and the session resumed, otherwise a full handshake will be used.
452163-1 : Cross-domain functionality is broken in AD Query★
Component: Access Policy Manager
Symptoms:
Cross-domain functionality is broken in AD Query agent due to DNS resolving library upgrade.
Conditions:
AD Query is configured with cross-domain option enabled.
Impact:
Users from trusted domains cannot pass access policy because AD Query agent failure.
Fix:
AD Query parses DNS response properly and cross-domain functionality works as expected.
452010-4 : RADIUS Authentication fails when username or password contain non-ASCII characters
Solution Article: K16609
Component: Access Policy Manager
Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters.
The problem is caused due to failure in conversion from UTF-8 to Windows-1252.
Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.
Impact:
Users are not able to log in.
Workaround:
There is no workaround for this issue.
Fix:
Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).
451960-3 : HTTPS monitors do not work with FIPS keys
Component: Local Traffic Manager
Symptoms:
If HTTPS monitor is configured with FIPS key, the monitor connection to the backend server is unsuccessful and consequently, the corresponding pool is marked down.
Conditions:
BIG-IP FIPS platforms (except 6900F, 8900F) using FIPS keys with HTTPS monitor(s).
Impact:
Pool is incorrectly marked down.
Workaround:
This issue has no workaround.
Fix:
Monitors configured with FIPS keys now work and the pool status is marked correctly.
451602-6 : DPD packet drops with keyed VLAN connections
Component: TMOS
Symptoms:
The DPD (Dead Peer Detection) packets are dropped after the IPsec tunnel is up. This occurs because the BIG-IP system drops DPD packets because keyed VLAN connections are enabled. The system tries to match the VLAN ID along with other parameters for DPD packets.
Conditions:
Enable keyed VLAN connections and bring up IPsec tunnel.
Impact:
The tunnel does not stay up because of the DPD failure. The match should be done for the host interface instead of the actual VLAN interface.
Workaround:
None.
Fix:
Changed the interface match to look up host interface instead of VLAN interface.
451494-1 : SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
Component: TMOS
Symptoms:
You are unable to create an SSL key/certificate in partition other than Common, with Subject Alternative Name (SAN)
Conditions:
In a partition other than Common, create a new SSL key/certificate with SAN.
Impact:
SSL key/certificate is not created.
Workaround:
Use tmsh to create an SSL key/certificate with SAN in a partition other than Common.
Fix:
You can now create an SSL Key/Certificate in partition other than Common, with Subject Alternative Name (SAN).
451469-3 : APM User Identity daemon doesn't generate core
Component: Access Policy Manager
Symptoms:
OMAPD is a daemon that stores all the IP->User mappings. It doesn't seem to generate cores. It will be hard to debug issues when it crashes.
Conditions:
Always
Impact:
Cores will not be generated.
Fix:
OMAPD now generates core files making debugging easy.
451433-2 : HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
Component: TMOS
Symptoms:
Combining HA group with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe results in traffic going to failed device.
Conditions:
HA-group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.
Impact:
Because the HA Group score might favor the failed device, there could be no active traffic group on any device.
Workaround:
Replace the failover VLAN or Gateway with an HA group. Note: HA group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.
Fix:
If a device goes to standby due to a failsafe operation, the HA Group Scores on that device are forced to zero, so that the traffic groups can become active on an active device. This is the correct behavior.
Behavior Change:
In the previous code, if a user configured both HA Group Score and an HA Failsafe, when the failsafe triggered, all traffic groups on the failed device would transition to Standby. However, the group score for that device would remain at the prior value so that the traffic group would not become active on another device. The result was a traffic group that was not active on any device.
With this change, the traffic group score on the failed device is forced to 0, since the failsafe condition indicates that the device is not acceptable to host any traffic group. The HA Group scoring algorithm then activates the traffic group on the best remaining non-failed device.
451301-2 : HTTP iRules break Citrix HTML5 functionality
Component: Access Policy Manager
Symptoms:
HTTP iRules break Citrix HTML5 functionality.
Conditions:
This issue occurs when HTTP iRule is used on the Citrix HTML5 virtual server.
Impact:
Citrix HTML5 functionality breaks
Workaround:
Use "priority 1" for HTTP iRules.
Fix:
Now HTTP iRules do not affect Citrix HTML5 functionality.
451224-2 : IP packets that are fragmented by TMM, the fragments will have their DF bit
Component: Local Traffic Manager
Symptoms:
IP packets that are fragmented by TMM, the fragments will have their DF bit set if tm.pathmtudiscovery is set to enable (this is the default setting for this dbvar). This is perfectly compliant with RFC standards, and it is the correct thing to do.
Conditions:
IP packet that needs to be fragmented by TMM due to MTU restriction on the egress VLAN/interface. Non RFC compliant downstream switches that do not want to see the DF bit set in IP fragments.
Impact:
Non-RFC compliant switches by other vendors may reject a fragment with DF bit leading to packet being dropped or treated as a bad packet by them.
Workaround:
Setting tm.pathmtudiscovery to disable results in DF bit not being set on the fragments.
Fix:
tm.pathmtudontfragoverride dbvar introduced. If the value is changed from 'disable' (this is the default) to 'enable', then DF bit will not be set in IP fragments generated by TMM.
451211-3 : Error using GUI when setting debug option on GTM SIP monitor.
Component: Global Traffic Manager (DNS)
Symptoms:
Error using GUI to set the debug option on GTM SIP monitor.
Conditions:
This occurs when no headers are configured for GTM SIP monitors.
Impact:
Cannot set debug using the GUI. System posts the following error: An error has occurred while trying to process your request.
Workaround:
Use tmsh to set the debug option for GTM SIP monitors.
Fix:
This release fixes an error that occurred when no headers were configured for GTM SIP monitors.
451118-8 : Fixed mistakes in French localization
Component: Access Policy Manager
Symptoms:
French localization contains mistakes
Conditions:
French locale configured on user machine
Impact:
User observes incorrect translation
Fix:
Mistakes in French localization were fixed.
451089-1 : ASM REST: Incorrect/Duplicate REST id for policy after a copy is made
Component: Application Security Manager
Symptoms:
When comparing two policies using Policy Diff, the system might make a copy of the policies being compared. When this happens, the copy will carry the same REST ID as the original policy.
This will confuse REST clients and block BIG-IQ discovery.
Conditions:
-- Compare two policies using Policy Diff.
-- The system creates a copy.
Impact:
The copy will carry the same REST ID as the original policy.
This will confuse REST clients and block BIG-IQ discovery.
Workaround:
Export the copied policy, delete the duplicate copy, and import the policy again.
Fix:
Copied policies now are correctly assigned a new REST ID.
451059-8 : SSL server does not check and validate Change Cipher Spec payload.
Component: Local Traffic Manager
Symptoms:
SSL server does not check and validate Change Cipher Spec payload.
Conditions:
This issue occurs when a clientssl profile is used.
Impact:
There is no impact to this issue.
Workaround:
This issue has no workaround.
Fix:
clientssl profile (SSL server) now checks the Change Cipher Spec payload received from the SSL client, and ensures that the Change Cipher Spec payload is a single byte of value '1'.
450814-9 : Early HTTP response might cause rare 'server drained' assertion
Component: Local Traffic Manager
Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.
Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client.
A filter other than HTTP is also required on the chain.
Impact:
The system posts a 'server drained' assertion and traffic is disrupted.
Workaround:
None, however, this issue occurs very rarely.
Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.
450779-1 : PEM source or destination flow filter attempts match against both source and destination IPs of a flow
Component: Policy Enforcement Manager
Symptoms:
In the event that the source and destination IPs fall in the same range, it is possible that a source-IP (or destination-IP) based flow-filter may match against the destination-IP (or source-IP) of the packet resulting in potentially wrong flows receiving a policy.
Conditions:
Source and Destination networks must have overlapping prefix(es)
Impact:
A wrong flow may have inappropriate policies applied to it.
Fix:
The bug is fixed and given to the customer as 11.5.0-18 HF.
450765-1 : tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD
Component: Local Traffic Manager
Symptoms:
TMM segmentation fault in hud_mptcp_handler when servicing HUDCTL_PERFORM_METHOD.
Conditions:
This happens when "tmsh show sys conn" command issued with connections in "forwarding" state.
Impact:
The tmm will crash and restart.
Workaround:
Do not issue "tmsh show sys conn" command.
Fix:
This problem is fixed by proper connection queue usage.
450314-1 : Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with object field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with objects containing fields with reserved keywords as a name, for example:
a.default = 1;
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
It is possible to use iRule to rename field names in original code.
Fix:
Now JavaScript with reserved keywords as field names is handled correctly by Portal Access.
449848-5 : Diameter Monitor not waiting for all fragments
Component: Local Traffic Manager
Symptoms:
When the server returns response in two fragments, the Diameter monitor sends an ACK for the first fragment followed by a FIN and then a reset.
Conditions:
Server returns response in two fragments.
Impact:
Pool member is marked down.
Workaround:
None.
Fix:
Diameter Monitor now handles fragments as expected.
449643-2 : Error message 'Gx uninit failed!' and 'Gy unint failed!' received during boot of the system
Component: Policy Enforcement Manager
Symptoms:
During booting of the system, error message "Gx uninit failed!' and 'Gy unint failed!' is received repeatedly.
Conditions:
-- Gx or Gy is not licensed for PEM to use.
-- Rebooting the system.
Impact:
Undesired error message is received.
Workaround:
None.
Fix:
In debug mode only, the system posts 'Gx not initialized' or 'Gy not initialized' for the purpose of alerting users to unlicensed Gx and Gy.
449525-1 : apd and apmd constantly restarting
Component: Access Policy Manager
Symptoms:
If mcpd fails to start for some reason, apd and apmd will continuously crash. Symptoms in /var/log/ltm: err tmsh[892]: 01420006:3: "apm" unexpected argument and there will be an apmd and apd core.
Conditions:
This occurs if mcpd fails to start or crashes on the standby.
Impact:
Multiple core files, system will not pass traffic
Fix:
Fixed a condition where apd and apmd would try to start if mcpd was not running.
449231-1 : ASM REST: Updating multiple items in a list only make one change
Component: Application Security Manager
Symptoms:
When attempting to add several items to a list (ex. urlContentProfiles for urls), the one of the new values is added to the list.
Conditions:
ASM REST is used to PATCH a resource to add/update multiple items in an array field.
Impact:
The resource is not updated as expected and Policy enforcement may not be as expected.
Workaround:
Send the same request multiple times, or make only one modification at a time.
Fix:
List values are now correctly updated via ASM REST.
448493-11 : SIP response from the server to the client get dropped
Component: Service Provider
Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.
Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in SIP_RESPONSE event in the iRule to direct the SIP response from the server.
Impact:
Some SIP flows do not complete, which affects the SIP clients.
Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.
Fix:
iRules node/snat command in the iRule SIP_RESPONSE event now works correctly.
448409-5 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
Solution Article: K15491
Component: TMOS
Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect.
Conditions:
This affects the ConfigSync communication channel if configured.
Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.
Workaround:
You can avoid this issue by using the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.
Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.
447570-1 : tmm sigsegv
Component: Traffic Classification Engine
Symptoms:
A tmm crash was encountered during normal operation.
Conditions:
It is not known all of the conditions that trigger this, but it is related to use of the internal string cache in certain deployments such as PEM and LTM's DNS resolver.
Impact:
Traffic disrupted while tmm restarts.
447565-4 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Solution Article: K33692321
Component: Access Policy Manager
Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.
Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.
Impact:
End users will be unable to connect.
Workaround:
Correct the problem by running the following command:
bigstart restart eca.
447483-7 : CVE-2014-3959
Solution Article: K15296
447364-2 : BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
Component: TMOS
Symptoms:
When booting a BIG-IP device, or performing a hot swap operation of one of its power supplies, the following kind of log messages may be displayed for a brief time:
localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=115 sub_obj=0 slot_id=ff result=24 len=0 crc=6576 payload= (error code:0x24)
localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=16f sub_obj=1 slot_id=ff result=1 len=0 crc=acaf payload= (error code:0x1)
These messages should not persist, and when a real error occurs it should be accompanied by additional warnings and alerts from the system.
Conditions:
The condition occurs when the sensor monitoring process tries to obtain information from power supply model types that are supported but not actually installed. It does this until it discovers the actual model type installed, or that no power supply is installed. The specific conditions under which this is likely to happen are when the BIG-IP software is re-started or a power supply is changed while the system is running.
Impact:
A few additional log messages that indicate a warning when there is no legitimate failure.
Workaround:
None. This is cosmetic.
Fix:
BIG-IP no longer logs getLopSensorData warnings with error code 0x24 for newly-inserted power supplies (PSUs).
447272-4 : Chassis with MCPD audit logging enabled will sync updates to device group state
Solution Article: K17288
Component: Local Traffic Manager
Symptoms:
If mcpd audit logging is enabled on a chassis, updates to device group state will be recorded on every configuration change, even if CMI is not configured or no synchronizable object was modified.
Conditions:
This only applies on chassis systems with at least one secondary blade, and the log messages only appear if mcpd audit logging is enabled.
Impact:
Updates to device group state will be recorded on every configuration change.
Workaround:
This issue has no workaround at this time.
Fix:
If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes.
447075-3 : CuSFP module plugged in during links-down state will cause remote link-up
Component: TMOS
Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state.
A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.
Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades.
However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products).
BIG-IP appliances which do NOT employ a Broadcom hardware switch include:
BIG-IP 2000-/4000-series appliances.
Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.
Workaround:
You may work around this problem by any of the following methods:
1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device.
2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP.
3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.
Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.
447043-11 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
Solution Article: K17095
Component: Local Traffic Manager
Symptoms:
Cannot express conditions such as 'user-agent contains 'Android' AND 'Mobile'. LTM policies have operands that can be matched against a set of values, causing a match when the operand matches one of these values. There is no way to use current functionality to match all of the values. One specific situation in which this is needed is to configure 'contains'.
Conditions:
Specify an ltm rule with 2 conditions with the same operand and match type, for example:
conditions {
0 {
http-header
name User-Agent
contains
values { Android }
}
1 {
http-header
name User-Agent
contains
values { Mobile }
}
Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.
Fix:
LTM policies now allow for rules to have multiple conditions on the same operand and same match type so that 'user-agent contains 'Android' AND 'Mobile' can now be expressed by specifying:
conditions {
0 {
http-header
name User-Agent
contains
values { Android }
}
1 {
http-header
name User-Agent
contains
values { Mobile }
}
446860-6 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
Component: Access Policy Manager
Symptoms:
APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to login to APM with large POST body)
Conditions:
ActiveSync client large POST body tries to log into APM.
Impact:
ActiveSync client with large POST body cannot log in even when tmm.access.maxrequestbodysize DB variable is configured
Workaround:
This issue has no workaround at this time.
Fix:
Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable.
Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support.
The maximum supported value is 25000000 (25MB).
446830-2 : Current Sessions stat does not increment/decrement correctly.
Component: Local Traffic Manager
Symptoms:
Current Sessions stat does not increment/decrement correctly.
Conditions:
On a virtual server with an HTTP filter, if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response, the pool member's cur_sessions stat is incremented but not decremented.
Impact:
Difficult to determine an accurate number of Current Sessions. Current Sessions stat appears unexpectedly large, for example, Current Sessions : 18446744073709551615, rather than as expected, Current Sessions : 0.
Workaround:
None.
Fix:
On a virtual server with an HTTP filter, Current Sessions stat now increments/decrements correctly if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response.
446755-5 : Connections with ramcache and clientssl profile allowing non-SSL traffic may stall
Solution Article: K70440102
Component: Local Traffic Manager
Symptoms:
Connections with both ramcache and clientssl profile allowing non-SSL traffic connection may stall under certain unusual conditions.
Conditions:
Virtual server with ramcache and clientssl profile allowing non-SSL traffic.
Impact:
The connection stalls until reset by the client or expired by the sweeper. The client may see a response from the server.
Workaround:
No practical workaround.
Fix:
Connections no longer stall on virtual servers with ramcache and clientssl profile allowing non-SSL traffic.
446493-3 : foreign key index error on local traffic-only group★
Component: TMOS
Symptoms:
When running the load verify command (tmsh load sys config verify) on a scf file, an error is thrown: 01070712:3: Values (/Common/traffic-group-local-only) specified for self IP (/Common/10.7.7.3_24): foreign key index (traffic_group_fk) do not point at an item that exists in the database.
Unexpected Error: Validating configuration process failed.
However, the config will still successfully load when the verify parameter is not specified.
Conditions:
Running tmsh load sys config file verify on a scf file with a local traffic group in it. traffic-group-local-only groups are not loaded during config verify which triggers the error.
Impact:
Config verify fails.
Workaround:
If there are otherwise no other errors in the configuration, it should be able to load successfully using tmsh load sys config file filename.
Fix:
Running tmsh load sys config file verify no longer throws a foreign key error on traffic-only group.
445984-1 : Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1"
Component: Advanced Firewall Manager
Symptoms:
Wrong overlapping status is shown if there are rules with source or destination port range that begins with "1" configured in the system.
Conditions:
Firewall rules with source or destination port range that begins with "1" configured in the system.
Impact:
Rules that are not overlapped or conflicting will be shown as overlapped or conflicting.
Fix:
Fix the overlapping detection function to properly handle the port ranges.
445633-2 : Config sync of SecurID config file fails on secondary blades
Component: TMOS
Symptoms:
If APM is provisioned, after uploading a new SecurID config file via the GUI, mcpd restarts and fails to sync on device group peers.
Conditions:
This happens on a device group peer with APM provisioned, only after using the GUI to update the SecurID configuration. This can also happen on chassis secondary blades.
Impact:
The peer receiving the sync restarts mcpd, which in turn restarts several other daemons. The peer never receives the config file properly.
Workaround:
Use tmsh: tmsh modify apm aaa securid <name> config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.
Fix:
The fix changes the behavior of transactions. Previously, if a single transaction contained a delete operation and a modify of the object just deleted, the outcome was that the object was deleted and the modify was silently ignored. This was different behavior from a delete followed by a create, which ignored the delete and internally modified the object. Since that modify is sent to the peer as a modify, the object must have the same behavior as a delete-plus-create operation. So the new behavior is that, when a single transaction contains a delete followed by a modify of the same object, then the delete is ignored and the modify is applied.
Behavior Change:
With this release, there is a change to the behavior of transactions. Previously, if a single transaction contained a delete operation and a modify of the object just deleted, the outcome was that the object was deleted and the modify was silently ignored. This was different behavior from a delete followed by a create, which ignored the delete and internally modified the object. Since that modify is sent to the peer as a modify, the object must have the same behavior as a delete-plus-create operation. So the new behavior is that, when a single transaction contains a delete followed by a modify of the same object, then the delete is ignored and the modify is applied.
445483-2 : SSO does not work with Password with '+' character for Citrix Storefront integration mode
Component: Access Policy Manager
Symptoms:
A password containing a '+' (plus) character is not accepted, and authentication error is shown to the end-user.
Conditions:
Virtual server is configured in Citrix integration mode.
Storefront is configured in Passthrough gateway authentication mode.
Impact:
Password with special character '+' can not be used.
Workaround:
Use password with no '+' character.
Fix:
Accept password with '+' character correctly.
445471-1 : DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
Component: Local Traffic Manager
Symptoms:
DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
Conditions:
Any action that causes a the DNS Express zone database to be updated, including zone creation, deletion or zone transfer.
Impact:
Other DNS Services may stop working.
Workaround:
Restarting tmm will resolve the issue temporarily, until the next update. If DNS Express is not being used, removing any DNS Express config will prevent this issue from triggering.
Fix:
An improperly handled file descriptor caused the issue. This file description is now properly closed preventing the problem.
445329-2 : DNS cache resolver connections can be slow to terminate
Solution Article: K17273
Component: Local Traffic Manager
Symptoms:
An excessive number of DNS cache resolver connections can build up if local configuration errors (routing, interfaces, VLANs) exist.
Conditions:
Local networking configuration errors exist.
Impact:
An excessive number of outbound DNS cache connections are present.
Workaround:
Ensure default routes for IPv4 and IPv6 are properly configured and operational.
Fix:
Local connection errors now cause immediate connection termination.
445327-1 : OpenJDK 1.7 vulnerabilities
Solution Article: K53146535
444710-8 : Out-of-order TCP packets may be dropped
Component: Local Traffic Manager
Symptoms:
Out-of-order TCP packet will be dropped if it occurs during 3-way handshake.
Conditions:
Client initiates TCP connection to BIG-IP with ACK segment arriving after (i.e., out-of-order) a second packet.
Resultant sequence:
1. Client - BIG-IP : SYN
2. BIG-IP - Client : SYN-ACK
3. Client - BIG-IP : PSH, ACK (w/Segment #2) =-- Out-of-order ; Must be retransmitted.
4. Client - BIG-IP : ACK (w/Segment #1)
Impact:
Packet must be retransmitted by client.
Workaround:
None.
Fix:
Out-of-order segments received before 3WHS is completed are no longer dropped.
443298-3 : FW Release: Incorporate VIPRION 2250 LOP firmware v1.20
Component: TMOS
Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.
Conditions:
The purpose of this change is to integrate a firmware package into the BIG-IP build.
Impact:
None expected.
Workaround:
None.
Fix:
FW Release: Incorporated VIPRION 2250 LOP firmware v1.20 into BIG-IP.
443157-1 : zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db
Component: Local Traffic Manager
Symptoms:
zxfrd might crash when the zone file zxfrd.bin is deleted and zxfrd is restarted.
Conditions:
Manually delete zxfrd.bin and restart zxfrd.
Impact:
The zxfrd daemon might crash.
Workaround:
Never manually delete zxfrd.bin.
Fix:
Manually deleting zxfrd.bin should no longer crash the zxfrd daemon.
442869-7 : GUI inaccessible on chassis when var/log/audit log is full
Component: Local Traffic Manager
Symptoms:
When MCP logging on a chassis is set to Enabled, Verbose, or Debug for Audit Logging, the system sends numerous messages to the var/log/audit log. This causes the log to fill, which might render the GUI inaccessible.
Conditions:
This occurs on chassis only when the Audit Logging option MCP is set to Enabled, Verbose, or Debug.
Impact:
When the var/log/audit log is full, the GUI might become inaccessible.
Workaround:
The workaround is to specify Disabled for the MCP option in Audit Logging (available under the System :: Logs).
Fix:
The primary blade formerly sent a message to all secondaries every second telling them to change the primary selection time. (The actual timestamp is correct and is the same every second.) Over time, this might fill up the audit log. This no longer occurs, and the message is now sent only when the primary actually changes.
442698-9 : APD Active Directory module memory leak in exception
Component: Access Policy Manager
Symptoms:
The APD Active Directory module might leak memory if an exception happens.
Conditions:
exception happens when request is being processed
Impact:
session request failed, apd leaks a memory
Workaround:
NA
Fix:
APD is now more robust and handles exceptions in AD module properly.
442686-1 : DNSX Transfers Occur on DNSX authoritative server change
Component: Local Traffic Manager
Symptoms:
DNS Express authoritative servers do not update zone information when you change the authoritative server for that zone until the next successful zone transfer from the new server.
Conditions:
Create a DNS Express zone and provide an authoritative DNS Express server for that zone, wait for zone transfer to occur, and then change the authoritative server.
Impact:
Data from the original server is still served until the next successful zone transfer from the new server or the zone expires.
Workaround:
Delete and recreate the DNSX zone with the new server information.
Fix:
Changing a DNSX authoritative server for a zone will cause the BIG-IP to stop serving data from the original server and trigger a transfer request to the new server to obtain new data.
442647-4 : IP::stats iRule command reports incorrect information past 2**31 bits
Solution Article: K04311130
Component: Local Traffic Manager
Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.
Conditions:
Transferring more than 2 gigabytes or 2 billion packets on a connection that then uses IP::stats commands in an iRule will show a negative number.
Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.
Workaround:
Upgrade to a fixed version.
Fix:
iRules now uses a 64-bit object
442539-3 : OneConnect security improvements.
Component: Local Traffic Manager
Symptoms:
OneConnect security improvements.
Conditions:
OneConnect security improvements.
Impact:
OneConnect security improvements.
Workaround:
None.
Fix:
OneConnect security improvements.
442528-5 : Demangle filter crash
Component: Access Policy Manager
Symptoms:
Demangle filter crashes with a SIGBUF.
Conditions:
Very long URLs must be used and the demangle filter must be in the chain.
Impact:
HTTP requests with very long URL cannot be processed.
Workaround:
To work around the problem, add this code to the iRule:
when HTTP_REQUEST {
log local0. "Refer length is [string length [HTTP::header Referer] ]"
if { [string length [HTTP::header Referer] ] > 4000 } {
HTTP::header remove Referer
}
}
Fix:
Long URLs (up to 16K long) are handled correctly.
442455-4 : Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.
Component: Local Traffic Manager
Symptoms:
While using the tmsh command or fipskey.nethsm utility to create HSM keys/csr/cert, Locality, Province, Organization names cannot be longer than 15 characters.
While using the tmsh command to create HSM keys/csr/cert, Locality, Province, Organization names, common name cannot process multiple words. The system accepts only the content up to the first space character.
Conditions:
HSM keys/csr/cert, Locality, Province, Organization names, common name are longer than 15 characters or consists of strings separated by space characters.
Impact:
The system truncates field content to 15 characters or to the string up to the first space character.
Workaround:
Use strings shorter than or equal to 15 characters. Use strings without spaces. To use strings containing spaces, quote the entire string and delimit spaces with a backslash character (\). For example, for the string F5 Networks Inc, use this: "F5\ Networks\ Inc". Note that the delimiting slash still counts as a character.
Fix:
You can now create HSM CSR and certificate fields containing space characters and use strings longer than 15 characters for keys/csr/cert, Locality, Province, Organization names, common name fields.
442313-6 : Content length header leading whitespaces should not be counted as digits
Component: Application Security Manager
Symptoms:
A customer has reported that they are seeing a non-trivial number of requests blocked with "HTTP Protocol compliance failed - Unparsable content length".
Conditions:
The customer has a proxy before ASM that adds whitespaces before the content-length.
Impact:
False positive of blocked requests upon content length headers with leading whitespaces.
Workaround:
N/A
Fix:
The system no longer blocks content length headers with leading whitespaces, because it is legal. The system used to issue the "HTTP protocol compliance failed" sub-violation: "Unparsable request content".
442231-1 : Pendsect log entries have an unexpected severity
Component: TMOS
Symptoms:
Pendsect logs non-errors with a 'warning' severity.
Conditions:
This occurs when pendsect is executed.
Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.
Workaround:
None needed. This is cosmetic.
Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.
442157-2 : Incorrect assignment of ASM policy to virtual server
Component: Application Security Manager
Symptoms:
Incorrect assignment of ASM policy to LTM virtual server occurs when it is managed from the
Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Security > Policies screen when the same ASM policy is assigned to multiple LTM virtual servers by the means of a single LTM policy (L7 policy).
Conditions:
ASM is provisioned, and an ASM policy is assigned to multiple LTM virtual servers by the means of a single LTM policy (L7 policy).
Impact:
Changes are applied to all LTM virtual servers that are assigned with the relevant LTM policy (L7 policy) instead of changing only the currently managed LTM virtual server.
Workaround:
Assignment of ASM policies to LTM policies and to LTM virtual can be handled from the following screens:
1) LTM policies:
Local Traffic > Policies > Policy List > <L7_policy_name> > Properties
1) LTM virtuals:
Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Resources
Fix:
The assignment of an ASM policy to an LTM virtual server at from Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Security > Policies is now NOT available when there is a one-to-many relationship between the underlying LTM policy to LTM virtual servers/ASM policies.
In addition, the message 'Manual Configuration (Advanced)' is displayed in the 'Application Security Policy' field on that screen.
441790 : Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms
Component: Access Policy Manager
Symptoms:
Logd core formed while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms.
Conditions:
While executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms.
Impact:
logd restarts.
Workaround:
Run the tmsh command: logd restart.
Fix:
Fixed a threading pitfall that could cause deadlock between DB rotation and loading threads.
441642-4 : /etc/monitors/monitors_logrotate.conf contains an error
Solution Article: K16107
Component: TMOS
Symptoms:
The primary symptom will be unrotated monitor log files. Other symptoms include:
- Error messages:
-- error: /etc/monitors/monitors_logrotate.conf:6 unknown unit 'B'
-- error: found error in /var/log/monitors/*.log , skipping
- No disk space
Conditions:
This occurs in /etc/monitors/monitors_logrotate.conf.
Impact:
Monitor logs will not consider file size for rotation criteria. An email notification is generated periodically, which references an error in /etc/monitors/monitors_logrotate.conf.
Workaround:
edit /etc/monitors/monitors_logrotate.conf to be "size=5M" instead of "size=5MB"
the file should look like this once edited:
/var/log/monitors/*.log {
compress
missingok
notifempty
rotate 7
size=5M
olddir=/var/log/monitors
}
Fix:
Monitor log rotation functionality has been restored, so that emails with error statements sent to the postmaster every 30 minutes have been stopped.
441638-9 : CACHE::header insert fails with 'Out of bounds' error for 301 Cache response
Solution Article: K14972
Component: Local Traffic Manager
Symptoms:
Notice the following log message in /var/log/ltm,
err tmm3[12122]: 01220001:3: TCL error: /Common/set_xcache_header <CACHE_RESPONSE> - Out of bounds (line 1) invoked from within "CACHE::header insert Via F5-CACHE"
Also, notice the missing header in the HTTP response.
Conditions:
1. Enabled Web Acceleration profile
2. Handling CACHE_RESPONSE iRule event
3. 301 response is cached
Impact:
Missing header in the HTTP response
Workaround:
Remove the header insert command from the iRule
Fix:
Keep the cache information in sync with packet data
441613-8 : APM TMUI Vulnerability CVE-2015-8022
Solution Article: K12401251
441214-3 : monpd core dumps in case of MySQL crash
Solution Article: K17353
Component: Application Visibility and Reporting
Symptoms:
When MySQL crashes, the monpd process creates a core dump.
Conditions:
This issue occurs when MySQL crashes or does not start correctly.
Impact:
Reports not available for the duration of MySQL going down.
Workaround:
This issue has no workaround at this time.
Fix:
This release fixes an issue where monpd would intermittently do a core dump due to a MySQL crash, and reports would not be available during the crash.
441100-1 : iApp partition behavior corrected
Component: TMOS
Symptoms:
Since 11.4, iApps have looked for the non-existence of "/Common/cookie" as the indicator of Edge licensing, since cookie persistence is not provided with Edge Gateways. This test reads incorrectly if the iApp is run from a partition other than /Common, and has been replaced with a direct test for the appropriate license features.
Impact:
Affects customers using partitions on BIG-IP in association with the following iapps: f5.http, f5.bea_weblogic, f5.sap_erp, f5.peoplesoft_9, f5.sharepoint_2010, f5.dns, f5.diameter, f5.radius, f5.ldap, f5.oracle_ebs, f5.microsoft_iis.
Workaround:
To workaround, make a copy of the iapp template and change 2 instances of the "set is_edge" statement to "set is_edge 0"
Fix:
Certain iApps now operate normally when executed from an administrative partition. f5.http, f5.bea_weblogic, f5.sap_erp, f5.peoplesoft_9, f5.sharepoint_2010, f5.dns, f5.diameter, f5.radius, f5.ldap, f5.oracle_ebs, and f5.microsoft_iis were affected.
441079-4 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
Solution Article: K55242686
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is modifying the source port on NAT connections.
Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.
Impact:
This impacts any applications where the source port is expected to be preserved.
Workaround:
None.
Fix:
The source port is always preserved for NAT connections.
Behavior Change:
The source port is always preserved for NAT connections.
441075-6 : Newly added or updated signatures are erroneously added to Manual user-defined signature sets.
Component: Application Security Manager
Symptoms:
You encounter unexpected violation when you assign a user defined signature to an unblocking signature set.
Conditions:
This occurs when the signature is added to another blocking signature set simultaneously.
Impact:
'Unexpected' violation occurs
Workaround:
N/A
Fix:
Newly added or updated signatures are no longer erroneously added to Manual user-defined signature sets that were created by policy import.
441058-5 : TMM can crash when a large number of SSL objects are created
Solution Article: K17366
Component: Local Traffic Manager
Symptoms:
Administrative operations which trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM will miss its heartbeat, at which time it will be killed by sod daemon via SIGABRT.
Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove any unused SSL objects from configuration.
Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.
440913-2 : Apply Policy Fails After Policy Diff and Merge
Component: Application Security Manager
Symptoms:
Merging global extractions with references to URLs or File Types from one security policy to another introduces a data inconsistency that prevents Apply Policy actions on the target policy.
Conditions:
A security policy with global extractions that has references to URLs or File Types is merged to another security policy.
Impact:
A data inconsistency is introduced that prevents Apply Policy actions on the target policy.
Workaround:
Remove the extractions from the list of found changes before using auto-merge, and add the extraction manually if desired.
Fix:
Global extractions now merge correctly using Policy Diff.
440841-4 : sso and apm split tunnelling log message is at notice level
Component: Access Policy Manager
Symptoms:
This split tunnelling log message is written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in the Logon Page if domain info should be separated from username for SSO to work properly".
Conditions:
Username used for SSO contains domain information
Impact:
logged at notice level for each request in /var/log/apm
Fix:
This split tunnelling log message is no longer written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in the Logon Page if domain info should be separated from username for SSO to work properly" The log is now written at the informational level.
440752-2 : qkview might loop writing output file if MCPD fails during execution
Component: TMOS
Symptoms:
If qkview is executed, and while it is executing, a problem arises with MCPD, it is possible that qkview may enter a loop where it continually writes the following lines to the file ./mcp_module.xml: end_transaction.
Conditions:
1. qkview is run while mcpd is executing properly.
2. mcpd enters unstable state while qkview is running.
Impact:
Disk can fill up, causing a system failure.
Workaround:
Do not run qkview if mcpd has been acting unpredictably.
Fix:
Qkview MCP module has been corrected to prevent qkview from looping infinitely when failing to connect to MCPD.
440605-4 : Unknown BigDB variable type 'port_list'
Component: TMOS
Symptoms:
You see the following in /var/log/ltm: notice dag.roundrobin.udp.portlist: Unknown BigDB variable type 'port_list'
This can also be observed by running tmsh modify sys db dag.roundrobin.udp.portlist value
A tmm crash could also occur if it is doing round robin load balancing of udp and attempts to load balance a fragmented udp payload.
Conditions:
The error will occur when tmm starts.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP will now recognize dag.roundrobin.udp.portlist
439514-6 : Different time-stamps are translated to the same time (due to DST clock change) and causes database errors
Component: Application Visibility and Reporting
Symptoms:
Due to DST (Daylight Savings Time) - Different timestamps can be translated to the same (local) time
Conditions:
DST clock change has occurred
Impact:
Analytics database cannot create new partition after DST clock change
Fix:
Appending the time-stamp to the partition name, so that if time is the same, the time-stamp will make the partition name different.
439343-9 : Client certificate SSL authentication unable to bind to LDAP server
Component: TMOS
Symptoms:
When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password.
Conditions:
LDAP client certificate SSL authentication enabled
LDAP server requires password to bind
Impact:
Client certificates cannot be authenticated
Fix:
LDAP client certificate SSL authentication sends correct bind password to LDAP server
439299-5 : iApp creation fails with non-admin users
Component: TMOS
Symptoms:
This error message may occur when Application Editor or Manager users try to create an iApp instance:
Error parsing template:Tcl_Init failed: (invalid command name "file" while executing "file join $i init.tcl" (procedure "tclInit" line 21) invoked from within "tclInit" line:46)
Conditions:
This issue occurs when an iApp instance is being created by a non-admin user. Application Editor and Manager users have been specifically tested.
Impact:
The iApp creation fails.
Workaround:
iApp creation will succeed if performed by an admin user.
Fix:
iApp creation by non-admin users previously could fail with this error:
Error parsing template:Tcl_Init failed: (invalid command name "file" while executing "file join $i init.tcl" (procedure "tclInit" line 21) invoked from within "tclInit" line:46)
This no longer occurs.
439249-1 : PEM:Initial quota request in the rating group request is not as configured.
Component: Policy Enforcement Manager
Symptoms:
When quota request is being sent for the rating group for the first time the initial quota request in the request is not as configured.
Conditions:
Quota request for a rating group is sent for the first time for the session and initial quota request for the rating group not as configured.
Impact:
If not initial quota request then OCS may not allocate right quota for the the session.
Workaround:
here is no workaround at this time
Fix:
Initial quota request is sent the request for quota as configured.
439013-5 : IPv6 link-local vlan tag handling incorrect
Solution Article: K15162
Component: Local Traffic Manager
Symptoms:
Validation is not allowing IPv6 link-local address with vlan tag
Conditions:
Trying to create IPv6 link-local with vlan tag notation, or bits in the second group of the IPv6 address.
Impact:
When trying to use the same IPv6 address on multiple vlans
Workaround:
Put the desired IPv6 link-local address with the vlan tag notation in bigip_base.conf, and run "tmsh load sys config"
Fix:
Validation now allows IPv6 link-local address with %vlan notation.
Behavior Change:
It's no longer possible to use %vlan notation with non-link-local IPv6 address as object name.
438969-2 : HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain
Component: Access Policy Manager
Symptoms:
HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain.
Conditions:
HTML5 VMware View client is used on APM Webtop to access VMware View desktops through a Virtual Server that is on non-default route domain.
Impact:
HTML5 VMware View Client does not work.
Fix:
HTML5 VMware View Client now works with APM when the virtual server is on a non-default route domain.
438792-10 : Node flapping may, in rare cases, lead to inconsistent persistence behavior
Component: Local Traffic Manager
Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).
Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.
Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.
Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:
when PERSIST_DOWN {
persist delete source_addr [IP::client_addr]
}
For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.
Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.
438773-1 : Network Firewall event logs page pops up date/time picker automatically during drag-and-drop
Component: Advanced Firewall Manager
Symptoms:
Network Firewall event logs page pops up date/time picker automatically during drag-and-drop of the time field in the table to the custom search area.
Conditions:
This occurs in AFM when dragging and dropping a time
from the log event list table
Impact:
Datetime picker pops up automatically
Fix:
Datetime picker no longer pops up date/time picker during drag and drop.
438674-4 : When log filters include tamd, tamd process may leak descriptors
Solution Article: K14873
Component: TMOS
Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations.
Conditions:
Configure log filter that includes tamd.
Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.
Workaround:
Do not define log filters that include tamd (tamd is included in 'all').
Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.
438608-1 : PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)
Component: Policy Enforcement Manager
Symptoms:
CCR-U triggered by PEM when managing Gy session may not have Requested-service-unit (RSU) in the message.
Conditions:
When rating group is idle for a while and periodically quota request is sent after the timeout then this request will not Requested-Service-Unit (RSU) in the CCR-U message.
Impact:
If no RSU being encoded then OCS may not allocate right quota the the session.
Workaround:
there is no workaround at this time
Fix:
RSU is now being encoded in all rating groups in CCR-U except the one which are marked as Final reporting.
438092-2 : PEM: CCR-U triggered by RAR during Gy session will have not have Requested Service Unit(RSU)
Component: Policy Enforcement Manager
Symptoms:
When RAR message is triggered by OCS to reauthorize rating groups associated in the Gy session then corresponding CCR-U will not have any requested service unit (RSU)
Conditions:
RAR triggered by OCS and CCR-U will not have any RSU in the message for the rating group.
Impact:
if no RSU in the CCR-U then OCS may not grant correct quota for the rating groups.
Workaround:
here is no workaround at this time'
Fix:
Requested Service Unit (RSU) is present in the CCR-U triggered by OCS
437744-7 : SAML SP service metadata exported from APM may fail to import.
Solution Article: K15186
Component: Access Policy Manager
Symptoms:
SAML SP service metadata exported from APM contains elements in incorrect order which might cause it to fail to be imported by other implementations.
Conditions:
When SAML metadata is exported from BIG-IP when it is acting as SAML Service Provider, the order of
'SingleLogoutService' and 'AssertionConsumerService' are not right.
Impact:
Import of SAML metadata with SAML IdP from BIG-IP as SP might fail.
Workaround:
Edit exported metadata: change the order of elements in the SPSSODescriptor so that SingleLogoutService element goes first in the sequence.
Fix:
SAML metadata elements are exported in correct order.
437743-8 : Import of Access Profile config that contains ssl-cert is failing
Component: Access Policy Manager
Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.
Conditions:
Access Profile configuration contains (SSL) Certificate File object, that is configurations that include OCSP responder, Certificate Authority Profile or ServerSSL Profile.
Impact:
Serious. It's not possible to import configs that contain above mentioned objects to another box, which might prevent users from distributing profiles manually or properly importing a backup/
Workaround:
You can either exclude above-\ mentioned objects prior to export and then recreate them after the import or (not recommended) edit the config manually and import the SSL certificate prior to import.
Fix:
You can import an access profile that includes an SSL certificate object in its configuration objects.
437670-2 : Race condition in APM windows client on modifying DNS search suffix
Component: Access Policy Manager
Symptoms:
Race condition in APM client have a potential to leave "SearchList" registry key (DNS search suffix) in corrupted state.
Conditions:
Windows user connecting and disconnecting network access connection to BIG-IP APM.
Impact:
Windows can get incorrect DNS search suffix after using using network access connection to BIG-IP APM server. This issue is a race condition and may happen at random.
Workaround:
n/a
Fix:
Addressed race condition in APM client on modifying DNS search suffix on Windows-based systems.
437637-2 : Sensor critical alarm: Main board +0.9V_CN35XX
Component: TMOS
Symptoms:
TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.
Bug 447349 is a duplicate of this bug. The log message reads "Blade 0 hardware sensor critical alarm: Main board +0.9V_CN35XX voltage: 888 mV"
Conditions:
When the host is powered off using the AOM menu, the LBH will detect an under voltage condition for all non-standby voltage rails. This puts the sensors in the critical state. When the host powers the voltage rails turn on and the sensors transition back to the nominal state as the voltage rises. The 0.9 volt rail on some systems does not get high enough to clear the alert even though the voltage makes it into the nominal range.
Impact:
There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.
Workaround:
Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.
Fix:
The 7000 Series platform no longer reports a false positive sensor out-of-range error when the Host is powered off using the AOM.
437611-3 : ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204
Solution Article: K16104
Component: Access Policy Manager
Symptoms:
The system posts this error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204.
Conditions:
This benign error occurs with an LTM Base license or APM standalone license in the following circumstances: -- APM is provisioned. -- License is upgraded. -- System is booted up or restarted.
Impact:
This error does not indicate any error condition, and you can safely ignore it.
Fix:
An error referencing the access_license.c file is no longer logged during provisioning, system startup, reboot, or license upgrade.
437285-4 : Multiple socat vulnerabilities
Solution Article: K14919
437256-1 : clientssl profile has no key/cert pair
Component: Local Traffic Manager
Symptoms:
After starting tmm, you notice the following critical error in /var/log/tmm, but the system otherwise boots and performs normally:
crit tmm[11621]: 01260000:2: Profile profile-name: clientssl profile has no key/cert pair.
Conditions:
This can occur during start-up of tmm (usually during system boot-up).
Impact:
If the system otherwise performs normally (i.e., you do have the correct clientssl certificate installed), this error is benign; during initial start-up it is possible that the clientssl profile data has not yet been loaded at the right time. In this case the critical log message is misleading.
Workaround:
None.
Fix:
The BIG-IP system now logs a critical error 'clientssl profile has no key/cert pair' only if the clientssl profile truly does not have a certificate configured.
437025-5 : big3d might exit during loading of large configs or when a connection to mcpd is dropped.
Solution Article: K15698
Component: Global Traffic Manager (DNS)
Symptoms:
If big3d loses its connection to MCPD and cannot reconnect immediately, big3d retries too often and re-uses timer IDs incorrectly.
This might result in a core dump with either SIGABRT or SIGSEV.
One way this can happen is that while processing very large configs, the mcpd process does not respond to queries from the big3d process.
Conditions:
A large configuration file (for example, larger than 10 MB) or a very busy MCPD/control plane.
Impact:
big3d core errors.
Workaround:
This issue has no workaround at this time.
Fix:
Very large configuration files (for example, larger than 10 MB) or a very busy MCPD/control plane no longer causes big3d core errors.
436682-6 : Optical SFP modules shows a higher optical power output for disabled switch ports
Component: TMOS
Symptoms:
Some optical SFP/SFP+ modules may continue to provide optical power output higher than the specified detection threshold when the port has been disabled. As a result, the remote connected device may indicate a false positive link state.
Conditions:
The SFP or SFP+ module switch port has been disabled on the BIG-IP system. The problem occurs due to the optical transmitter in the SFP/SFP+ module not being disabled when the switch port itself is in a disabled state.
The problem may occur with certain optical SFP/SFP+ modules, including all or a subset of individual modules with the following part numbers:
OPT-0010-00 (1G-SR)
OPT-0011-00 (1G-LR)
OPT-0016-00 (10G-SR)
OPT-0017-00 (10G-LR)
For a list of F5 supported Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ modules, see SOL6097: Specifications of the Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ module ports on BIG-IP system platforms, available here: https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6097.html.
Impact:
Link status may be incorrectly reported as up on remote connected device.
Workaround:
To work around this issue, when disabling an affected switch port on the BIG-IP system, you can also disable the connected port on the remote device.
Fix:
Optical SFP/SFP+ modules now show the correct optical power output for disabled switch ports, which no longer attributes to false link states.
436489-3 : Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail.
Component: Access Policy Manager
Symptoms:
Session variables, such as, %{session.server.landinguri}, are not processes as part of Relay State parameter in BIG-IP SP service configuration.
Conditions:
Session variable configured as part of Relay State parameter in BIG-IP SP service configuration and SP initiated SAML SSO is used.
Impact:
Session variables are not processed
Workaround:
Do not use session variables inside Relay State configuration for BIG-IP SP service.
Fix:
The BIG-IP system SAML Service Provider (SP) service now supports and processes session variables as part of the RelayState parameter.
436468-2 : DNS cache resolver TCP current connection stats not always decremented properly
Component: Local Traffic Manager
Symptoms:
DNS cache resolver TCP current connection stats are not always decremented properly.
Conditions:
This occurs when gathering statistics.
Impact:
Indirectly causes max connections to be wrong.
Fix:
DNS cache resolver TCP current connection stats are now decremented properly.
436201-15 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
Component: Access Policy Manager
Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.
Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.
Impact:
Web application malfunction.
Workaround:
Use an iRule.
Fix:
JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.
435335-6 : SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
Solution Article: K16038
Component: Local Traffic Manager
Symptoms:
After setting tmm.proxyssl.cachesize to a non-default value and restarting TMM, the new maximum size is not respected, either causing too many or too few entries to be retained. This can lead to memory exhaustion over time.
Conditions:
Proxy SSL feature enabled with non-default tmm.proxyssl.cachesize value set.
Impact:
The setting has no effect, so if it is being used to avoid low-memory conditions, the low-memory conditions persist.
Fix:
The tmm.proxyssl.cachesize and tmm.proxyssl.bucketcount settings are now respected when set and TMM has been restarted after the new values have been set.
435055-2 : ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)
Solution Article: K17291
Component: Local Traffic Manager
Symptoms:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).
Log files may indicate SSL handshake error or a 'no shared ciphers' error.
Conditions:
Using a hybrid certificate (RSA signed EC cert).
Impact:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).
Workaround:
None.
Fix:
The system now supports ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert).
435044-4 : Erroneous 'FIPS open failed' error on platforms without FIPS hardware
Solution Article: K22006218
Component: Local Traffic Manager
Symptoms:
The following error may be logged on BIG-IP platforms which do not contain a FIPS hardware device:
date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed.
Conditions:
This error occurs when the iControl get_certificate_bundle function is invoked on BIG-IP platforms that do not contain a FIPS hardware device.
The F5 Enterprise Manager product makes frequent use the iControl get_certificate_bundle function.
Impact:
This error message does not indicate a functional problem and should be ignored.
Workaround:
None.
Fix:
The following error is no longer logged erroneously on BIG-IP platforms which do not contain a FIPS hardware device:
date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed.
434096-5 : TACACS log forwarder truncates logs to 1 KB
Component: TMOS
Symptoms:
TACACS log forwarder truncates logs to 1 KB.
Conditions:
When the log size is bigger than 1 KB.
Impact:
Log text will be truncated.
Workaround:
None.
Fix:
The BIG-IP system now allows up to an 8 KB log message size.
433466-5 : Disabling bundled interfaces affects first member of associated unbundled interfaces
Component: TMOS
Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).
Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.
Impact:
Traffic unable to pass due to ports 'Down' status.
Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.
Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.
432900-12 : APM configurations can fail to load on newly-installed systems★
Component: Access Policy Manager
Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed.
Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.
Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.
Workaround:
Create the directory /shared/apm and try to load the configuration again.
Fix:
Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.
432423-8 : Need proactive alerts for APM license usage
Component: Access Policy Manager
Symptoms:
Customer would like APM to generate proactive alerts when license usage reaches a certain threshold
Conditions:
N/A
Impact:
Without proactive alert, customer will not know that license consumption is near the maximum allowed and, hence, will not be prepared for the event of license being exhausted.
Workaround:
N/A
Fix:
Support for generating a license usage alert when a threshold is crossed has been added.
431980-2 : SWG Reports: Overview and Reports do not show correct data.
Solution Article: K17310
Component: Access Policy Manager
Symptoms:
When traffic is very sparse, the report may be incorrect and omit information due to skipped aggregation process of collected data.
The original fix caused heavy spikes to the CPU every 5 minutes.
Conditions:
Very sparse traffic with significant gaps.
Impact:
AVR reports may be incorrect.
Workaround:
This issue has no workaround at this time.
Fix:
Aggregation of data when traffic is very sparse with significant gaps is now done correctly, and also occurs when data is queried, instead of every 5 minutes in order to avoid a 5 minute CPU spiking issue.
431283-3 : iRule binary scan may core TMM when the offset is large
Component: Local Traffic Manager
Symptoms:
Binary command does not check if the offset argument is beyond the internal buffer boundary, this may core TMM. Here is an example:
binary scan [TCP::payload] @${offset_num}c var1
if "offset_num" is larger than payload buffer length, TMM may core.
Conditions:
Here is an example:
binary scan [TCP::payload] @${offset_num}c var1
if "offset_num" is larger than payload buffer length, TMM may core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Check payload length and compare with the offset argument before using the command.
Fix:
Check the offset value before moving the cursor.
431149-8 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
Solution Article: K17217
Component: Access Policy Manager
Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.
Conditions:
It can occur in conditions when :
- right after when the whole chassis is rebooted
- secondary/slave slot's tmm cores.
- disabling a slot on chassis
Impact:
Customer would see following message when they connect to virtual server "Access Policy configuration has changed on gateway"
Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.
Fix:
The issue is fixed by having the primary blade of the chassis/vCMP to recreate config snapshots if a secondary blade transitions from online to offline and vice versa.
430799-5 : CVE-2010-5107 openssh vulnerability
Solution Article: K14741
430323-3 : VXLAN daemon may restart when 8000 VXLAN tunnels are configured
Component: TMOS
Symptoms:
VXLAN daemon may restart when 8000 VXLAN tunnels are configured.
Conditions:
8000 VXLAN tunnels are configured.
Impact:
VXLAN daemon restart.
Fix:
VXLAN daemon does not restart when 8000 VXLAN tunnels are configured.
429011-8 : No support for external link down time on network failover
Solution Article: K15554
Component: Local Traffic Manager
Symptoms:
For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable.
Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.
Impact:
No support for external link down time on network failover.
Workaround:
None.
Fix:
External link down time on network failover is now supported on BIG-IP 2000 series and 4000 series platforms. You can find the Link Down Time on Failover option in the GUI under Device Management :: Device Groups :: [device_group_name] :: Failover.
428387-9 : SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
Component: Access Policy Manager
Symptoms:
SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contain special XML characters, such as [&,<,>,",'].
Conditions:
- Assertion signing is enabled on BIG-IP as IdP.
- SAML Configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. [&,<,>,",']
Impact:
SAML AuthRequest and Assertion generation could fail.
Workaround:
You can replace special XML character with XML-escape codes in the configuration:
" " ' ' < < > > & &
For example, replace "http://f5.com/acs_url?user=5&password=pass"
with "http://f5.com/acs_url?user=5&password=pass"
Fix:
The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.
428163-2 : Removing a DNS cache from configuration can cause TMM crash
Component: Local Traffic Manager
Symptoms:
Removing a DNS cache from the configuration with outstanding packets on the server side can cause a TMM crash if those responses time out after the resolver removed.
Conditions:
This occurs with DNS traffic in progress when removing a configured DNS cache from the configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This occurs with DNS traffic in progress. Disabling the listener using that cache and waiting 60 seconds before removing the cache prevents this from occurring.
Fix:
Deleting a cache resolver no longer results in outstanding packet issues.
428068-2 : Insufficiently detailed causes for session deletion.
Component: Access Policy Manager
Symptoms:
When a session is deleted for a reason unrelated to explicit admin action, a generic log message appears: 'Session deleted due to user inactivity or errors.' The message does not distinguish user inactivity from 'error', so the log message indicates a possible error when perhaps none had occurred.
Conditions:
Normal user inactivity is indistinguishable from numerous other causes related to policy actions.
Impact:
Cannot troubleshoot a session termination cause because there is no ability to determine whether the session was deleted because of normal user inactivity or due to some other cause.
Workaround:
None.
Fix:
The session deletion cause has been added as an enhancement to the session deletion log functionality.
427174-6 : SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
Solution Article: K15630
425980-2 : Blade number not displayed in CPU status alerts
Component: TMOS
Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time that the message was issued.
The slot number where the blade-specific condition is not included in message in the LCD display.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.
Conditions:
Affects:
VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis.
VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.
Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.
Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat
Fix:
The system_check utility now logs the blade number as part of CPU status alerts to the system console and log messages.
Such detail is not made available on the LCD display.
425882-4 : Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
Component: Access Policy Manager
Symptoms:
User is prompted for message box prompt about corrupted config file on system start up.
Conditions:
Undefined. Somehow related to improper shutdown/hibernate/poweroff.
Impact:
Profile is reset to default values.
User is annoyed.
Workaround:
http://support.f5.com/kb/en-us/solutions/public/10000/900/sol10935
Fix:
Configuration file handling for the BIG-IP Edge Client was improved to prevent configuration corruption.
425729-1 : mcpd debug logging hardening
Component: TMOS
Symptoms:
mcpd should obfuscate sensitive information even in debug logging mode
Conditions:
mcpd log level set to Debug
Impact:
Certain commands can log too much information
Workaround:
MCP logging is at the Notice level by default. You should only use the Debug log level for certain troubleshooting efforts.
Fix:
Fixed an issue with mcpd debug logging.
425331-1 : On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
Component: TMOS
Symptoms:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis.
This differs from the behavior on VIPRION 4xxx-series platforms, where the SNMP sysObjectID OID reports the ID of the Blade.
Conditions:
This occurs on VIPRION 2xxx-series platforms:
- C2xxx-series chassis
- B2xxx-series blades
Impact:
SNMP queries to identify the System ID of VIPRION platforms will identify different classes of hardware component on VIPRION 2xxx-series vs. 4xxxx-series platforms.
Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Blade, to match the behavior on VIPRION 4xxx-series platforms.
Previously, SNMP sysObjectID reported the ID of the Chassis on VIPRION 2xxx-series platforms.
Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Blade, to match the behavior on VIPRION 4xxx-series platforms.
Previously, SNMP sysObjectID reported the ID of the Chassis on VIPRION 2xxx-series platforms.
424936-1 : apm_mobile_ppc.css has duplicate 1st line
Component: Access Policy Manager
Symptoms:
An extra line (that consists of "<?") appears at the top of the apm_mobile_ppc.css file and
causes an error like this one:
Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '&lt;' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2
Impact:
Generate an error message in /var/log/http_errors log file.
Workaround:
To work around the problem, remove the extra line
("<?") from var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.
424831-4 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
Solution Article: K14573
Component: Local Traffic Manager
Symptoms:
Failovers between devices in a HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring).
Persistence / session table information would similarly be missing on the newly-active system.
Conditions:
Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as VCMP guests and VEs)
Network failover disabled.
Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored.
- Session database (SessionDB things, iRule session table, persistence table, etc) will not be mirrored, as expected, which may result in unknown unexpected traffic failures.
Workaround:
Enable network failover, then restart all TMMs.
Note: workaround will temporarily disrupt traffic.
Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.
424542-2 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
Component: TMOS
Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces"
Conditions:
Only happens on clustered or virtual environments, not on appliances.
Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.
Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"
424368-3 : parent.document.write(some_html_with_script) hangs up parent frame for IE browsers
Component: Access Policy Manager
Symptoms:
A statement such as: parent.document.write(some_html_with_script) hangs the parent frame for Internet Explorer browsers
Conditions:
Internet Explorer 10 through Internet Explorer 11
Impact:
Some web-applications are affected by this bug.
Fix:
Parent HTML page dynamic re-writing is supported in case of Internet Explorer 10-11: JavaScript statements like parent.document.write(some_html_with_script) are handled correctly.
423928-1 : syslog messages over 8 KB in length cause logstatd to exit
Solution Article: K42630383
Component: TMOS
Symptoms:
Creating a syslog longer than 8 KB in length might cause logstatd to issue an exception and exit.
Conditions:
This occurs when the system processes a syslog message that is longer than 8 KB.
Impact:
logstatd exits and posts a message similar to the following: localhost emerg logger: Re-starting logstatd.
Workaround:
Configure syslog smaller than (or equal to) 8 KB using a command similar to the following in bigip_base.conf:
sys syslog {
include "options { ... log_msg_size(8192); };"
}.
Fix:
syslog messages over 8 KB can now be processed, and the system does not exit. Note that the system does not process any log entry that is three times the buffer length or greater than 12 KB.
423392-7 : tcl_platform is no longer in the static:: namespace
Component: Local Traffic Manager
Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.
Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.
Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.
Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.
423282-7 : BIG-IP JavaScript includes can be improperly injected in case of conditional commment presence
Solution Article: K17116
Component: Access Policy Manager
Symptoms:
JavaScript does not work if a page contains conditional comments inside its head tag.
Conditions:
Presence of conditional comments contain very first script tag.
Example:
<html>
<!--[if lt IE 9]>
<script src="foo.js"></script>
<![endif]-->
<script>
document.write("foo");
</script>
</html>
Impact:
JavaScript does not work.
Workaround:
To work around the problem, use an iRule. The exact commands to use depend on the situation.
Fix:
The issue has been fixed by adding necessary JavaScript includes into every conditional branch.
422107-7 : Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
Solution Article: K17415
Component: Local Traffic Manager
Symptoms:
DNS transparent cache may have RRSIG in the responses for queries without DO bit set.
Conditions:
DNS transparent cache receives a DNS query without DO bit set.
If the query is answered by a DNSSEC zone of a pool member. The response returned to the client will contain RRSIG.
Impact:
Responses contain unnecessary RR sets. Not RFC compliant.
Workaround:
None.
Fix:
Queries answered by DNS transparent cache will no longer add RRSIG to the response if DO bit is not set in the query.
422087-4 : Low memory condition caused by Ram Cache may result in TMM core
Solution Article: K16326
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you may encounter the following symptoms:
- The TMM process crashes with a SIGABRT
- The BIG-IP system fails over to the peer system in a high-availability configuration.
- The BIG-IP system generates a TMM core file in the /var/core directory.
Conditions:
- Associating a Web Acceleration profile with a virtual server
- TMM has become deficient in memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround for this issue.
Fix:
Tmm no longer crashes in certain low memory conditions with Ram Cache enabled.
421971-7 : Renewing certificates with SAN input in the GUI leads to error.
Component: TMOS
Symptoms:
Renewing an existing certificate fails using the GUI if a user provides Subject Alternative Name (SAN) as input.
Conditions:
Using the GUI, provide SAN while renewing certificate.
Impact:
Cannot renew certificate using the GUI.
Workaround:
Do not provide SAN information while renewing certificates. As an alternative, you can create a new certificate with a SAN.
Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.
Fix:
Renewing an existing certificate now succeeds if a user provides Subject Alternative Name (SAN) as input in the GUI.
421791-4 : Out of Memory Error
Solution Article: K15559
Component: WebAccelerator
Symptoms:
TMM crashes due to a segmentation violation early in a WAM interface.
Most likely, before the crash occurs the logs should show messages indicating that the sweeper was activated one or more times.
Conditions:
Only happens when free memory is very low to non-existent.
Impact:
TMM crashes.
Workaround:
Reduce load on box if possible.
Fix:
Guards were placed on the module interfaces to bypass the module when the necessary memory could not be allocated for a connection.
420512-1 : All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels
Component: Access Policy Manager
Symptoms:
When an admin runs All Messages report and selects some Log Level checkbox in Report Parameters popup to filter out messages by log level, the report does not bring any data.
Impact:
User cannot filter out the All Messages report by Log level
Workaround:
None
Fix:
The ability to filter out the messages in the All Messages Report was restored with this fix. The All Messages Report now displays data correctly when the log level filter is used.
420440-7 : Multi-line TXT records truncated by ZoneRunner file import
Solution Article: K14413
Component: Global Traffic Manager (DNS)
Symptoms:
Checking your TXT record in the web interface causes the system to give an error. Querying for the data against a listener for the record reveals that the TXT rdata is incorrect.
Conditions:
GTM enabled and a zone file with a TXT record that has multi-line rdata has been imported via the GUI into ZoneRunner.
Impact:
Your DNS TXT records will be incorrect.
Workaround:
Enter your multi-line TXT records via the web interface as single line, quote separated lines.
Fix:
Multi-line TXT records are no longer truncated.
420438-2 : Default routes from standby system when HA is configured in NSSA
Component: TMOS
Symptoms:
In an NSSA configuration with a DR, BDR, and HA-configured BIG-IP systems, there are three default routes, one each from DR, BDR, and the standby BIG-IP system. The standby BIG-IP system should not send out any default routes.
Conditions:
This occurs when using OSPF in an NSSA configuration with a DR, BDR and HA pair BIG-IP systems.
Impact:
Traffic is incorrectly directed to the standby and dropped.
Workaround:
None.
Fix:
There are now no default routes from the standby BIG-IP system in an HA pair. This is correct behavior.
420341-5 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others
Solution Article: K17082
Component: Local Traffic Manager
Symptoms:
Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results. Once a particular client is above the limit, other clients (other source IP addresses) are also throttled by the system.
Conditions:
This occurs in the following manner: There is a configured connection rate limit per virtual server per client; one client exceeds the configured rate limit; and the virtual server also throttles other, unrelated clients.
Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.
Workaround:
None.
Fix:
Connection Rate Limit Mode when limit is exceeded by one client no longer throttles others.
420204-2 : FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
Component: TMOS
Symptoms:
Starting 11.4.0, 'tmsh delete sys crypto fips by-handle handle#' command is expected to throw an error if the key object corresponding to this FIPS key handle exists in BIG-IP config. However, this does not work if the key name is longer than 32 characters because the operation relies on key name being the same as the FIPS key label, which is not the case for keynames of greater than 32 chars.
Conditions:
BIG-IP contains a FIPS key object with a name that is longer than 32 characters. User attempts 'tmsh delete sys crypto fips by-handle handle#' for this FIPS key handle. The expected error does not occur, and the operation deletes the FIPS key from the FIPS card, which makes the BIG-IP key object invalid.
Impact:
The corresponding BIG-IP key object is now invalid with no corresponding FIPS key in FIPS card. Traffic using this key object will fail.
Workaround:
Use keynames shorter than 32 characters for FIPS keys.
Fix:
The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable.
420107-3 : TMM could crash when modifying HTML profile configuration
Component: TMOS
Symptoms:
Modification of configuration for a virtual with HTML profile attached may cause a tmm crash if there are open connections with html content.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable virtual server (or make sure that it does not have open connections in any other way) before modifying configuration.
Fix:
Fixed an issue in HTML profile which could cause a tmm crash during configuration change on a virtual with open connections.
419458-3 : HTTP is more efficient in buffering data
Component: Local Traffic Manager
Symptoms:
Expiration of HTTP connections.
Conditions:
If many small packets are received, then the HTTP filter may buffer those packets inefficiently.
Impact:
Excessive memory usage for buffering data.
Workaround:
None.
Fix:
HTTP is more efficient in buffering data so that HTTP connections do not get expired early.
419217-1 : LTM policy fails to decompress compressed http requests
Component: Local Traffic Manager
Symptoms:
Administrator configures LTM policy to decompress http request (so, for example, that ASM can check it). However compressed requests are not decompressed.
Conditions:
Issue occurs always when there is a decompress action on an LTM policy.
Impact:
Requests and/or responses are not decompressed as desired.
Workaround:
An iRule can be added to the virtual server to override policy setting. (DECOMPRESS::enable, DECOMPRESS::disable).
Fix:
A coding change has been made to cause LTM decompress action to work as expected.
418890-5 : OpenSSL bug can prevent RSA keys from rolling forward★
Solution Article: K92193116
Component: Local Traffic Manager
Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).
Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.
Impact:
Rather than receiving the expected decrypt failure unable to load Private Key with a bad decrypt, approximately 0.3% respond differently, where the return is non-zero and does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.
Workaround:
None.
Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.
418664-3 : Configuration utility CSRF vulnerability
Solution Article: K21485342
Component: TMOS
Symptoms:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342
Conditions:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342
Impact:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342
Fix:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342
417006-5 : Thales HSM support on Chassis cluster-mode.
Component: Local Traffic Manager
Symptoms:
Unable to correctly install and use Thales network-HSM in cluster-mode on BIG-IP chassis such as VIPRION.
Conditions:
Use Thales Network-HSM with BIG-IP chassis systems such as VIPRION in cluster mode.
Impact:
Unable to use Thales HSM with BIG-IP chassis system cluster-mode.
Workaround:
Follow manual install procedures for Thales install on each slot.
Fix:
Thales HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on primary slot will take care of installing Thales on all active slots.
On any already-open sessions to the BIG-IP slot(s), the PATH environment variable will need to be reloaded by executing 'source ~/.bash_profile' in order to be able to use Thales utilities.
If at a later stage, a new blade is added or a disabled or powered-off blade is made active or is powered-on, the user will have to run 'thales-sync.sh -v' *only* on the new secondary slot. If the new slot is made primary before running thales-sync.sh on it, then the regular install procedure using nethsm-thales-install.sh will be required on the new primary slot.
416734-2 : Multiple Perl Vulnerabilities
Solution Article: K15867
416372-3 : Boost memory allocator vulnerability CVE-2012-2677
Solution Article: K16946
416115-13 : Edge client continues to use old IP address even when server IP address changed
Component: Access Policy Manager
Symptoms:
Edge client goes in reconnect loop if the server it connected to went down and DNS assigned a new IP Address to server host name.
Conditions:
1) Edge clients connected successfully to a server.
2) Server goes down and DNS resolves the server host name to a different IP address
Impact:
- Client goes in a reconnect loop and needs to be restarted to successfully connect to new IP address.
Workaround:
Restart Edge Client
Fix:
Now BIG-IP Edge Client resolves the host name during reconnection and initiates full reconnection after an IP address change is detected.
415358-6 : Remote login shell hardening
Component: Local Traffic Manager
Symptoms:
The expected behavior is for privilege roles such as admin, resource-admin, etc. to have capability for root access when required.
Impact:
Potential for local privilege escalation.
Workaround:
Restrict any users in the affected roles to GUI access, i.e. remoteconsoleaccess none.
Fix:
Console login now consistent with ssh.
413708-7 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
Solution Article: K31302478
Component: TMOS
Symptoms:
When SNMP IPv6 UDP queries are directed from client to self-ip, response from the BIG-IP system does not preserve source port. An ephemeral source port will be used, instead of the source port 161.
Conditions:
SNMP IPv6 UDP query only.
Impact:
SNMP query fails.
Fix:
A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved.
412160-4 : vCMP provisioning may cause continual tmm crash.
Solution Article: K90882247
Component: TMOS
Symptoms:
vCMP provisioning may cause continual tmm crash. In rare cases, tmm cores when VCMP is provisioned/deprovisioned.
The tmm log file presents messages similar to the following: panic: ../dev/cn1120/n3_compress.c:555: Assertion 'enough n3_comp_dev structs' failed.
Conditions:
1) LTM is provisioned.
2) Provision vCMP.
3) View the tmm log file/system process table/etc.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
1) Save the system configuration.
2) Reboot
3) After reboot, ensure that the device stays active and has only twoNitrox 3 Compression Devices listed in /var/log/tmm:
-- notice n3-compress0 PASS 0.1: Nitrox 3 Compression Device
-- notice n3-compress1 PASS 0.1: Nitrox 3 Compression Device
Fix:
The system now prevents the tmm from starting up in the case where vCMP is provisioned/deprovisioned. This is correct behavior.
411233-2 : New pool members take all requests until lb_value catches up.
Component: Local Traffic Manager
Symptoms:
When a new pool member is added, the system assigns it a lb_value of 0, which causes new pool members to take all requests until the lb_values for all pool members are reset to accommodate the new member.
Conditions:
This occurs in a pool that uses predictive or observed load balancing modes, typically with a slow ramp time that is small or zero.
Impact:
When the pool member goes out of slow ramp before handling a connection, that pool member becomes the preferred pick for every request until its lb_value is reset in order with the other members.
Workaround:
Add the pool member disabled, and then enable it. If a member is added disabled and then enabled, the lb_values are correctly set, and the problem does not occur.
Fix:
The system now initializes lb_value to the minimum current lb_value for unused pool members. This is correct behavior.
410398-8 : sys db tmrouted.rhifailoverdelay does not seem to work
Component: TMOS
Symptoms:
The problem is that the sys db tmrouted.rhifailoverdelay value <value> does not seem to take any effect, and the route is being withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a blackhole route.
Conditions:
This occurs during a failover.
Impact:
Temporary black hole for a route.
Fix:
Fixed tmrouted to not bypass rhifailoverdelay during op-state change.
410101-4 : HSBe2 falls off the PCI bus
Component: TMOS
Symptoms:
While restarting the host tmm on a VCMP capable platform, an HSB on one of the blades stops responding and cannot be found, causing all tmms on the blade to fail to pass traffic. A large packet burst may be observed when this happens. Restarting the blade will clear the condition.
Conditions:
It is not known what triggers this condition. It was observed on BIG-IP 10000 and 12000 platforms, as well as B4300 blades. This is an intermittent issue that was seen rarely, restarting the host tmm seemed to trigger it more frequently.
Impact:
Traffic is interrupted, tmms non responsive on the blade or VCMP instance with the affected HSBe2
Fix:
Fixed a lockup issue with HSBe2
409323-2 : OnDemand cert auth redirect omits port information
Component: Access Policy Manager
Symptoms:
On-Demand Cert Auth redirect does not honor a port other than 443 in virtual server.
Conditions:
On-Demand Cert Auth is used in an access policy that's assigned to a virtual server with non-standard port.
Impact:
The redirect URL is missing the port information, hence subsequent client connections aren't successful.
Workaround:
N/A
Fix:
On Demand Cert Auth support for non standard port has been added to include the port information from VS as part of redirect URL.
408851-3 : Some Java applications do not work through BIG-IP server
Component: Access Policy Manager
Symptoms:
Some Java applications do not work through the BIG-IP server.
Impact:
Users are unable to use some web applications that use Java applets.
Fix:
Fixed bug that resulted in incorrect loading of Java applets (Java applications).
406001-5 : Host-originated traffic cannot use a nexthop in a different route domain
Component: Local Traffic Manager
Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.
Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.
Impact:
Nodes reached by the route cannot be monitored.
Workaround:
none
Fix:
Host-originated traffic can now use a nexthop in a different route domain.
405752-2 : TCP Half Open monitors sourced from specific source ports can fail
Solution Article: K22040410
Component: TMOS
Symptoms:
TCP Half Open monitors; when sourced from ports 1097 (except on some platforms), 1098, 1099, and 3306; will fail. Upon receipt of SYN-ACK from the monitored device, TMOS will filter the packet and respond with ICMP port unreachable.
Conditions:
Use one or more TCP Half Open monitors. Port 1097 will not be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 11000, or 11050 platforms.
Impact:
May result in false monitor failures.
Workaround:
1. Use a monitor type other than TCP Half Open.
2. Modify iptables by removing the relevant iptable rules.
For all platforms:
-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable.
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset.
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset.
Then, for platforms where port 1097 is affected:
-- /sbin/iptables -D INPUT -p tcp --dport 1097:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
Or for platforms where port 1097 is not affected:
-- /sbin/iptables -D INPUT -p tcp --dport 1098:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
Fix:
TCP Half Open monitors sourced from certain ports now handle traffic as expected.
405635-5 : Using the restart cm trust-domain command to recreate certificates required by device trust.
Component: TMOS
Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.
Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.
Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.
Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.
Fix:
This release contains a new tmsh command 'restart cm trust-domain' to restart device trust in this circumstances.
405611-2 : Configuration utility CSRF vulnerability
Solution Article: K61045143
Component: TMOS
Symptoms:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143
Conditions:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143
Impact:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143
Workaround:
None.
Fix:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143
404141-3 : Standby system offers option to Apply Access Policy even though it has been synced
Component: Access Policy Manager
Symptoms:
After syncing an access policy from the active system to the standby, the standby system will still prompt you to apply the access policy, even though it is in sync with the primary
Conditions:
Device group configured and an access policy is synced from the active device to the standby device(s).
Impact:
The message is erroneous on the standby, as the policy was already synced.
Workaround:
The standby device will no longer prompt to sync the access policy if it has already been synced from the active device.
403991-9 : Proxy.pac file larger than 32 KB is not supported
Component: Access Policy Manager
Symptoms:
Proxy.pac file larger than 32 KB is not downloaded and edge client may fail to provide network access.
Conditions:
BIG-IP APM, MAC Edge Client, network access, proxy.pac URL pointing to the file greater than 32 KB.
Impact:
User might not be able to access internal resources and Edge Client might go into connect/disconnect loop.
Fix:
BIG-IP Edge Client for Mac now supports Proxy.pac file size of up to 1 MB; previously, the limit was 32KB.
402793-13 : APM Network Accces tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
Component: Access Policy Manager
Symptoms:
VPN connection on Linux and Mac clients can slow down and may loose some packets while performing secure re-negotiation on TLS or DTLS Network Access tunnel.
Conditions:
Secure re-negotiation configured on APM virtual server.
Impact:
Users can experience disconnects or traffic loss on APM Network Access connection.
Workaround:
n/a
Fix:
APM clients for Linux and Mac modified to perform better during secure re-negotiation.
402412-10 : FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
Component: Local Traffic Manager
Symptoms:
When FastL4 performs hardware acceleration at TCP handshake, FastL4 handshake timeout is not honored.
Conditions:
When FastL4 performs hardware acceleration at SYN time, once a flow is offloaded to hardware, the flow switches to using idle timeout instead of standard established timeout.
Impact:
FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
Workaround:
None.
Fix:
FastL4 no longer switches to idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to idle timeout.
401893-2 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
Component: TMOS
Symptoms:
You will be unable to use the tilde (~) character in the fields Response Headers Allowed and Encrypt Cookies when using the GUI.
Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.
Impact:
The GUI errors out with an error: Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."
Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.
Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.
400456-2 : HTTP monitors with long send or receive strings may not save or update
Component: TMOS
Symptoms:
HTTP monitors with long send or receive strings may not save or update. When you attempt to save or update an affected monitor configuration, a warning message similar to the following example appears on the Configuration utility screen:
Some Fields below contain errors. Correct them before continuing.
Value may not contain literal newline characters.
Conditions:
You use a Google Chrome or Safari web browser.
You attempt to configure a long send or receive string that contains word wraps within the text box of the Configuration utility.
Impact:
You are unable to create or update affected HTTP monitors using the Configuration utility.
Workaround:
To work around this issue, you can use the Internet Explorer or Firefox browser. Alternatively, you may use the Traffic Management Shell (tmsh) to create the HTTP monitor.
399732-2 : SAML Error: Invalid request received from remote client is too big
Component: Access Policy Manager
Symptoms:
Some SAML deployments will produce SAML Assertions or SAML Authentication Requests in POST data that are larger than 64KB.
When this occurs, an error message will be produced in the APM log:
"Invalid request received from remote client is too big."
Conditions:
When a BIG-IP systems acts as a SAML service provider, it supports only assertions of size 64K or less. Also, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of size 64K or less.
Impact:
SAML cannot be used in BIG-IP as IdP or BIG-IP as SP with deployments that cause large POST data from clients.
Workaround:
No workaround possible.
397431-8 : Improved security for Apache.
Component: TMOS
Symptoms:
Improved security for Apache.
Conditions:
Improved security for Apache.
Impact:
Improved security for Apache.
394236-4 : MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
Component: TMOS
Symptoms:
MCP exits unexpectedly and you see a trace in the ltm log file similar to:
Feb 9 12:54:41 localhost err mcpd[9995]: 01070596:3: An unexpected failure has occurred, There is no active database transaction, status: 0 - EdbDbConnection.cpp, line 133, exiting...
Conditions:
Unexpected MCP exit.
Impact:
MCP is already exiting, so there is no impact.
Fix:
Changed ordering of shutdown operations to avoid MCP error message for benign condition.
393647-1 : Objects configured with a connection rate-limit and yellow status
Component: Local Traffic Manager
Symptoms:
The availability status for objects configured with a connection rate-limit can remain yellow even if the object is available to handle traffic.
Conditions:
This occurs when using objects configured with a connection rate-limit.
Impact:
Once the connection rate falls below the configured value, the object's status continues to show unavailable until the object receives additional traffic.
Fix:
Objects configured with a connection rate-limit will now show status available whenever the connection rate falls below the configured value.
393270-3 : Configuration utility may become non-responsive or fail to load.
Component: TMOS
Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Unable to log into the GUI or GUI shows blank page
Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.
Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.
389484-5 : OAM reporting Access Server down with JDK version 1.6.0_27 or later
Component: Access Policy Manager
Symptoms:
Cannot connect to Access Server.
When running eamtest tool to check the functionality between OAM and the access server are working correctly, the following error is seen:
Preparing to connect to Access Server. Please wait.
Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM
Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.
Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.
Workaround:
Install older version of JDK than v1.6.0_27.
Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.
388274-2 : LTM pool member link in a route domain is wrong in Network Map.
Component: TMOS
Symptoms:
Pool member link in a route domain in Network Map is broken.
Conditions:
This occurs for pool members that exist in a route domain.
Impact:
System cannot correctly read the % used with route domains.
Workaround:
None.
Fix:
LTM pool member link in a route domain is now in the correct Network Map.
384451-8 : Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
Component: Local Traffic Manager
Symptoms:
SSL per-virtual stats might cause SSL profile cert/keys/chain to be instantiated per-virtual server.
Conditions:
This occurs when using cert/keys/chain in SSL profile virtual servers.
Impact:
In this case, cert/keys/chain are duplicated and those duplicates might cause excessive memory use and disk activity which might lead to SIGABRTs and low-memory conditions.
Workaround:
None.
Fix:
Improved memory management when there are duplicated keys or certs.
384072-5 : Authorization requests not being cached when allowed.
Solution Article: K10442159
Component: WebAccelerator
Symptoms:
Requests containing authorization headers are not cached under any circumstance, not complying with RFC 2626 14.8.
Conditions:
-- Requests containing Authorization headers.
-- OWS returning responses with either cache-control:public, must-revalidate or s-maxage.
Impact:
The cache benefit is not seen in objects that should be cached that are requested using authentication headers.
Workaround:
None.
Fix:
Now the authentication header handling complies with RFC 2616 14.8, based on the OWS response headers.
382157-2 : Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats
Solution Article: K17163
Component: TMOS
Symptoms:
Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats.
Conditions:
Running the following command returns data inconsistent with sflow statistics: snmpwalk -v2c -c public localhost F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable.
Impact:
Incorrect interpretation of vlan stats. As a result of fixing this issue, F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.
Workaround:
None.
Fix:
The IF-MIB::ifXTable was implemented to use the same stats as sflow. The F5-BIG-IP-SYSTEM-MIB::sysVlanStatTable is obsolete.
Behavior Change:
F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.
375887-5 : Cluster member disable or reboot can leak a few cross blade trunk packets
Solution Article: K17282
Component: Local Traffic Manager
Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.
Conditions:
This occurs on a trunk that spans blades.
Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.
Workaround:
None.
Fix:
Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.
375246-11 : Clarification of pool member session enabling versus pool member monitor enabling
Component: TMOS
Symptoms:
In previous documentation of LocalLB::Pool::set_member_monitor_state and set_member_session_enabled_state lead to some confusion for those using the API.
Conditions:
Reading the documentation.
Impact:
Confusion in the expected behavior for both functions.
Workaround:
Experimentation with the SOAP api and observation of BIG-IP behavior.
Fix:
When set_member_session_enabled_state sets a pool member to disabled, then current connections will be maintained, but no more connections will be allowed.
When set_member_monitor_state sets a pool member to disabled, then all connections will be killed immediately and no more connections will be allowed.
374339-5 : HTTP::respond/redirect might crash TMM under low-memory conditions
Component: Local Traffic Manager
Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.
Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Reduce memory usage
Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.
374067-2 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
Solution Article: K14098
Component: Local Traffic Manager
Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.
Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.
Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.
Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.
Fix:
A virtual server no longer intermittently causes HTTP Keep-Alive connections to use a self IP address as the secure network address translation (SNAT) address.
Behavior Change:
The persistence record attached to a connection is no longer reset upon pool member detachment when using OneConnect. When using OneConnect, the pool member detaches on the completion of every response.
This causes subsequent requests to be load balanced to the original pool member.
372473-3 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
Component: Local Traffic Manager
Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.
Conditions:
TMM crashes.
Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.
Workaround:
None.
Fix:
The message is no longer logged when TMM crashes.
372118-1 : import_all_from_archive_file and import_all_from_archive_stream does not create file objects.
Component: TMOS
Symptoms:
An attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream results in the files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.
Conditions:
This occurs when you attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream.
Impact:
Files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.
Workaround:
None.
Fix:
Attempting to transition certs/keys/etc from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream now creates the file-objects on the target system in addition to the files being copied to the directories under /config/ssl/.
368824-1 : There is no indication that a failed standby cannot go active.
Solution Article: K24050031
Component: TMOS
Symptoms:
There is no indication that a failed standby cannot go active.
One example is if pool-min-up-members fails. In this case the device will go standby and since this condition may persist, it will not be able to go active.
Conditions:
When a standby fails, there is no indication that it cannot go active.
Impact:
It is not apparent that the standby cannot go active.
Workaround:
None.
Fix:
-- The chassis display state of 'failed' is shown when a chassis is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The traffic group state of 'failsafe-fault' is displayed when a traffic group is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The commands 'show cm traffic-group' and 'show cm device' display the Standby state.
-- Updated GUI to show failover status, as well updates to the overview and device screens under device management.
Behavior Change:
The system now provides indication that a failed standby cannot go active.
-- The chassis display state of 'failed' is shown when a chassis is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The traffic group state of 'failsafe-fault' is displayed when a traffic group is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The commands 'show cm traffic-group' and 'show cm device' display the Standby state.
-- Updated GUI to show failover status, as well updates to the overview and device screens under device management.
366605-2 : response_log_size_limit does not limit the log size.
Component: Application Security Manager
Symptoms:
The internal parameter response_log_size_limit does not limit the log size.
Conditions:
The internal parameter response_log_size_limit is configured.
Impact:
Response log size limit is not applied.
Workaround:
None.
Fix:
response_log_size_limit now correctly limits the log size.The internal parameter name was changed from response_logging_size_limit to response_log_size_limit .
365219-3 : Trust upgrade fails when upgrading from version 10.x to version 11.x.★
Component: TMOS
Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but there will be one of the two following error messages in /var/log/ltm log:
-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.
-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.
Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.
Impact:
Trust upgrade for version 10.x high availability configuration fails.
Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.
Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.
364994-14 : TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled be an iRule.
Solution Article: K16456
Component: Local Traffic Manager
Symptoms:
Version 11.3.0 and earlier, TMM may restart.
Version 11.4.0 and later, disabled connections may be reused.
Conditions:
A virtual server with an associated OneConnect profile.
A server side connection is disabled on the client side by the iRule ONECONNECT::reuse disable command.
Impact:
Version 11.3.0 and earlier, tmm can crash.
Version 11.4.0 and later, disabled connections may be reused.
Workaround:
Version 11.3.0 and earlier:
If HTTP::disable is being called in a client-side event, OneConnect must be disabled in a server-side event. This can be done by including 'ONECONNECT::reuse disable' in the client-side event (so a new connection is created), setting a variable, and then invoking ONECONNECT::reuse disable in SERVER_CONNECTED
Example:
set oc_reuse_ss_disable 1
ONECONNECT::reuse disable
CACHE::disable
COMPRESS::disable
HTTP::disable
Add this (or merge with an existing SERVER_CONNECTED event in the iRule):
when SERVER_CONNECTED {
if { [info exists oc_reuse_ss_disable] } {
ONECONNECT::reuse disable
ONECONNECT::detach disable
}
}
11.4.0 and later:
Replace "ONECONNECT::reuse disable" with "set oc_reuse_ss_disable 1" in the iRule client-side event.
Add this (or merge with an existing SERVER_CONNECTED event in the iRule):
when SERVER_CONNECTED {
if { [info exists oc_reuse_ss_disable] } {
ONECONNECT::reuse disable
}
}
Fix:
TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.
364978-2 : Active/standby system configured with unit 2 failover objects★
Component: TMOS
Symptoms:
If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2.
Conditions:
This occurs when an active/standby system is misconfigured with unit 2 failover objects.
Impact:
For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair.
Workaround:
To work around this, modify the default device to point to unit 1 using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device unit_1_device_name.
Fix:
Active/standby system configured with unit 2 failover objects now create one traffic group, which is correct behavior.
362267-2 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors★
Solution Article: K17488
Component: TMOS
Symptoms:
If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades cannot use this address and issues an error message. This is correct operation.
Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.
Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.
Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.
Fix:
The system now tracks the set of active self-ips and management addresses, only issues errors when the unicast source ip is invalid, or does not behave as expected.
359774-5 : Pools in HA groups other than Common★
Component: TMOS
Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.
Conditions:
HA group pools in administrative partitions other than Common.
Impact:
Upgrade fails.
Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.
Fix:
Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.
356841-2 : Don't unilaterally set Connection: Keep-Alive when compressing
Component: Local Traffic Manager
Symptoms:
The Connection HTTP header is unilaterally set to "Keep-Alive" when compressing. This may overwrite a "Connection: Close" header set elsewhere.
Conditions:
Compression enabled with the INFLATE/DEFLATE filter, and the content length is altered by compression.
Impact:
The client may try to use pipelining when the server doesn't support it. This may result in the client receiving an unexpected RST.
Fix:
Compression no longer unilaterally sets a Connection: Keep-Alive header.
355806-2 : Starting mcpd manually at the command line interferes with running mcpd
Component: TMOS
Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.
Conditions:
Having a running mcpd and executing mcpd at the command line.
Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.
Workaround:
Don't try to use the mcpd directly.
Fix:
You are now told the PID of the current mcpd and the executed command will exit abnormally.
355661-2 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
Solution Article: K85476133
Component: TMOS
Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.
Conditions:
The management address is configured as a device unicast address.
Impact:
Excessive logging traffic at error level for a valid configuration.
Workaround:
None.
Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self-IPs, and retries the bind() without logging an error if a race condition occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid, which is correct behavior.
355199-5 : ePVA flow not removed when connection closed
Component: TMOS
Symptoms:
An ePVA flow might stay accelerated when the connection is closed.
Conditions:
If the idle-timeout in the fastl4 is lower than the default pva-aging timeout, then it's possible for the ePVA flow to stay accelerated.
Impact:
Accelerated flows will continue to pass traffic while not being tracked by software.
Workaround:
Increase the idle-timeout.
Fix:
ePVA flow now removed when connection is closed.
353556-2 : big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d keeps a SSL session cache for HTTPs monitors to improve performance, when the web server changes the SSL protocol, big3d fails to connect to the web server since it was using the cached SSL session.
Conditions:
Modify SSL protocol at the server side and restart the web server.
Impact:
Big3d is unable to correctly monitor the https web server.
Workaround:
restart big3d
Fix:
Fixed, now when big3d fails to connect to the https web server it will clear the session entry from the session cache and initiate a new SSL negotiation.
353229-4 : Buffer overflows in DIAMETER
Solution Article: K54130510
352925-4 : Updating a suspended iRule and TMM process restart
Solution Article: K16288
Component: Local Traffic Manager
Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.
Conditions:
This occurs when the iRule is suspended and the TMM process is trying to restart.
Impact:
TMM restarts.
Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.
Fix:
Updating a suspended iRule no longer results in TMM process restart.
348000-16 : HTTP response status 408 request timeout results in error being logged.
Component: Local Traffic Manager
Symptoms:
HTTP response status 408 request timeout results in error being logged.
Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.
Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.
Workaround:
None.
Fix:
HTTP response status 408 request timeout no longer results in error being logged.
342013-5 : TCP filter doesn't send keepalives in FIN_WAIT_2
Solution Article: K27445955
Component: Local Traffic Manager
Symptoms:
TCP filter does not send keepalives in FIN_WAIT_2 (half close state). This may result in connections to remain open when they should be closed.
Conditions:
The problem is the BIG-IP stops sending keepalives once the connection enters half close state, and the server sends keep-alives. This ends up keeping connections open indefinitely if the client disappears, or a firewall drops its flow entry, etc. It is never swept as the server keepalives reset the idle timeout.
Impact:
Possible open idle never ending connections.
Workaround:
None.
Fix:
This is fixed by sending keepalives even in half close state, as idle connections intentionally left open will still be allowed, and clients will be detected disappearing.
341928-6 : CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
Component: Local Traffic Manager
Symptoms:
TMM daemon crashes with accompanying log message: Assertion 'cmp dest set on incorrect listener type' failed.
Conditions:
A CMP enabled virtual targets (e.g. via 'virtual' iRule command) a CMP disabled virtual.
Impact:
Failover or network outage. Traffic disrupted while tmm restarts.
Workaround:
Avoid use of CMP disabled virtual servers.
Fix:
A CMP redirected looped virtual (i.e., VIP targeting VIP on different cluster node) no longer crashes TMM.
339825-2 : Management.KeyCertificate.install_certificate_from_file failing silently
Component: TMOS
Symptoms:
If the iControl function Management.KeyCertificate.install_certificate_from_file fails, it does not return error.
Conditions:
Using iControl to install a certificate from a file.
Impact:
The method fails, but appears to succeed.
336255-8 : OneConnect Connection Limits with Narrow Source Address Masks
Solution Article: K52011109
Component: Local Traffic Manager
Symptoms:
If a OneConnect profile with a narrow source address mask (e.g., 255.255.255.255) is applied to a virtual server with a SNAT pool, existing, idle, server connections cannot be reused (because of the SNATted source address and narrow source address mask). New connections, therefore, will be created.
Effectively, the pool member connection limits will be interpreted as applying to active connections, with in-flight (HTTP) requests or responses.
Conditions:
This can happen when OneConnect is used with SNAT pools and narrow OneConnect source address masks.
Impact:
More TCP connections to pool members than expected will occur.
Workaround:
Relax the OneConnect source address mask width.
Fix:
This fix introduces a 'limit-type' OneConnect profile option (currently supported only via TMSH and iControl/REST -- GUI and iControl/SOAP support in progress). The limit-type can take the following values:
none: behaviour is as before, "connections" are counted toward the pool member limit based on whether they have active, in-flight, requests or responses.
strict: a hard TCP pool member connection limit is enforced. No attempt will be made to try to find a connection to reuse if at the TCP connection limit, even if one might be available. This mode of operation is not recommended.
idle: if a client connection is accepted and the system is at or above the TCP connection limit, a random idle connection will be dropped.
291469-3 : SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.
Solution Article: K10643
Component: TMOS
Symptoms:
The SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.
Conditions:
The following error message is reported in the /var/log/messages file: snmpd[1748]: Error allocating more space for arpcache. Cache will continue to be limited to 2048 entries.
Impact:
The ARP entries up to the boundary are returned. Any ARP entries after the boundary is reached are not returned.
Workaround:
None.
Fix:
Memory validation now allows arpcache to expand, so The SNMP query no longer fails to return ARP entries when the ARP table exceeds 2,048 entries.
248914-5 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
Component: Local Traffic Manager
Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.
Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.
Impact:
This may cause destination lookup failures on the layer 2 network.
Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.
226043-5 : Add support for multiple addresses for audit-forwarder.
Component: TMOS
Symptoms:
The BIG-IP system supports only one destination address for audit-forwarder.
Conditions:
Audit forwarder.
Impact:
Cannot use multiple destinations for audit forwarder.
Workaround:
None.
Fix:
This release adds support for multiple destination addresses for audit-forwarder. There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases.
When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple IP addresses, separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. Note that a single IP address works as well.
When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to failover, audit_forwarder sends the message to the first destination. If that fails, audit_forwarder tries the next destination until it finds a successful destination, or fails all destinations. Note that 'failover' mode is not supported for RADIUS server since it is UDP and there is no notion of failing to connect. For RADIUS server, if config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'.
When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'.
Behavior Change:
There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases.
When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple IP addresses, separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. Note that a single IP address works as well.
When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to failover, audit_forwarder sends the message to the first destination. If that fails, audit_forwarder tries the next destination until it finds a successful destination, or fails all destinations. Note that 'failover' mode is not supported for RADIUS server since it is UDP and there is no notion of failing to connect. For RADIUS server, if config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'.
When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'.
225634-6 : The rate class feature does not honor the Burst Size setting.
Solution Article: K12947
Component: Local Traffic Manager
Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).
The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.
Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.
Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.
Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:
Impact of workaround: None.
Log in to the Configuration utility.
Click Network.
Click Rate Shaping.
Click the appropriate rate class.
Change the Burst Size to 0.
Click Update.
225443-6 : gtmparse fails to load if you add unsupported SIP monitor parameters to the config
Component: Global Traffic Manager (DNS)
Symptoms:
Customers could either manually or via tmsh add unsupported properties to a GTM SIP monitor. Examples of properties that are supported by LTM SIP monitor but not GTM SIP monitor are "headers" and "filter neg". If these are added to a GTM SIP monitor definition in wideip.conf, gtmparse will fail to load the configuration.
Conditions:
Unsupported GTM SIP monitor properties like "headers" and "filter neg" are added either manually or via tmsh to wideip.conf and then customer runs gtmparse to load the config and/or the config is gtm sync'd to another box and fails to load there.
Impact:
Gtmparse will fail to load the configuration.
Workaround:
none
Fix:
Gtmparse will now successfully load a configuration that contains GTM SIP monitors that include the following properties: "headers" and "filter neg".
Please note that if a single box in a GTM sync group is upgraded to this hotfix version and the "headers" or "filter neg" gtm sip monitor options are used, all of the boxes in the sync group must be upgraded to this version as well in order for the config to sync successfully between boxes in a sync group.
Known Issues in BIG-IP v11.5.x
TMOS Issues
| ID Number | Severity | Solution Article(s) | Description |
| 641390-3 | 1-Blocking | K00216423 | Backslash removal in LTM monitors after upgrade |
| 723722-5 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
| 716391-5 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
| 693996-1 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
| 689437-4 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling |
| 689002-5 | 2-Critical | Stackoverflow when JSON is deeply nested | |
| 685458-3 | 2-Critical | merged fails merging a table when a table row has incomplete keys defined. | |
| 664894-4 | 2-Critical | K11070206 | PEM sessions lost when new blade is inserted in chassis |
| 653376-4 | 2-Critical | bgpd may crash on receiving a BGP update with >= 32 extended communities | |
| 652877-1 | 2-Critical | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | |
| 625456-1 | 2-Critical | Pending sector utility may write repaired sector incorrectly | |
| 613415-5 | 2-Critical | K22750357 | Memory leak in ospfd when distribute-list is used |
| 593536-3 | 2-Critical | Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations | |
| 591104-4 | 2-Critical | ospfd cores due to an incorrect debug statement. | |
| 587698-1 | 2-Critical | bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured | |
| 581851-5 | 2-Critical | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands | |
| 571635 | 2-Critical | K12010393 | VIPRION B2100 or B2150 blade Optic OPT-0016-00 is ON during BIG-IP system boot sequence causing errors with connected equipment |
| 555464-1 | 2-Critical | HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries | |
| 528343-1 | 2-Critical | Loading cli preference that does not contain the user attribute will fail | |
| 517589-1 | 2-Critical | 'array' command not functional from within MOS context | |
| 515764-3 | 2-Critical | PVA stats only being reported on virtual-server and system-level basis. | |
| 511868-2 | 2-Critical | Management port loses connectivity during AOM reset | |
| 511006-2 | 2-Critical | K79414444 | Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable. |
| 505323-3 | 2-Critical | K17349 | NSM hangs in a loop, utilizing 100% CPU |
| 475728-1 | 2-Critical | BCM56xxd might restart due to parity errors | |
| 473641-2 | 2-Critical | Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak | |
| 464870-6 | 2-Critical | K94275315 | Datastor cores and restarts. |
| 457252-2 | 2-Critical | tmm crash when using sip_info persistence without a sip profile | |
| 451458-6 | 2-Critical | K16384 | The leasepool stat query should only return primary blade data. |
| 447542-3 | 2-Critical | K51222549 | TMM crashes at startup when reprovisioning. |
| 442199-4 | 2-Critical | HA group must be set up before running ccmode★ | |
| 436674-2 | 2-Critical | K17271 | The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot. |
| 435555-4 | 2-Critical | Cannot load UCS from different BIG-IP system using Secure Vault | |
| 423061-1 | 2-Critical | Creating an SNMP v3 user using the Configuration utility or tmsh adds passwords in plain text to the snmpd.conf file | |
| 418734-3 | 2-Critical | vCMP guest unit_key empty★ | |
| 376120-6 | 2-Critical | K15726 | tmrouted restart after reconfiguration of previously deleted route domain |
| 725791-1 | 3-Major | Potential HW/HSB issue detected | |
| 725646 | 3-Major | TMSH core on v11.5.x or v11.6.x when multiple TMSH instances are spawned and terminated quickly | |
| 723794-1 | 3-Major | PTI (Meltdown) mitigation should be disabled on AMD-based platforms | |
| 723579-1 | 3-Major | OSPF routes missing | |
| 720269-5 | 3-Major | TACACS audit logging may append garbage characters to the end of log strings | |
| 719749 | 3-Major | BGP last update timer incorrectly resets to 0 when 'max paths ebgp' is configured | |
| 718277 | 3-Major | Deployed guests inoperative after host and guest master-key reset without rebooting host after host master-key is reset. | |
| 716166-1 | 3-Major | Dynamic routing not added when conflicting self IPs exist | |
| 713708-1 | 3-Major | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | |
| 709786 | 3-Major | K21241697 | 'bandwidth utilization exceeded' log messages may not be output in all cases |
| 707929-1 | 3-Major | 2000/4000 series platform after applying performance upgrade license does not show correct name in show sys hardware | |
| 707740-1 | 3-Major | Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination | |
| 707445-5 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
| 705655-1 | 3-Major | Virtual address not responding to ICMP when ICMP Echo set to Selective | |
| 705037-6 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
| 704449-6 | 3-Major | Orphaned tmsh processes might eventually lead to an out-of-memory condition | |
| 701722-4 | 3-Major | Potential mcpd memory leak for signed iRules | |
| 700426-3 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
| 698933-5 | 3-Major | Setting metric-type via ospf redistribute command may not work correctly | |
| 698038-2 | 3-Major | K05730807 | TACACS+ system auth file descriptor leaks when servers are unreachable |
| 698013-6 | 3-Major | K27216452 | TACACS+ system auth and file descriptors leak |
| 694696-1 | 3-Major | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | |
| 691749-5 | 3-Major | Delete sys connection operations cannot be part of TMSH transactions | |
| 691485-1 | 3-Major | K47635484 | System fails to boot when syslog-ng is not running. |
| 690890-5 | 3-Major | Running sod manually can cause issues/failover | |
| 688406-5 | 3-Major | K14513346 | HA-Group Score showing 0 |
| 686626-1 | 3-Major | The BIG-IP system may connect to an OCSP server using an unexpected source IP address | |
| 681782-2 | 3-Major | K30665653 | Unicast IP address can be configured in a failover multicast configuration |
| 679605-3 | 3-Major | Device groups with no members will cause upgrade to fail | |
| 678925-3 | 3-Major | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | |
| 674957-3 | 3-Major | If a certificate is stored in DER format, exporting it using the GUI corrupts the output. | |
| 671774 | 3-Major | LTM v11.5.4 f5.http iApp Cannot Deploy if VS IP is an existing Node IP | |
| 671553-4 | 3-Major | iCall scripts may make statistics request before the system is ready | |
| 671447-4 | 3-Major | ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form | |
| 671261-4 | 3-Major | K32306231 | MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo |
| 671236-4 | 3-Major | K27343382 | BGP local-as command may not work when applied to peer-group |
| 670044 | 3-Major | High Speed Logging can crash TMM on TCP pool member down. | |
| 667223-2 | 3-Major | The merge option for the tmsh load sys config command removes existing nested objects | |
| 666117-2 | 3-Major | Network failover without a management address causes active-active after unit1 reboot | |
| 664017-1 | 3-Major | OCSP may reject valid responses | |
| 658636-5 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped. |
| 657834-4 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
| 652671-2 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
| 651432 | 3-Major | When mcpd on a secondary blade crashes, after it comes back up, the virtual_disk entries are missing for that blade | |
| 651136-4 | 3-Major | K36893451 | ReqLog profile on FTP virtual server with default profile can result in service disruption. |
| 650002-4 | 3-Major | tzdata bug fix and enhancement update | |
| 648621-3 | 3-Major | SCTP: Multihome connections may not expire | |
| 648544-3 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
| 647834-2 | 3-Major | Failover DB variables do not correctly implement 'reset-to-default' | |
| 644979-4 | 3-Major | Errors not logged from hourly 1k key generation cron job | |
| 643799-3 | 3-Major | Deleting a partition may cause a sync validation error | |
| 643459-1 | 3-Major | K81809012 | Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy |
| 642923-4 | 3-Major | K01951295 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system |
| 641450-2 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
| 639774-3 | 3-Major | K30598276 | mysqld.err rollover log files are not collected by qkview |
| 638091-2 | 3-Major | Config sync after changing named pool members can cause mcpd on secondary blades to restart | |
| 633512-5 | 3-Major | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. | |
| 632825-3 | 3-Major | bcm56xxd crash following 'silent' port-mirror configuration failure | |
| 630610-4 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
| 629834-3 | 3-Major | istatsd high CPU utilization with large number of entries | |
| 629499-3 | 3-Major | tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found" | |
| 628202-1 | 3-Major | Audit-forwarder can take up an excessive amount of memory during a high volume of logging | |
| 627760-1 | 3-Major | gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card | |
| 626721-2 | 3-Major | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart | |
| 626589-3 | 3-Major | K73230273 | iControl-SOAP prints beyond log buffer |
| 624626-2 | 3-Major | Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility | |
| 623391-2 | 3-Major | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★ | |
| 623371-4 | 3-Major | After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed | |
| 623367-3 | 3-Major | K57879554 | When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key. |
| 623336-1 | 3-Major | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ | |
| 623265-1 | 3-Major | K15645547 | UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★ |
| 622619-2 | 3-Major | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD | |
| 622183-2 | 3-Major | The alert daemon should remove old log files but it does not. | |
| 621909-6 | 3-Major | K23562314 | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
| 621259-1 | 3-Major | Config save takes long time if there is a large number of data groups | |
| 620969-2 | 3-Major | iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards. | |
| 620954-1 | 3-Major | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable | |
| 620658 | 3-Major | Existence of /mprov_firstboot with vcmp can set improper tmmcount | |
| 619854 | 3-Major | Duplicate entry for bigipPb200 in F5-BIG-IP-SYSTEM-MIB | |
| 619210 | 3-Major | [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys | |
| 618319-2 | 3-Major | K58255321 | HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked |
| 614493-3 | 3-Major | BIG-IP reset on ePVA accelerated flow may contain stale TCP window information. | |
| 614486-4 | 3-Major | BGP community lower bytes of zero is not allowed to be set in route-map | |
| 609772-2 | 3-Major | Tilde character does not work on GET requests via iControl REST | |
| 609186-1 | 3-Major | TMM or MCP might core while getting connections via iControl. | |
| 609119-3 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: | |
| 607961-5 | 3-Major | Secondary blades restart when modifying a virtual server's route domain in a different partition. | |
| 606330-1 | 3-Major | The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family. | |
| 605840-1 | 3-Major | HSB receive failure lockup due to unreceived loopback packets | |
| 605800-1 | 3-Major | Web GUI submits changes to multiple pool members as separate transactions | |
| 605792-5 | 3-Major | Installing a new version changes the ownership of administrative users' files★ | |
| 605775 | 3-Major | Config sync fails after creating local user matching previously logged in remote user | |
| 602566-3 | 3-Major | sod daemon may crash during start-up | |
| 602193-1 | 3-Major | iControl REST call to get certificate fails if | |
| 601414-3 | 3-Major | Combined use of session and table irule commands can result in intermittent session lookup failures | |
| 601220 | 3-Major | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade | |
| 600944-4 | 3-Major | tmsh does not reset route domain to 0 after cd /Common and loading bash | |
| 598650-3 | 3-Major | apache-ssl-cert objects do not support certificate bundles | |
| 597729-2 | 3-Major | Errors logged after deleting user in GUI | |
| 596826-1 | 3-Major | Don't set the mirroring address to a floating self IP address | |
| 596815-2 | 3-Major | System DNS nameserver and search order configuration does not always sync to peers | |
| 596067-1 | 3-Major | GUI on VIPRION hangs on secondary blade reboot | |
| 596020-1 | 3-Major | Devices in a device-group may report out-of-sync after one of the devices is rebooted | |
| 595868 | 3-Major | HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. | |
| 595317-5 | 3-Major | Forwarding address for Type 7 in ospfv3 is not updated in the database | |
| 592194-1 | 3-Major | Rarely, an HSB transmitter failure occurs | |
| 590938-1 | 3-Major | The CMI rsync daemon may fail to start | |
| 590904-4 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active | |
| 588646-4 | 3-Major | Use of Standard access list remarks in imish may causes later entries to fail on add | |
| 587821-4 | 3-Major | K91818030 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
| 587668-4 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. | |
| 587457-1 | 3-Major | REST API does not allow modification of AFM address list | |
| 586938-3 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address |
| 583754-4 | 3-Major | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. | |
| 583475-3 | 3-Major | The BIG-IP may core while recompiling LTM policies | |
| 582084-4 | 3-Major | BWC policy in device sync groups. | |
| 580832 | 3-Major | mcpd core during config push from Enterprise Manager | |
| 579694-3 | 3-Major | Monitors may create invalid configuration files | |
| 579035-1 | 3-Major | K46145454 | Config sync error when a key with passphrase is converted into FIPS. |
| 578551-1 | 3-Major | bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot | |
| 577440-3 | 3-Major | audit logs may show connection to hagel.mnet | |
| 575368-1 | 3-Major | Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card | |
| 572375 | 3-Major | K36870345 | Race condition in the terminate handler of the icrd_child process causes the process to become unresponsive, and generates a core file |
| 571333-11 | 3-Major | K36155089 | fastL4 TCP handshake timeout not honored for offloaded flows |
| 569281-5 | 3-Major | K33242855 | L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot |
| 567774-3 | 3-Major | ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root | |
| 566507-1 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment | |
| 561444-2 | 3-Major | LCD might display incorrect output. | |
| 559916 | 3-Major | Corrupt MCP message causes crash in MCPConnection::sendMessage | |
| 559584-4 | 3-Major | K23410869 | tmsh list/save configuration takes a long time when config contains nested objects. |
| 559100-1 | 3-Major | K60804782 | Unable to Import Certificate to a partition subfolder, message: Name cannot contain '/' nor '\'. |
| 559080-2 | 3-Major | High Speed Logging to specific destinations stops from individual TMMs | |
| 558944-3 | 3-Major | HSB debug registers needed | |
| 557155-1 | 3-Major | K33044393 | BIG-IP Virtual Edition becomes completely unresponsive under very heavy load. |
| 557079 | 3-Major | 'gtmd' daemon is not visible in daemon-ha list command | |
| 553446-2 | 3-Major | K44842083 | Interface bfd session does not appear in configuration file or in show running-config |
| 552585-2 | 3-Major | K32030059 | AAA pool member creation sets the port to 0. |
| 552278 | 3-Major | K07441245 | Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows. |
| 549872-4 | 3-Major | K55535322 | REST API command to create a new pool member on an existing pool returns a 404 error |
| 548175-3 | 3-Major | K74474731 | Idle timeout may be tcp handshake timeout on CMP demoted Fast L4 virtual servers. |
| 545946-3 | 3-Major | Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load★ | |
| 545799-3 | 3-Major | K48550324 | Dashboard fails to export derived throughput history |
| 545214-4 | 3-Major | K54734184 | OSPF distance command does not persist across restarts. |
| 542347-4 | 3-Major | Denied message in audit log on first time boot | |
| 542191-3 | 3-Major | K53938810 | Snmpd V1 and V2c view based access. |
| 539199-2 | 3-Major | HTML filter is truncating the server response when sending it to client | |
| 528987-2 | 3-Major | Benign warning during formatting installation | |
| 528295-9 | 3-Major | K40735404 | Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later. |
| 528083-3 | 3-Major | K12055204 | On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown. |
| 528056-2 | 3-Major | VCMP: Large vdisk was unable to migrate in 15 minute timeout | |
| 527206-4 | 3-Major | Management interface may flap due to LOP sync error | |
| 526708-1 | 3-Major | system_check shows fan=good on removed PSU of 4000 platform | |
| 525580-2 | 3-Major | K51013874 | tmsh load sys config merge file filename.scf base command does not work as expected |
| 524193-3 | 3-Major | Multiple Source addresses are not allowed on a TMSH SNMP community | |
| 524123-4 | 3-Major | iRule ISTATS::remove does not work | |
| 523985-2 | 3-Major | Certificate bundle summary information does not propagate to device group peers | |
| 523797-4 | 3-Major | Upgrade: file path failure for process name attribute in snmp.★ | |
| 522993-1 | 3-Major | K17638180 | tmsh crashes when trying to perform a wildcard delete of iRules |
| 522024-4 | 3-Major | K17214 | Config sync of SecurID config file fails on secondary blades |
| 521828-1 | 3-Major | K78693459 | CMI device credentials (device name or password) containing XML special charactersresults in peer discovery error |
| 517578-2 | 3-Major | statsd crash when failed to open stats files | |
| 516167-4 | 3-Major | K21382264 | TMSH listing with wildcards prevents the child object from being displayed |
| 512853-3 | 3-Major | Kerberos SSO fails if KDC is not specified | |
| 512130-5 | 3-Major | Remote role group authentication fails with a space in LDAP attribute group name | |
| 510436-4 | 3-Major | K94250670 | TMM logs carry a generic hostname at startup |
| 506548-1 | 3-Major | Mgmt port does not link with correct speed or duplex when using fixed media on AOM-based platforms | |
| 505123-6 | 3-Major | K59284293 | sysObjectID returns 'unknown' platform on the VIPRION 4400 |
| 501947-1 | 3-Major | K01521766 | Cannot delete keys/certificates whose names start with 0 (zero). |
| 501418-3 | 3-Major | K17534 | OSPF: Multiple ECMP default routes not distributed to TMM |
| 499694-3 | 3-Major | LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor★ | |
| 496663 | 3-Major | iRule object in non-Common partition referenced from another partition breaks upgrade/config load★ | |
| 496346-2 | 3-Major | K02274323 | TMM crash when moving to standby |
| 496155-1 | 3-Major | tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis | |
| 496038-1 | 3-Major | system_check shows stale chassis fan tray data after the chassis is removed | |
| 496018-3 | 3-Major | Deleting a rewrite profile fails to delete the dependent objects. | |
| 493250-3 | 3-Major | K36428111 | BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled |
| 489499-1 | 3-Major | chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd | |
| 488610-1 | 3-Major | K46331880 | Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page |
| 488262-5 | 3-Major | moving VLAN from route-domain being deleted in the same transaction can cause errors | |
| 485352-2 | 3-Major | TMM dumps core file when loading configuration or starting up | |
| 485164-3 | 3-Major | MCPD cores when the Check Service Date in the license is not current. | |
| 480983-5 | 3-Major | tmrouted daemon may core due to daemon_heartbeat | |
| 476708-9 | 3-Major | K34225935 | ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up |
| 474149-3 | 3-Major | K83100432 | SOD posts error message: Config digest module error: Traffic group device not found |
| 473415-2 | 3-Major | K93511901 | ASM Standalone license has to include URL and HTML Rewrite★ |
| 473088-7 | 3-Major | K17091 | Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile |
| 472308-2 | 3-Major | K10569796 | Management IP address change interaction with HA heartbeat / failover traffic |
| 469549-1 | 3-Major | User Modification Denied error on initial bootup★ | |
| 469366-1 | 3-Major | K16237 | ConfigSync might fail with modified system-supplied profiles |
| 468559-1 | 3-Major | K94314095 | Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.★ |
| 465555-1 | 3-Major | K53914592 | GUI unable to open and configure iApp Application. |
| 464252-3 | 3-Major | Possible tmm crash when modifying html pages with HTML profile. | |
| 461818-2 | 3-Major | Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio | |
| 452660-3 | 3-Major | SNMP trap engineID should not be configsynced between HA-pairs | |
| 446713 | 3-Major | Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis. | |
| 441482-3 | 3-Major | SWG is seen on platforms with less than 8 GB of memory | |
| 441297-2 | 3-Major | K16493 | Trunk remains down and interface's status is 'uninit' after mcpd restart |
| 439399-4 | 3-Major | K17483 | Discrepancy between Throughput and Detailed Througput data |
| 433380-1 | 3-Major | qkview files may contain truncated configuration files | |
| 433055-5 | 3-Major | BFD GTSM IMI shell commands don't work | |
| 427924-8 | 3-Major | K14667 | ipport hash type is not programmed in new blade |
| 423482-1 | 3-Major | Removing the gateway failsafe pool in web interface does not set the pool::gateway failsafe device property to none | |
| 421797-2 | 3-Major | ePVA continues to accelerate IP Forwarding VS traffic even in Standby | |
| 416292-8 | 3-Major | MCPD can core as a result of another component shutting down prematurely | |
| 384995-3 | 3-Major | K43346407 | Management IP changes are not synced to the device group. |
| 378967-2 | 3-Major | Users are not synchronized if created in a partition | |
| 375434-3 | 3-Major | HSB lockup might occur when TMM tries unsuccessfully to reset HSB. | |
| 373949-3 | 3-Major | Network failover without a management address causes active-active after unit1 reboot | |
| 369596-1 | 3-Major | show ltm pool doesn't show the most updated info | |
| 369352-12 | 3-Major | No verification prompt when executing 'load sys config default' for resource administrator role | |
| 351130-2 | 3-Major | iApp templates are visible with only vCMP provisioned. | |
| 337934-14 | 3-Major | remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly | |
| 225094-2 | 3-Major | When changing expired password, user is dictionary restricted even with password policy disabled | |
| 224903-4 | 3-Major | K71296207 | CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32. |
| 723988-5 | 4-Minor | IKEv1 phase2 key length can be changed during SA negotiation | |
| 714576 | 4-Minor | Removing a Copper SFP on certain platforms incorrectly retains info about the SFP | |
| 692172-4 | 4-Minor | rewrite profile causes "No available pool member" failures when connection limit reached | |
| 691491-1 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
| 685582-4 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
| 683029-4 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
| 674145-5 | 4-Minor | chmand error log message missing data | |
| 668964-4 | 4-Minor | K81873940 | 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group |
| 663911-4 | 4-Minor | When running out of memory, MCP can report an incorrect allocation size | |
| 652981 | 4-Minor | tmipsecd aborts | |
| 647812-1 | 4-Minor | /tmp/wccp.log file grows unbounded | |
| 636823-1 | 4-Minor | Node name and node address | |
| 636031-2 | 4-Minor | K23313837 | GUI LTM Monitor Configuration String adding CR for type Oracle |
| 634014-3 | 4-Minor | Absolute timers may fire one second early during the leap second event | |
| 632668-2 | 4-Minor | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds | |
| 624909-4 | 4-Minor | Static route create validation is less stringent than static route delete validation | |
| 623536-5 | 4-Minor | SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent | |
| 616021-4 | 4-Minor | K93089152 | Name Validation missing for some GTM objects |
| 611054-4 | 4-Minor | Network failover "enable" setting is sometimes ignored on chassis systems | |
| 609107-3 | 4-Minor | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf | |
| 608348-1 | 4-Minor | Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system | |
| 606799-4 | 4-Minor | K16703796 | GUI total number of records not correctly initialized with search string on several pages. |
| 598498-6 | 4-Minor | Cannot remove Self IP when an unrelated static ARP entry exists. | |
| 598289-1 | 4-Minor | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port> | |
| 594647-1 | 4-Minor | No iControl functions to get and set master key. | |
| 591733-1 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
| 591732 | 4-Minor | Local password policy not enforced when auth source is set to a remote type. | |
| 589862-3 | 4-Minor | HA Grioup percent-up display value is truncated, not rounded | |
| 588946 | 4-Minor | K72351284 | BIG-IP v11.5.4 successfully installs on 12250v platform but is not supported. |
| 586348-3 | 4-Minor | Network Map Pool Member Parent Node Name display and Pool Member hyperlink | |
| 585097-4 | 4-Minor | Traffic Group score formula does not result in unique values. | |
| 584788-3 | 4-Minor | Directed failover of HA pair using only hardwire failover will fail | |
| 583777-1 | 4-Minor | K33230520 | [TMSH] sys crypto cert missing tab completion function |
| 583084-3 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
| 582595-1 | 4-Minor | K52029952 | default-node-monitor is reset to none for HA configuration. |
| 581865 | 4-Minor | K11053914 | 6900, 8900, 8950, or 11050 platforms missing swap storage★ |
| 575848-3 | 4-Minor | K03803451 | Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated. |
| 575176-4 | 4-Minor | Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic | |
| 573031-2 | 4-Minor | qkview may not collect certain configuration files in their entirety | |
| 571424 | 4-Minor | Topology Records: Longest Match Sorting in Unexpected Order | |
| 563560-2 | 4-Minor | Intermittent iStats reset | |
| 559911 | 4-Minor | Nondescriptive error when an application template upload fails on iApp load. | |
| 559837-7 | 4-Minor | Misleading error message in catalina.out when listing certificates. | |
| 559571 | 4-Minor | Temporary negative bit-count on mgmt interface after LBH reset | |
| 557452-3 | 4-Minor | Messages logged when the CAN daemon (cand) receives unsolicited data | |
| 556616-1 | 4-Minor | K75634982 | Unable to install from hotfix on platform with SSD via the GUI |
| 542292-3 | 4-Minor | K11051722 | GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome. |
| 541693-1 | 4-Minor | K32391836 | Monitor inheriting time-until-up and up-interval from parent incorrectly via GU |
| 541320-4 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
| 533790-2 | 4-Minor | Creating multiple address entries in data-group might result in records being incorrectly deleted | |
| 532915-2 | 4-Minor | No validation error attempting to modify a record in an external data-group using iControl SOAP. | |
| 530927-1 | 4-Minor | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed | |
| 528894-4 | 4-Minor | Config sync after sub-partition config changes results extra lines in the partition's conf file | |
| 527720-3 | 4-Minor | Rare 'No LopCmd reply match found' error in getLopReg | |
| 526642-5 | 4-Minor | iRule with HTML commands inside can be attached to Virtual server without HTML profile | |
| 525847-1 | 4-Minor | SNMP manager doesn't accept community name in double quotes in packet capture. | |
| 524185-1 | 4-Minor | Unable to run lvreduce | |
| 523992-6 | 4-Minor | K12604540 | tmsh error map not included in /etc/alertd |
| 505003 | 4-Minor | SSLv3 is disabled by default on the management interface of BIG-IP on AWS Marketplace | |
| 503960-5 | 4-Minor | The requested unknown (1936) was not found. | |
| 499348-3 | 4-Minor | System statistics may fail to update, or report negative deltas due to delayed stats merging | |
| 495227-4 | 4-Minor | tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038). | |
| 483242-3 | 4-Minor | GUI LTM Profile ClientSSL unable to recognize certificates/key with short names. | |
| 479262-1 | 4-Minor | 'readPowerSupplyRegister error' in LTM log | |
| 476544-1 | 4-Minor | mcpd core during sync | |
| 475896-3 | 4-Minor | K50710744 | 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails |
| 473213-5 | 4-Minor | Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms. | |
| 473212-2 | 4-Minor | Systems which do not use RAID show confusing RAID status on the LCD | |
| 472581-1 | 4-Minor | Cannot use 'default' as the FIPS security officer password. | |
| 472310-3 | 4-Minor | BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU | |
| 467703-3 | 4-Minor | K17340 | Management interface sending erroneous IPv6 MLD or IPv4 IGMP packets |
| 466017-1 | 4-Minor | K50042218 | Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles |
| 451479-4 | 4-Minor | K16273 | ConfigSync over IPv6 fails due to wrong rsync formatting |
| 442322-3 | 4-Minor | vCMP guest names in statistics limited to 32 characters | |
| 700299 | 5-Cosmetic | Missing changelog entry for CVE-2015-5146 in ntp.spec | |
| 673701 | 5-Cosmetic | 'tmsh show sys software' can erroneously show status 'installing hotfix' after inserting new blade | |
| 673693 | 5-Cosmetic | 'tmsh show sys software' can erroneously show status 'installing hotfix' after inserting new blade | |
| 629207 | 5-Cosmetic | TMSH output shows dtca.crt certificate-key-size is 1 | |
| 603092-2 | 5-Cosmetic | "displayservicenames" does not apply to show ltm pool members | |
| 594228 | 5-Cosmetic | Resetting mgmt interface statistics doesn't work on VE or VCMP | |
| 589199 | 5-Cosmetic | CoS queue egress drop counts not reported in all drop counter stats. | |
| 572655-3 | 5-Cosmetic | Request Logging profile Template textarea wrapping set to soft wrap | |
| 479888-1 | 5-Cosmetic | K51292925 | BCM debug logging cannot be turned off once enabled |
| 476405-2 | 5-Cosmetic | BFD IPv6 session display command in IMI shell display the wrong remote port number. | |
| 466116-4 | 5-Cosmetic | Intermittent 'AgentX' warning messages in syslog/ZebOS log files | |
| 417045-2 | 5-Cosmetic | Error: 'err chmand[8873]: Error sending MCP system_information (err:1020003) | |
| 402414-2 | 5-Cosmetic | K07026135 | Configured flow control not applied to Copper SFPs |
| 396273-4 | 5-Cosmetic | Error message in dmesg and kern.log: vpd r/w failed |
Local Traffic Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 726239-1 | 2-Critical | TMM panic via SIGABRT from sod | |
| 705773 | 2-Critical | TMM may core with a virtual server configured with fastl4, http, and persistence | |
| 700393-6 | 2-Critical | Under certain circumstances a stale http2 stream can cause a tmm crash | |
| 686228-4 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
| 676721-4 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash. |
| 665732-4 | 2-Critical | FastHTTP may crash when receiving a fragmented IP packet | |
| 657713-4 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. |
| 648037-4 | 2-Critical | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash | |
| 639744-4 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
| 639039-2 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
| 634259-1 | 2-Critical | K50166002 | IP tuple nexthop object can be freed while still referenced by another structure |
| 620958 | 2-Critical | TMM crash with assertion failure of pkt type not already ETHERTYPE_ARP | |
| 619528-3 | 2-Critical | TMM may accumulate internal events resulting in TMM restart | |
| 618463-1 | 2-Critical | artificial low route mtu can cause SIGSEV core from monitor traffic | |
| 615303-4 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
| 613088-2 | 2-Critical | pkcs11d thread has session initialization problem. | |
| 609199-2 | 2-Critical | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join | |
| 607360-3 | 2-Critical | Safenet 6.2 library missing after upgrade★ | |
| 602326-2 | 2-Critical | Intermittent pkcs11d core when installing Safenet 6.2 software | |
| 583700-4 | 2-Critical | tmm core on out of memory | |
| 571651-2 | 2-Critical | K66544028 | Reset crypto accelerator queue if it becomes stuck. |
| 566071-6 | 2-Critical | network-HSM may not be operational on secondary slots of a standby chassis. | |
| 541916 | 2-Critical | tmm segfault: hud_process_upper | |
| 513310-4 | 2-Critical | TMM might core when a profile is changed. | |
| 511782-9 | 2-Critical | K16424 | The HTTP_DISABLED event does not trigger in some cases |
| 492352-4 | 2-Critical | SSL profiles using password protected SSL keys cause config utility error | |
| 491789-1 | 2-Critical | Better retransmit recovery in a lossy network. | |
| 489217-2 | 2-Critical | "cipher" memory can leak | |
| 481869-1 | 2-Critical | Certain blade failure events may result in a 10+ second delay in failover occurring | |
| 470880-2 | 2-Critical | Policy Sync cause target vCMP guest secondary slots to reboot when guest(s) is deployed on multiple slots. | |
| 469071-2 | 2-Critical | TMM segfault in mpctp_switch_conns | |
| 468204-1 | 2-Critical | TMM can crash with SIGFPE assertion 'valid ctx crule_cnt' when a firewall iRule and OneConnect are used together. | |
| 464437-2 | 2-Critical | K16525 | Quickly repeated external datagroup loads might cause TMM crash. |
| 459994-3 | 2-Critical | tmm may crash if default gateway pool contains members that it cannot route to | |
| 457034-3 | 2-Critical | Multipath TCP (MPTCP): TMM crash in stockpile management | |
| 452283-4 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
| 442620 | 2-Critical | MPTCP Timeout value configuration error checking is not working | |
| 423629-5 | 2-Critical | K08454006 | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
| 726232-4 | 3-Major | iRule drop/discard may crash tmm | |
| 723306-6 | 3-Major | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition | |
| 723112-2 | 3-Major | LTM policies does not work if a condition has more than 127 matches | |
| 718867-5 | 3-Major | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★ | |
| 714384-7 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
| 712664-6 | 3-Major | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | |
| 711981-1 | 3-Major | BIG-IP system accepts larger-than-egress MTU, PMTU update | |
| 710028-6 | 3-Major | LTM SQL monitors may stop monitoring if multiple monitors querying same database | |
| 707691-1 | 3-Major | BIG-IP handles some pathmtu messages incorrectly | |
| 705794-6 | 3-Major | Under certain circumstances a stale http2 stream can cause a tmm crash | |
| 705112 | 3-Major | DHCP server flows are not re-established after expiration | |
| 704381-1 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
| 702450-6 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
| 701690-5 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
| 700061-1 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
| 700057-1 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
| 695925-5 | 3-Major | tmm crash when showing connections for a CMP disabled virtual server | |
| 695707-1 | 3-Major | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | |
| 695109-5 | 3-Major | K15047377 | Changes to fallback persistence profiles attached to a Virtual server are not effective |
| 693582-5 | 3-Major | Monitor node log not rotated for icmp monitor types | |
| 691785-5 | 3-Major | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | |
| 690778-5 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
| 690042-5 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
| 689449-5 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
| 689089-5 | 3-Major | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | |
| 688586-1 | 3-Major | DTLS does not retransmit ServerHello message if it is lost | |
| 688570-1 | 3-Major | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | |
| 685519-5 | 3-Major | Mirrored connections ignore the handshake timeout | |
| 683706 | 3-Major | Pool member status remains 'checking' when manually forced down at creation | |
| 680972 | 3-Major | K73425254 | Hidden newlines within monitor parameters may silently load without error |
| 679854-1 | 3-Major | UIE persist may be inconsistent after a pool member is brought down | |
| 678450-5 | 3-Major | No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve. | |
| 676828-4 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
| 674591 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
| 673621-1 | 3-Major | Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile. | |
| 670520-1 | 3-Major | FastL4 not sending keepalive at proper interval when other side gets response | |
| 668520 | 3-Major | csyncd does not handle an rsync stall | |
| 668196-4 | 3-Major | Connection limit continues to be enforced with least-connections and pool member flap, member remains down | |
| 662816-4 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types |
| 661881-4 | 3-Major | Memory and performance issues when using certain ASN.1 decoding formats in iRules | |
| 657883-4 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
| 657795-3 | 3-Major | K51498984 | Possible performance impact on some SSL connections |
| 655767-1 | 3-Major | MCPD does not prevent deleting an iRule that contains in-use procedures | |
| 655724-1 | 3-Major | K15695 | MSRDP persistence does not work across route domains. |
| 655432-3 | 3-Major | K85522235 | SSL renegotiation failed intermittently with AES-GCM cipher |
| 655383-1 | 3-Major | Failure to extend database continues to execute rather than halting because of fragmented state. | |
| 654109-4 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted |
| 653930-4 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load. |
| 651901-5 | 3-Major | Removed unnecessary ASSERTs in MPTCP code | |
| 651889-1 | 3-Major | persist record may be inconsistent after a virtual hit rate limit | |
| 651541-4 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
| 648954-4 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
| 647071-4 | 3-Major | Stats for SNATs do not work when configured in a non-zero route domain | |
| 645635-4 | 3-Major | Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests | |
| 645058-2 | 3-Major | Modifying SSL profiles in GUI may fail when key is protected by passphrase | |
| 643860-2 | 3-Major | Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly | |
| 643041-3 | 3-Major | K64451315 | Less than optimal interaction between OneConnect and proxy MSS |
| 642122 | 3-Major | Cannot delete a SNAT pool and SNAT translation address in a single transaction. | |
| 640369-4 | 3-Major | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan | |
| 637613-1 | 3-Major | K24133500 | Cluster blade being disabled immediately returns to enabled/green |
| 635173-4 | 3-Major | Standby BIG-IP TMM uses unexpectedly large amount of memory | |
| 634201-1 | 3-Major | POST requests get reset on early server response. | |
| 632156 | 3-Major | A standby system can send gratuitous ARPs using both the VLAN and VLAN group MAC addresses | |
| 632001-2 | 3-Major | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys | |
| 628721-4 | 3-Major | In rare conditions, DNS cache resolver outbound TCP connections fail to expire. | |
| 626434-3 | 3-Major | K65283203 | tmm may be killed by sod when a hardware accelerator does not work |
| 625807 | 3-Major | tmm cored in bigproto_cookie_buffer_to_server | |
| 624917-2 | 3-Major | First few handshakes fail after chassis/appliance reboot when using HSM | |
| 624616-4 | 3-Major | Safenet uninstall is unable to remove libgem.so | |
| 622260 | 3-Major | Some TCP connections do not work when hardware syncookies are being issued and certain options are enabled | |
| 622017-7 | 3-Major | K54106058 | Performance graph data may become permanently lost after corruption. |
| 621855 | 3-Major | TMM could use a lot of memory when an iRule calls parking command under AUTH events | |
| 621736-2 | 3-Major | statsd does not handle SIGCHLD properly in all cases | |
| 618546-1 | 3-Major | ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile | |
| 618104-4 | 3-Major | Connection Using TCP::collect iRule May Not Close | |
| 615553-2 | 3-Major | K51205306 | Reverse/transparent setting reverting to disabled on child monitor |
| 614410-1 | 3-Major | Unexpected handling of TCP timestamps in HA configuration | |
| 613912 | 3-Major | SSID filter may cause excessive buffering and high CPU | |
| 613618-3 | 3-Major | The TMM crashes in the websso plugin. | |
| 613079-1 | 3-Major | Diameter monitor watchdog timeout fires after only 3 seconds | |
| 611691-2 | 3-Major | Packet payload ignored when DSS option contains DATA_FIN | |
| 610302-3 | 3-Major | Link throughput graphs might be incorrect. | |
| 609244-7 | 3-Major | tmsh show ltm persistence persist-records leaks memory | |
| 608991-2 | 3-Major | BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed | |
| 607246-1 | 3-Major | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires | |
| 607166-4 | 3-Major | Hidden directories and files are not synchronized to secondary blades | |
| 605175-2 | 3-Major | Backslashes in monitor send and receive strings | |
| 604549-2 | 3-Major | MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data | |
| 603236-3 | 3-Major | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware | |
| 602366-3 | 3-Major | Safenet 6.2 HA performance | |
| 602329-2 | 3-Major | syncookie header of HA channel mirror packets is not cleared | |
| 602136-2 | 3-Major | iRule drop command causes tmm segfault or still sends 3-way handshake to the server. | |
| 601189-1 | 3-Major | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | |
| 601178-4 | 3-Major | HTTP cookie persistence 'preferred' encryption | |
| 600593-5 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests | |
| 600385-3 | 3-Major | K43295141 | BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout |
| 598707-3 | 3-Major | Path MTU does not work in self-IP flows | |
| 598204-2 | 3-Major | K54284420 | In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK. |
| 597879-4 | 3-Major | CDG Congestion Control can lead to instability | |
| 597532-3 | 3-Major | iRule: RADIUS avp command returns a signed integer | |
| 595921-3 | 3-Major | VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses. | |
| 595854 | 3-Major | An incorrect MSS can be sent in client SYN/ACK packet for an accelerated connection | |
| 594751-5 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
| 593530-3 | 3-Major | In rare cases, connections may fail to expire | |
| 592497-3 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. | |
| 590156-1 | 3-Major | Connections to an APM virtual server may be reset and fail on appliance and VE platforms. | |
| 589006-6 | 3-Major | SSL does not cancel pending sign request before the handshake times out or is canceled. | |
| 586621-2 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected. |
| 584948-4 | 3-Major | Safenet HSM integration failing after it completes. | |
| 584865-2 | 3-Major | Primary slot mismatch after primary cluster member leaves and then rejoins the cluster | |
| 582234-3 | 3-Major | When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again. | |
| 582207-6 | 3-Major | MSS may exceed MTU when using HW syncookies | |
| 579252-1 | 3-Major | Traffic can be directed to a less specific virtual during virtual modification | |
| 578971-4 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed | |
| 575347-3 | 3-Major | Unexpected backslashes remain in monitor 'username' attribute after upgrade | |
| 574263 | 3-Major | keys remain on FIPS card after deletion | |
| 572180-3 | 3-Major | httpclass containing escaped backslashes are stripped on migration to LTM policy★ | |
| 572142-1 | 3-Major | Config sync peer may fail to monitor newly added pool member after it is added via sync | |
| 571482-1 | 3-Major | Unbalanced double-quotes may merge lines upon config save-then-load★ | |
| 567862-2 | 3-Major | intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance | |
| 563933-3 | 3-Major | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs | |
| 563687-1 | 3-Major | K10751444 | [DNS] dns64 behavior does not comply with RFC about how to treat RCODEs other than 'NO ERROR' |
| 562292-3 | 3-Major | Nesting periodic after with parking command could crash tmm | |
| 560685-3 | 3-Major | TMM may crash with 'tmsh show sys conn'. | |
| 560231-2 | 3-Major | Pipelined requests may result in a RST if the server disconnects | |
| 559554-3 | 3-Major | CHD congestion control can have erroneous very large cwnd. | |
| 557548-1 | 3-Major | TMM can continuously attempt to reset failing Nitrox | |
| 557513 | 3-Major | Monitor description containing escape characters could get double-escaped | |
| 555343-2 | 3-Major | tmm may crash in fastl4 tcp virtual server | |
| 554444-5 | 3-Major | LTM Policy resets connection when removing non-existant HTTP header | |
| 553830-3 | 3-Major | Use of OneConnect may result in stalled flows | |
| 553521-2 | 3-Major | TMM crash when executing route lookup in tmsh for multicast destination | |
| 548611-2 | 3-Major | Memory protection strategies can conflict | |
| 545796-1 | 3-Major | [iRule] [Stats] iRule is not generating any stats for executed iRules. | |
| 544958 | 3-Major | Monitors packets are sent even when pool member is 'Forced Offline'. | |
| 537209-1 | 3-Major | Fastl4 profile sends RST packet when idle timeout value set to 'immediate' | |
| 535857-1 | 3-Major | When binary database is not present, during mcp load, unexpected creation of VLAN membership in 'cist' STP singleton | |
| 534890-3 | 3-Major | K73310443 | When using session tickets, the session id sent might be incorrect |
| 532904-1 | 3-Major | K24219334 | Some HTTP commands fail validation when it is in a proc and the proc is called from another proc |
| 530266-2 | 3-Major | Rate limit configured on a node can be exceeded | |
| 527238-2 | 3-Major | Improvements to the Single DH use option in SSL profile | |
| 522620-2 | 3-Major | BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed | |
| 517756-1 | 3-Major | Existing connections can choose incorrect route when crossing non-strict route-domains | |
| 516280-1 | 3-Major | bigd process uses a large percentage of CPU | |
| 512885-1 | 3-Major | https monitor fails to work with MD5 with RSA as signature hash algorithm | |
| 511324-4 | 3-Major | K23159242 | HTTP::disable does not work after the first request/response. |
| 510951-2 | 3-Major | K70436635 | Status of connection limited pool is reported incorrectly |
| 510395-2 | 3-Major | K17485 | Disabling some events while in the event, then running some commands can cause tmm to core. |
| 502129-1 | 3-Major | Hash Cookie Persistence interaction with persistence iRules | |
| 501984-1 | 3-Major | TMM may experience an outage when an iRule fails in LB_SELECTED. | |
| 499615-14 | 3-Major | RAM cache serves zero length documents. | |
| 499431-3 | 3-Major | K90250656 | Validation does not check that all keys/certificates are removed from the clientSSL profile★ |
| 499404-2 | 3-Major | K15457342 | FastL4 does not honor the MSS override value in the FastL4 profile with syncookies |
| 494084-3 | 3-Major | Certain rapidly-terminating UDP virtuals may core on standby | |
| 490121-2 | 3-Major | Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event | |
| 486735-3 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
| 483653-3 | 3-Major | In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window | |
| 480982-3 | 3-Major | K37041313 | pkcs11d with a high thread count can result in high CPU utilization |
| 479872-2 | 3-Major | K16284 | Corresponding protocol profiles must exist on both clientside/serverside |
| 477897-1 | 3-Major | After modifying the protocol profile on an SCTP virtual, the logs may contain error messages | |
| 471288-9 | 3-Major | K00054154 | TMM might crash with session-related commands in iRules. |
| 471001-3 | 3-Major | K60650269 | Standby responds to traceroute on mirror enabled forwarding virtual server |
| 468083-1 | 3-Major | K16433 | An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover. |
| 462881-2 | 3-Major | K17006 | Configuration utility allows for mismatch in IP protocol and transport profile |
| 456378-1 | 3-Major | K15465 | On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core |
| 446526-9 | 3-Major | TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash. | |
| 440431-4 | 3-Major | K15353 | Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands. |
| 439540-5 | 3-Major | K16063 | Connection to a Self IP to network HSM may not be established after the BIG-IP system reboots. |
| 439490-8 | 3-Major | System does not reconnect to SafeNet HSM if connection is interrupted | |
| 437703-6 | 3-Major | K15544 | LTM policies do not accept special characters in HTTP header names |
| 434517-9 | 3-Major | HTTP::retry doesn't work in an early server response | |
| 433572-2 | 3-Major | DTLS does not work with rfcdtls cipher on the B2250 blade | |
| 433323-11 | 3-Major | Ramcache handling of Cache-Control: no-cache directive in Response | |
| 431480-3 | 3-Major | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message | |
| 429810-4 | 3-Major | K15576 | 2000/4000 platforms can end up in indeterminate ARL/FDB state |
| 390514-1 | 3-Major | SNMP_DCA_BASE monitor does not recognize Threshold and Coefficient★ | |
| 385859-2 | 3-Major | K32493236 | iRule TCP::close on VIP with RAM cache can cause TMM restart |
| 369640-3 | 3-Major | K17195 | Folder path objects in iRules can have only a single context per script |
| 360557-2 | 3-Major | K01146549 | Multiple 'memory exhausted' core files in a configuration containing multiple leading wildcard repetition matches regexes |
| 352957-3 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
| 343561-2 | 3-Major | The Set-Cookie2 header should supersede the Set-Cookie header. | |
| 343455-2 | 3-Major | HTTP state management (cookie) mechanism may detect wrong version | |
| 251162-5 | 3-Major | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name | |
| 248424-10 | 3-Major | Content length doesn't get updated during replacement using stream profile | |
| 246726-3 | 3-Major | K8940 | System continues to process virtual server traffic after disabling virtual address |
| 222117-2 | 3-Major | CACHE::enable in HTTP_RESPONSE event does not force items into cache. | |
| 713533-5 | 4-Minor | list self-ip with queries does not work | |
| 700433-4 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
| 693901-1 | 4-Minor | Active FTP data connection may change source port on client-side | |
| 689351-1 | 4-Minor | Unclear fipskey event | |
| 684319-1 | 4-Minor | iRule execution logging | |
| 677270-4 | 4-Minor | K76116244 | Trailing comments in iRules are removed from the config when entered/loaded in TMSH |
| 675911-3 | 4-Minor | K13272442 | Dashboard CPU history file may contain incorrect values |
| 653746-4 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPU is too large |
| 652577-4 | 4-Minor | Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address | |
| 651005-1 | 4-Minor | FTP data connection may use incorrect auto-lasthop settings. | |
| 639970-1 | 4-Minor | GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error | |
| 628016-4 | 4-Minor | MP_JOIN always fails if MPTCP never receives payload data | |
| 627764-4 | 4-Minor | Prevent sending a 2nd RST for a TCP connection | |
| 626577 | 4-Minor | HTTP monitor log file is recreated after being deleted | |
| 625892-4 | 4-Minor | Nagle Algorithm Not Fully Enforced with TSO | |
| 622148-1 | 4-Minor | flow generated icmp error message need to consider which side of the proxy they are | |
| 621843-2 | 4-Minor | the ipother proxy is sending icmp error messages to the wrong side | |
| 618884-4 | 4-Minor | Behavior when using VLAN-Group and STP | |
| 618024-4 | 4-Minor | software switched platforms accept traffic on lacp trunks even when the trunk is down | |
| 611161-2 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
| 603380-3 | 4-Minor | Very large number of log messages in /var/log/ltm with ICMP unreachable packets. | |
| 594064-3 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
| 593396-4 | 4-Minor | Stateless virtual servers may not work correctly with route pools or ECMP routes | |
| 592620-4 | 4-Minor | iRule validation does not catch incorrect 'after' syntax | |
| 586138-2 | 4-Minor | K84112154 | Inconsistent display of route-domain information in administrative partitions. |
| 584772-2 | 4-Minor | ssldump may crash when decrypting bad records | |
| 574020-1 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') | |
| 572015-4 | 4-Minor | HTTP Class profile is upgraded to a case-insensitive policy★ | |
| 564899 | 4-Minor | During shutdown, csyncd may dump core | |
| 564634-2 | 4-Minor | Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool | |
| 558893-1 | 4-Minor | TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT | |
| 553614-2 | 4-Minor | Modification to parent clientssl CKC does not consistently reflected in the child clientssl profile | |
| 549569-1 | 4-Minor | tmm may crash in the case of mem alloc fails. | |
| 545856 | 4-Minor | Java VM crash while monitoring DB | |
| 544033-1 | 4-Minor | K30404012 | ICMP fragmentation request is ignored by BIG-IP |
| 539026-2 | 4-Minor | Stats refinements for reporting Unhandled Query Actions :: Drops | |
| 535122-7 | 4-Minor | [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects | |
| 530877-6 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
| 527907-3 | 4-Minor | TCP reject Virtual Servers may not respond with TCP reset | |
| 525133-2 | 4-Minor | Restarting TMM or failover offline causes causes bigd 'emerg logger' error message | |
| 523814-6 | 4-Minor | When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections | |
| 517393-5 | 4-Minor | K17507 | Spurious RTO Detection Triggers Early Exit from Fast Recovery. |
| 517202-3 | 4-Minor | Applications including Internet Explorer using Microsoft's Secure Channel (Schannel) may fail SSL/TLS handshakes | |
| 503795-3 | 4-Minor | K37104180 | [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug |
| 500402-1 | 4-Minor | K33178590 | 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh. |
| 490139-3 | 4-Minor | Loading iRules from file deletes last few comment lines | |
| 489572-1 | 4-Minor | Sync fails if file objects are created and deleted in same transaction. | |
| 477992-1 | 4-Minor | K07450534 | Instance-specific monitor logging fails for pool members created in iApps |
| 450671-1 | 4-Minor | K15537 | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |
| 402115-3 | 4-Minor | K16272 | System does not report tmm memory with consideration of threading |
| 368610-1 | 4-Minor | TCP sends RST when regular close might succeed | |
| 360485-2 | 4-Minor | Statistics for a lasthop pool member node may be inaccurate | |
| 222409-3 | 4-Minor | K9952 | The HTTP::path iRule command may return more information than expected |
| 222034-5 | 4-Minor | HTTP::respond in LB_FAILED with large header/body might result in truncated response | |
| 524277-3 | 5-Cosmetic | Missing power supplies issue warning message that should be just a notice message. |
Performance Issues
| ID Number | Severity | Solution Article(s) | Description |
| 473485-7 | 2-Critical | Fixed a few issues in HTTP Auth module |
Global Traffic Manager (DNS) Issues
| ID Number | Severity | Solution Article(s) | Description |
| 692941-5 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
| 649564-4 | 2-Critical | Crash related to GTM monitors with long RECV strings | |
| 587656-4 | 2-Critical | GTM auto discovery problem with EHF for ID574052 | |
| 726255-5 | 3-Major | dns_path lingering in memory with last_access 0 causing high memory usage | |
| 712500-4 | 3-Major | Unhandled Query Action Drops Stat does not increment after transparent cache miss | |
| 689583-5 | 3-Major | Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption. | |
| 688335-1 | 3-Major | K00502202 | big3d may restart in a loop on secondary blades of a chassis system |
| 680069-5 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
| 679316-2 | 3-Major | iQuery connections reset during SSL key renegotiation | |
| 672491-4 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
| 671326-4 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash. |
| 660263-2 | 3-Major | DNS transparent cache message and RR set activity counters not incrementing | |
| 655807-4 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
| 653775-1 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure. |
| 648286-3 | 3-Major | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button. | |
| 637227-2 | 3-Major | K60414305 | DNS Validating Resolver produces inconsistent results with DNS64 configurations. |
| 636790-1 | 3-Major | Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete. | |
| 629421-3 | 3-Major | Big3d memory leak when adding/removing Wide IPs in a GTM sync pair. | |
| 628180-3 | 3-Major | DNS Express may fail after upgrade★ | |
| 620215-2 | 3-Major | TMM out of memory causes core in DNS cache | |
| 619158-3 | 3-Major | iRule DNS request with trailing dot times out with empty response | |
| 613045-2 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down | |
| 601180-3 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
| 595293-2 | 3-Major | Deleting GTM links could cause gtm_add to fail on new devices. | |
| 588289-5 | 3-Major | GTM is Re-ordering pools when adding pool including order designation | |
| 574052-5 | 3-Major | GTM autoconf can cause high CPU usage for gtmd | |
| 567743 | 3-Major | K70663134 | Possible gtmd crash under certain conditions. |
| 550653 | 3-Major | Errant DNS Express database log message. | |
| 517609-1 | 3-Major | K77005041 | GTM Monitor Needs Special Escape Character Treatment |
| 511865-2 | 3-Major | K16670 | [GTM] GTM external monitor is not correctly synced in GTM sync group without device group |
| 499719-3 | 3-Major | Order Zones statistics would cause database error | |
| 463216-1 | 3-Major | 'tmsh load sys config gtm-only' resets link assignments | |
| 456047 | 3-Major | Explicit links lost after adding server IP addresses using GUI | |
| 370131-1 | 3-Major | Loading UCS with low GTM Autoconf Delay drops pool Members from config | |
| 366695-6 | 3-Major | Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed | |
| 718110 | 4-Minor | MCP high CPU usage after clicking on GTM Listener name to view its properties in the Web GUI. | |
| 693007-5 | 4-Minor | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC | |
| 688266-1 | 4-Minor | big3d and big3d_install use different logics to determine which version of big3d is newer | |
| 674754-4 | 4-Minor | ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact | |
| 669262-4 | 4-Minor | K91122850 | [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record |
| 666258-4 | 4-Minor | GTM/DNS manual resume pool member not saved to config when disabled | |
| 665117-4 | 4-Minor | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
| 659969-3 | 4-Minor | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with | |
| 620346-1 | 4-Minor | When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen. | |
| 609402 | 4-Minor | K59134660 | When upgrading from v10.2.4 to v11.5.x or v11.6.x, with fallback set to null in a wideip pool, the new pool will have fallback-ipv4 set to any6.★ |
| 591705-2 | 4-Minor | K14861154 | Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help. |
| 514431-2 | 4-Minor | [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names | |
| 506423-1 | 4-Minor | K17361 | [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful |
| 474215-2 | 4-Minor | Period characters in GTM virtual server naming★ | |
| 423930-2 | 4-Minor | GTM might mark down LTM virtual servers in non-zero RDs named with special characters | |
| 588229-3 | 5-Cosmetic | DNS protocol default profiles can be deleted after being modified. |
Application Security Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 681109-4 | 2-Critical | K46212485 | BD crash in a specific scenario |
| 637252-3 | 2-Critical | K73107660 | Rest worker becomes unreliable after processing a call that generated an error |
| 636669-1 | 2-Critical | K37300224 | bd log are full of 'Can't run patterns' messages |
| 618771-3 | 2-Critical | Some Social Security Numbers are not being masked | |
| 611154-3 | 2-Critical | BD crash | |
| 582003-3 | 2-Critical | BD crash on startup or on XML configuration change | |
| 576123-1 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
| 518959 | 2-Critical | BIG-IQ Discovery of an 11.5.2 EHF1-19 BIG-IP fails | |
| 476616-1 | 2-Critical | Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1 | |
| 474252-5 | 2-Critical | K17344 | Applying ASM security policy repeatedly fills disk partition on a chassis |
| 694934-5 | 3-Major | bd crashes on a very specific and rare scenario | |
| 670501-3 | 3-Major | K85074430 | ASM policies are either not (fully) created or not (fully) deleted on the HA peer device |
| 630929-2 | 3-Major | K69767100 | Attack signature exception list upload times-out and fails |
| 625832-3 | 3-Major | A false positive modified domain cookie violation | |
| 618693-1 | 3-Major | Web Scraping session_opening_anomaly reports the wrong route domain for the source IP | |
| 617841 | 3-Major | Using iControl REST to create ucs archive results in a "500 internal server error" response when unit has ASM provisioned | |
| 605616-4 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error | |
| 604923-2 | 3-Major | REST id for Signatures change after update | |
| 604893-1 | 3-Major | ComplexType child elements in XML schema cannot have different values set in "fixed" attribute | |
| 590851-1 | 3-Major | "never log" IPs are still reported to AVR | |
| 561595-1 | 3-Major | Guest user cannot see Event Correlation details | |
| 559048 | 3-Major | "Request violation" details are blank in /var/log/asm | |
| 537213-3 | 3-Major | Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status | |
| 535904-3 | 3-Major | BD crashes when attempting to access a closed connection | |
| 530102-3 | 3-Major | Illegal meta characters on XML tags -★ | |
| 529535-3 | 3-Major | MCP validation error while deactivating a policy that is assigned to a virtual server | |
| 523522-2 | 3-Major | In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers | |
| 520732-2 | 3-Major | XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty | |
| 515190-1 | 3-Major | Event Logs -> Brute Force Attacks can't show details after navigating to another page | |
| 513887-6 | 3-Major | The audit logs report that there is an unsuccessful attempt to install a mysql user on the system | |
| 513787-2 | 3-Major | CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10 | |
| 512000-2 | 3-Major | Event Log Filter using Policy Group isn't accurate | |
| 498433-2 | 3-Major | Upgrading with ASM iRule and virtual server with no websecurity profile★ | |
| 465927-1 | 3-Major | Response is halted or reset when the request has an ignore profile | |
| 456120-4 | 3-Major | K34139426 | Policy History Files are missing after device group sync |
| 451705-1 | 3-Major | Illegal metachar override can be added to policy which prevents Apply Policy★ | |
| 450241-4 | 3-Major | K21100172 | iControl error when discover ASM from EM |
| 438045-4 | 3-Major | K48130340 | Web Services signature verification failed. |
| 720938 | 4-Minor | Policy is marked as modified upon change of virtual server association when no other changes are made | |
| 699898-1 | 4-Minor | Wrong policy version time in policy created after synchronization between active and stand by machines. | |
| 688833-1 | 4-Minor | Inconsistent XFF field in ASM log depending violation category | |
| 685743-1 | 4-Minor | When changing internal parameter 'request_buffer_size' in large request violations might not be reported | |
| 675232-1 | 4-Minor | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction | |
| 625602-1 | 4-Minor | ASM Auto-Sync Device Group Does Not Sync | |
| 617658 | 4-Minor | Attack Signature Update with only 1 active policy logs "Please apply policy" error message | |
| 605649-5 | 4-Minor | K28782793 | The cbrd daemon runs at 100% CPU utilization |
| 572885-3 | 4-Minor | Policy automatic learning mode changes to manual after failover | |
| 563587 | 4-Minor | Javascript error in Safari browser when working with framed Cross-Domains website | |
| 519011-1 | 4-Minor | K01287948 | Auditor role: Exporting the Request Log |
Application Visibility and Reporting Issues
| ID Number | Severity | Solution Article(s) | Description |
| 615696 | 2-Critical | TMM crash during AVR data cleaning timer | |
| 575170-6 | 2-Critical | Analytics reports may not identify virtual servers correctly | |
| 475439-2 | 2-Critical | K16434 | Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash |
| 470559-2 | 2-Critical | TMM crash after traffic stress with rapid changes to Traffic capturing profiles | |
| 721408-1 | 3-Major | Possible to create Analytics overview widgets in "[All]" partition | |
| 713283 | 3-Major | Missing transaction count in = application security report under view by IP Intelligence | |
| 703196-1 | 3-Major | Reports for AVR are missing data | |
| 700035-1 | 3-Major | /var/log/avr/monpd.disk.provision not rotate | |
| 636104-5 | 3-Major | If pool member is defined with port 0, member may not be visible on the HTTP dimension pane. | |
| 635561-4 | 3-Major | Heavy URLs statistics are not shown after upgrade. | |
| 601536-5 | 3-Major | Analytics load error stops load of configuration★ | |
| 574160-1 | 3-Major | Publishing DNS statistics if only Global Traffic and AVR are provisioned | |
| 527058 | 3-Major | TMM Crash, at AVR lookup mechanism | |
| 508341-3 | 3-Major | Scheduled-reports are not syncing the 'first-time' value on a sync group |
Access Policy Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 707738-7 | 1-Blocking | K84747528 | Network Access cannot be established on Windows 10 RS4 |
| 649234-2 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
| 637308-6 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
| 614364 | 2-Critical | Linux client NA components cannot be installed neither using sudo password nor root password | |
| 580225-4 | 2-Critical | K24604331 | WEBSSO::select may crash tmm. |
| 546231 | 2-Critical | Aced crashed occasionally while shutting down | |
| 474532-7 | 2-Critical | K16357 | TMM may restart when SLO response is received on SLO request URL (.../post/sls) |
| 450136-6 | 2-Critical | Occasionally customers see chunk boundaries as part of HTTP response | |
| 446187-6 | 2-Critical | K15309 | Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization. |
| 442532-3 | 2-Critical | Log shows 'socket error: resource temporarily unavailable' | |
| 713691 | 3-Major | SELinux issue related to URLDB functionality | |
| 709553 | 3-Major | Memory leak when ACCESS::SESSION data get command is applied | |
| 703984-5 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
| 682751-3 | 3-Major | Kerberos keytab file content may be visible. | |
| 672818-4 | 3-Major | When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established | |
| 664507-1 | 3-Major | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration | |
| 658852-2 | 3-Major | Empty User-Agent in iSessions requests from APM client on Windows | |
| 647903 | 3-Major | Android receiver 3.11 new store addition with auto discovery does not work | |
| 640924-5 | 3-Major | On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly | |
| 636643 | 3-Major | OAM Access gate init problem | |
| 633364 | 3-Major | Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment. | |
| 627385 | 3-Major | Could not add new account in Citrix receiver for mac v12.3.0 | |
| 619879-4 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked | |
| 619811-5 | 3-Major | Machine Cert OCSP check fails with multiple Issuer CA | |
| 617316 | 3-Major | Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration | |
| 616838-1 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character | |
| 615970-3 | 3-Major | SSO logging level may cause failover | |
| 615522-1 | 3-Major | VDI crashes while responding to clients with multiple VDI threads running | |
| 611669-3 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra | |
| 611485-6 | 3-Major | APM AAA RADIUS server address cannot be a multicast IPv6 address.★ | |
| 603293-2 | 3-Major | Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs | |
| 589118-2 | 3-Major | K81314569 | Horizon View client throws an exception when connecting to Horizon 7 VCS through APM. |
| 583477 | 3-Major | In Multidomain SSO, primary auth virtual may fail as a resource | |
| 576350-3 | 3-Major | K32581271 | External input from client doesn't pass to policy agent if it is not the first in the chain. |
| 572887-5 | 3-Major | DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client | |
| 566235-2 | 3-Major | Profile License May Be Missing After Failover or Blade Configuration Change In Chassis HA | |
| 559402-2 | 3-Major | Client initiated form based SSO fails when username and password not replaced correctly while posting the form | |
| 552571 | 3-Major | DWA 8.5 with Safari on MAC OS X 10.11 : check names not works | |
| 551454-2 | 3-Major | Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server | |
| 547692-1 | 3-Major | Firewall-blocked KPASSWD service does not cause domain join operation to fail | |
| 546029-3 | 3-Major | Edge client connection fails: keeps reconnecting when captive portal probe URL is not available at www.f5.com | |
| 543344-2 | 3-Major | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event | |
| 539018-2 | 3-Major | TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file. | |
| 535714 | 3-Major | Policy creation error after resolving LSO in policy sync for a big policy | |
| 534373-1 | 3-Major | Some Text on French Localized Edge client on windows has grammatical error | |
| 528424-2 | 3-Major | IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state | |
| 527119-2 | 3-Major | Iframe document body could be null after iframe creation in rewritten document. | |
| 522124-1 | 3-Major | Secondary MCPD restarts when SAML IdP or SP Connector is created | |
| 521822-1 | 3-Major | referer header in request is not completely deflated at gateway, f5-w-dobledot paths are not reduced | |
| 514745-1 | 3-Major | Some BIG-IP objects have no tmsh description field so description text configured in GUI is lost on upgrade | |
| 511385 | 3-Major | <SecurID Soft Token Messages> are not translated | |
| 509677-2 | 3-Major | Edge-client crashes after switching to network with Captive Portal auth | |
| 507899-2 | 3-Major | Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value | |
| 502016-3 | 3-Major | MAC client components do not log version numbers in log file. | |
| 495128-10 | 3-Major | Safari 8 continues using proxy for network access resource in some cases when it shouldn't | |
| 494435 | 3-Major | Failed to sync connectivity or rewrite profile created from non-default profile | |
| 475363-5 | 3-Major | Empty or invalid configuration, or during exception in NTLM, handling might not work as expected. | |
| 473488-7 | 3-Major | K17376 | In AD Query agent, resolving of nested groups may cause apd to spin |
| 471825-6 | 3-Major | K16637 | Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322. |
| 468478-6 | 3-Major | K16659 | APM Portal Access becomes unresponsive. |
| 462258-3 | 3-Major | AD/LDAP server connection failures might cause apd to stop processing requests when service is restored | |
| 458450-3 | 3-Major | K16941 | The ECA process may produce a core file when processing HTTP headers |
| 451083-1 | 3-Major | K16244 | Citrix Wyse clients when working with StoreFront in integration mode |
| 441913-5 | 3-Major | K15454 | Empty Webtop when large number of resources assigned to access policy. |
| 440505-5 | 3-Major | K17207 | Default port should be removed from Location header value in http redirect |
| 439461-5 | 3-Major | Citrix Receiver for Linux is unable to receive full applications list. | |
| 439330-7 | 3-Major | Javascript: getAttribute() returns mangled event handlers | |
| 438548-3 | 3-Major | K11481255 | Please avoid name "none" for branch rules |
| 435419-3 | 3-Major | K10402225 | Install of partial EPSEC file causes mcpd to crash, followed by multiple cores. |
| 433972-12 | 3-Major | New Event dialog widget is shifted to the left and Description field does not have action widget | |
| 433752-8 | 3-Major | K17469 | Web applications might rewrite their event handlers |
| 433243-6 | 3-Major | K16056 | SAML SSO might fail due to clock skew |
| 432102-7 | 3-Major | HTML reserved characters not supported as part of SAML RelayState | |
| 431810-6 | 3-Major | K16315 | APMD process core due to missing exception handling in execute agents |
| 422525-1 | 3-Major | Portal Acccess resources with proxy require hostnames to be resolvable to BIG-IP | |
| 420645-5 | 3-Major | K16438 | Firewall software check cannot detect state of ipfw on MAC OS X |
| 417711-1 | 3-Major | APM does not restore NLAD connections when the configuration is restored from an UCS file★ | |
| 398657-16 | 3-Major | Active Session Count graph underflow | |
| 372139-2 | 3-Major | K43033311 | Manage Sessions are not showing correct current sessions on VIPRION chassis. |
| 369407-2 | 3-Major | Access policy objects are created inconsistently depending on whether created using wizard or manually. | |
| 613095 | 4-Minor | Text Description in Edge client UI may be clipped in sme languages | |
| 563651-1 | 4-Minor | Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★ | |
| 552797 | 4-Minor | Login/logout using Safari presents 'server drop connection' message. | |
| 550133 | 4-Minor | K14134155 | OPSWAT fails for Mac OS and Sophos AV version 9.4 |
| 542636 | 4-Minor | APM logon page copyright should show the current year | |
| 536724 | 4-Minor | Policy Sync Status stuck at initiated syncing to subgroup after doing to parent group | |
| 516200-5 | 4-Minor | HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+ | |
| 469974-4 | 4-Minor | APM New Session performance graph displays incorrect timed out/error value | |
| 586080 | 5-Cosmetic | APM attempts to launch VMware View Linux Desktop from the webtop using HTML5 client which is not supported | |
| 439680-4 | 5-Cosmetic | BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions |
WebAccelerator Issues
| ID Number | Severity | Solution Article(s) | Description |
| 706642-5 | 2-Critical | wamd may leak memory during configuration changes and cluster events | |
| 464874-1 | 2-Critical | Client may legitimately send a range request for the cached JS/CSS content which is no longer valid. | |
| 701977-5 | 3-Major | Non-URL encoded links to CSS files are not stripped from the response during concatenation | |
| 630661-1 | 3-Major | K30241432 | WAM may leak memory when a WAM policy node has multiple variation header rules |
| 621284-2 | 3-Major | Incorrect TMSH help text for the 'max-response' RAMCACHE attribute | |
| 533900-2 | 3-Major | Extra Proxy on Image Size Change | |
| 467589-1 | 4-Minor | Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error. |
Wan Optimization Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 546877-2 | 2-Critical | K10934171 | tmm assert 'tcp_set_persist: retransmit pending' |
| 480065-2 | 2-Critical | K58245664 | TMM restarts during iSession tunnel reuse. |
| 440562-3 | 2-Critical | TMM cores dumps due to an iSession "valid event" assertion failure | |
| 568795-4 | 3-Major | Dedup Cache Refresh may fail to re-initialize WOM endpoint | |
| 549327-2 | 3-Major | iSession remote endpoint connection not re-established | |
| 479183-1 | 3-Major | K01749002 | Unexpected iSession tunnel state transition causes TMM to restart. |
| 442884-2 | 3-Major | TMM assert 'spdy pcb initialized' in spdy_process() |
Service Provider Issues
| ID Number | Severity | Solution Article(s) | Description |
| 688942-1 | 3-Major | K82601533 | ICAP: Chunk parser performs poorly with very large chunk |
| 669978-8 | 3-Major | K15204204 | SIP monitor - Via header's branch parameter collision. |
| 590091-3 | 3-Major | K79075081 | Single-line Via headers separated by single comma result in first character second header being stripped. |
| 566630-1 | 3-Major | K17206132 | Outbound ICAP request can double-chunk HTTP payload |
| 600431-3 | 4-Minor | DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP |
Advanced Firewall Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 456376-2 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
| 668822 | 2-Critical | dwbld service restarts randomly | |
| 653729-1 | 2-Critical | Support IP Uncommon Protocol | |
| 572546 | 2-Critical | Assigning address list with 1000+ entries to 1000+ rules policy results in MCP errors | |
| 551635-1 | 2-Critical | pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule | |
| 515562-2 | 2-Critical | K16813 | Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned. |
| 503951-1 | 2-Critical | AFM policies not synced | |
| 501636-2 | 2-Critical | Core file appears on vCMP after restarting the primary blade twice | |
| 484013-3 | 2-Critical | K12435402 | tmm might crash under load when logging profile is used with packet classification |
| 480903-3 | 2-Critical | AFM DoS ICMP sweep mitigation performance impact | |
| 651169-5 | 3-Major | The Dashboard does not show an alert when a power supply is unplugged | |
| 644046 | 3-Major | Firewall ACL logs for IPv6 traffic | |
| 612086-1 | 3-Major | K32857340 | Virtual server CPU stats can be above 100% |
| 551849-2 | 3-Major | If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong | |
| 550926-6 | 3-Major | AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule | |
| 526774-3 | 3-Major | Search in FW policy disconnects GUI users | |
| 510728-4 | 3-Major | Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager. | |
| 507493-1 | 3-Major | Cannot reset counter for rules of Management Port and Global | |
| 507240-1 | 3-Major | K13811263 | ICMP traffic cannot be disaggregated based on IP addresses |
| 497424-1 | 3-Major | K91533854 | Policy name field appears on Rule creation page even if Policy is selected |
| 475556-7 | 3-Major | Custom X-forwarded-for headers should take prioriy over xff headers | |
| 440817-4 | 3-Major | K03037436 | Sweeper incorrectly reaps a flow that had matched global (or rtdom) rule with action 'Accept Decisive' after the latest firewall configuration change |
| 429885-4 | 3-Major | K17576 | Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics) |
| 404876-1 | 3-Major | Rule modifications reset active counters. | |
| 550204-1 | 4-Minor | Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables' | |
| 528499-4 | 4-Minor | AFM address lists are not sorted while trying to create a new rule. | |
| 498490-2 | 4-Minor | Incorrect overlapping status shown when a rule in a rule list has the same name as a rule not in that list | |
| 498150-1 | 4-Minor | "General database error retrieving information" appears on Self Ip Security page after removing a rule and refreshing the page | |
| 497004-2 | 4-Minor | Policy field is not marked as containing errors when creating a Rule without a Policy | |
| 491165-3 | 4-Minor | Legal IP addresses sometimes logged in Attack Started/Stopped message. | |
| 454961-2 | 4-Minor | Removal of AFM inline rules | |
| 426274-1 | 4-Minor | Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time |
Policy Enforcement Manager Issues
| ID Number | Severity | Solution Article(s) | Description |
| 618657-5 | 3-Major | Bogus ICMP unreachable messages in PEM with ipother profile in use |
Carrier-Grade NAT Issues
| ID Number | Severity | Solution Article(s) | Description |
| 521329-3 | 2-Critical | CGNAT - Rare TMM core with Deterministic NAT | |
| 504021-3 | 3-Major | lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled | |
| 455020-3 | 3-Major | RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout |
Device Management Issues
| ID Number | Severity | Solution Article(s) | Description |
| 479773-2 | 1-Blocking | SR C1800930 - GUI crashs - and SQL errors | |
| 581840-2 | 3-Major | K46576869 | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
| 554659-1 | 3-Major | Configurable maximum message size limit for restjavad | |
| 507977-1 | 4-Minor | System sends extra messages in audit log when changing a user's role to or from Administrator/admin. |
iApp Technology Issues
| ID Number | Severity | Solution Article(s) | Description |
| 634146 | 3-Major | scriptd crash during iApp reconfiguration |
Known Issue details for BIG-IP v11.5.x
726255-5 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
726239-1 : TMM panic via SIGABRT from sod
Component: Local Traffic Manager
Symptoms:
TCP receives SIGABRT during TCP persist mode.
Conditions:
When TCP is in persist mode.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
726232-4 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
725791-1 : Potential HW/HSB issue detected
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
725646 : TMSH core on v11.5.x or v11.6.x when multiple TMSH instances are spawned and terminated quickly
Component: TMOS
Symptoms:
TMSH core on v11.5.x or v11.6.x physical appliances
Conditions:
-- Running version 11.5.x or 11.6.x (i.e., does not occur on 12.x or later).
-- Physical hardware (i.e., does not occur on BIG-IP Virtual Edition).
Multiple instances of TMSH are opened using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
then all of them are quickly terminated by Ctrl-D.
Impact:
TMSH is terminated and produces a core file in the /shared/core directory. The BIG-IP system should remain operational.
Workaround:
Restart TMSH if problem occurred.
To prevent the issue from occurring: Do not quickly terminate TMSH instances using Ctrl-D.
723988-5 : IKEv1 phase2 key length can be changed during SA negotiation
Component: TMOS
Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.
Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.
Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.
Workaround:
No workaround is known at this time.
723794-1 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms
Component: TMOS
Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.
You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.
Conditions:
-- AMD-based platforms:
+ BIG-IP B4100 blades
+ BIG-IP B4200 blades
+ BIG-IP 6900 and NEBS appliances
+ BIG-IP 89x0 appliances
+ BIG-IP 6400 FIPS and NEBS platforms
+ BIG-IP 110x0 appliances
-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).
Impact:
System locks up and is rebooted by the watchdog timer.
Workaround:
Set the database variable kernel.pti to disable by running the following command:
tmsh modify sys db kernel.pti value disable
According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.
723722-5 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
723579-1 : OSPF routes missing
Component: TMOS
Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.
Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.
Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.
Workaround:
There is no workaround.
723306-6 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.
Impact:
Inability to load config, with created internal virtual server.
Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.
723112-2 : LTM policies does not work if a condition has more than 127 matches
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
721408-1 : Possible to create Analytics overview widgets in "[All]" partition
Component: Application Visibility and Reporting
Symptoms:
When creating new widgets, they are created under the currently set partition. If the partition is "[All]" (not a real partition), this name will be used to create the widgets.
In newer version of BIG-IP, there are added validations which disallow using non-existent partitions. When upgrading to v13+, upgrade will fail due to having objects with invalid partition.
Conditions:
Use BIG-IP v11 to create widgets while in the read-only "[All]" pseudo-partition
Impact:
Upgrade fails
Workaround:
It is possible to manually edit the configuration files and update "[All]" to "Common", after which the upgrade should succeed.
720938 : Policy is marked as modified upon change of virtual server association when no other changes are made
Component: Application Security Manager
Symptoms:
When associating or dissociating an ASM policy to a virtual server, the ASM policy is marked as 'modified' in the GUI, even though no actual policy changes were made.
Conditions:
Associating or dissociating an ASM policy to a virtual server.
Impact:
Policy is incorrectly marked as 'modified'.
Workaround:
To remove the 'modified' flag, apply the policy again.
720269-5 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
719749 : BGP last update timer incorrectly resets to 0 when 'max paths ebgp' is configured
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets, it also incorrectly resets the BGP last update timer to 0 (zero).
Note: You can check that the new route shows up in response to the imish command 'sh ip route'.
Conditions:
-- ZebOS has learned a route from a BGP peer.
-- 'max-paths ebgp' is configured.
Impact:
BGP last update timer incorrectly resets to 0. If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
There is no workaround other than not using 'max-paths ebgp'.
718867-5 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
Component: Local Traffic Manager
Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).
Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.
Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.
Workaround:
Reset the variable's custom value after upgrade.
718277 : Deployed guests inoperative after host and guest master-key reset without rebooting host after host master-key is reset.
Component: TMOS
Symptoms:
vCMP guests (ALL Guests) fail to load after reboot of hypervisor when the host master-key is changed and then the guests' master-keys are changed before first rebooting the hypervisor.
Conditions:
-- Issue the following command on vCMP Host hypervisor system:
$ tmsh modify sys crypto master-key prompt-for-password
-- Issue the following command on guests deployed on this hypervisor, before rebooting the hypervisor:
$ tmsh modify sys crypto master-key prompt-for-password
Impact:
Deployed guests cannot decrypt their configurations and so are inoperative.
Workaround:
In order to change the host master-key without causing service interruption to deployed vCMP guests (except for the necessary reboot):
1. On the host and with guests deployed, issue the following command:
$ tmsh modify /sys crypto master-key prompt-for-password
2. After this interactive command completes, again on the host issue the following command:
$ tmsh save sys config && tmsh reboot
3. Wait for the host and guests to come back up, then issue the following command on each guest:
$ tmsh modify /sys crypto master-key prompt-for-password
718110 : MCP high CPU usage after clicking on GTM Listener name to view its properties in the Web GUI.
Component: Global Traffic Manager (DNS)
Symptoms:
MCP has high CPU usage.
Conditions:
A config that contains a large number of virtual servers, profiles and virtual addresses.
Impact:
MCP has high CPU usage for 5 to 20 seconds.
Workaround:
Use TMSH to view the properties if you cannot afford any CPU cycles loss on the BIG-IP you are using to view your listeners.
716391-5 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Solution Article: K76031538
Component: TMOS
Symptoms:
vCMP guest with only 2 cores may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores.
-- A module using MySQL is provisioned.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716166-1 : Dynamic routing not added when conflicting self IPs exist
Component: TMOS
Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.
Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.
Impact:
Propagation of the dynamic route to the kernel, TMM.
Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.
714576 : Removing a Copper SFP on certain platforms incorrectly retains info about the SFP
Component: TMOS
Symptoms:
BIG-IP displays a stale SFP serial number after removing a copper SFP. A fiber SFP inserted into an interface after removing a copper SFP will not come up.
Conditions:
800, 1600, and 3600 platforms with copper SFPs.
Impact:
Cosmetic display of stale serial number of copper SFP. Fiber SFP will not work when inserted after a copper SFP is removed.
Workaround:
Restart bcm56xxd.
714384-7 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
713708-1 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713691 : SELinux issue related to URLDB functionality
Component: Access Policy Manager
Symptoms:
When moving from a partition running v13.0.0 or later software to a partition containing pre-v13.0.0 software, the files under /var/urldb will have incorrect SELinux labeling.
The BIG-IP system reports SELinux errors in /var/log/auditd/audit.log similar to the following:
-- emerg logger: Re-starting bigd
type=AVC msg=audit(1523996911.786:104): avc: denied { associate } for pid=32553 comm="python" name="incoming" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Conditions:
-- System is running pre-v13.0.0 software.
-- Has URLDB functionality.
-- Upgrade performed to v13.0.0 or later.
-- Switch back to the partition that contains the pre-v13.0.0 software.
Impact:
The URLDB functionality does not work.
Workaround:
Change the SELinux label on /var/urldb (and all files under this directory) using the following command.
chcon -R -t file_t /var/urldb
713533-5 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
713283 : Missing transaction count in = application security report under view by IP Intelligence
Component: Application Visibility and Reporting
Symptoms:
Transactions without an IP reputation threat are not listed on application security reports under viewed by IP Intelligence.
Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.
Impact:
Transaction count statistics are missing.
Workaround:
None.
712664-6 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
712500-4 : Unhandled Query Action Drops Stat does not increment after transparent cache miss
Component: Global Traffic Manager (DNS)
Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.
Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.
Impact:
Inaccurate statistics for the Unhandled Query Action Drops
Workaround:
None.
711981-1 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.
Workaround:
None.
710028-6 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
709786 : 'bandwidth utilization exceeded' log messages may not be output in all cases
Solution Article: K21241697
Component: TMOS
Symptoms:
In certain cases log messages corresponding to 'bandwidth utilization exceeded' may not be output.
Conditions:
-- Virtual Edition (VE) license with bandwidth limitations.
-- Traffic exceeding the license limit.
Impact:
Logs are not output.
Workaround:
Modify tmsh sys DB variable log.alertbwthreshold with a value other than '0'.
709553 : Memory leak when ACCESS::SESSION data get command is applied
Component: Access Policy Manager
Symptoms:
Slow memory leak occurs when ACCESS::SESSION data get command is used in iRule.
Conditions:
iRule contains an ACCESS::SESSION data get command.
Impact:
Memory leak eventually causes the BIG-IP system to fail over, interrupting traffic.
Workaround:
None.
707929-1 : 2000/4000 series platform after applying performance upgrade license does not show correct name in show sys hardware
Component: TMOS
Symptoms:
Applying a performance upgrade license does not change the name shown in 'tmsh show sys hardware' when running BIG-IP versions 12.1.0 or earlier.
Conditions:
-- 2000 or 4000 series platform running with standard license.
-- Apply a performance upgrade license.
-- Running versions 12.1.0 or earlier.
Impact:
The name does not change, although the performance of the system is upgraded when the required reboot is complete after applying a performance upgrade license. This is a cosmetic issue only.
Workaround:
None. Rebooting does not update to the correct name.
707740-1 : Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination
Component: TMOS
Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers
Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port
Impact:
User will not be able to ever delete the un-used gtm monitor
Workaround:
There is no workaround at this time.
707738-7 : Network Access cannot be established on Windows 10 RS4
Solution Article: K84747528
Component: Access Policy Manager
Symptoms:
Network Access cannot be established on Microsoft Windows 10 RS4. Both EdgeClient and F5 VPN fails with the following error: An incorrect structure size was detected.
Note: Custom Dial-up entry client is not affected.
This is caused by Windows 10 RS4 regression in Remote Access System (RAS).
Conditions:
Networks Access connection fails when any of the following conditions are met:
-- The Windows system is clean Windows 10 RS4 installation
-- The Windows system has never connected to APM.
-- The Windows system previously was connected to APM, but the BIG-IP Administrator modified Network Access resource settings
When all of the following conditions are met, Network Access continues to work, unless the Administrator modifies the resource configuration or the user connects to a new APM server:
-- The Windows system was previously connected to a specific virtual server on a particular APM.
-- The Windows system was upgraded from previous Windows 10 version to Windows 10 RS4.
-- The Windows system Administrator has not modified any settings of Network Access resource.
Impact:
Network Access connection cannot be established.
Workaround:
None.
Note: This is caused by Windows 10 RS4 regression in RAS.
707691-1 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
707445-5 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
706642-5 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
705794-6 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
A HTTP2 stream is getting overlooked when cleaning up a HTTP2 flow.
Conditions:
Currently only known is that the closing_stream is not empty. Exact entrance conditions not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
705773 : TMM may core with a virtual server configured with fastl4, http, and persistence
Component: Local Traffic Manager
Symptoms:
As a result of a known issue TMM may crash when a specific traffic pattern is received on a virtual server configured with fastl4, http, and persistence.
Conditions:
- Virtual server configured with fastl4, http, and persistence.
Impact:
TMM may crash, disrupting traffic or causing failover.
Workaround:
Do not use fastl4 and http profiles along with persistence together.
705655-1 : Virtual address not responding to ICMP when ICMP Echo set to Selective
Component: TMOS
Symptoms:
If the virtual server's availability has taken the virtual address 'down', enabling the virtual server does not cause it to go 'up'.
Conditions:
-- ICMP Echo is set to Selective for the virtual address.
-- Disable the virtual server.
-- Enable the virtual server.
Impact:
The virtual address does not come up again. This affects the availability status of the virtual-address, and icmp-echo or route-advertisement for the virtual-address.
Workaround:
To work around this issue, do the following:
1. Set ICMP Echo to Always.
2. Disable the virtual-server.
3. Change virtual-address availability calculation back to the desired state.
705112 : DHCP server flows are not re-established after expiration
Component: Local Traffic Manager
Symptoms:
DHCP relay agent doesn't have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
705037-6 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
704449-6 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
704381-1 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
703984-5 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
Machine certificate agent will match configured host name with actual host name if configured name matches beginning of the actual hostname.
Conditions:
MacOS APM client.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
703196-1 : Reports for AVR are missing data
Component: Application Visibility and Reporting
Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.
Conditions:
Using AVR statistics.
Impact:
Expected AVR statistics may be missing.
Workaround:
Run the following shell command on BIG-IP:
sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql
702450-6 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
701977-5 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701722-4 : Potential mcpd memory leak for signed iRules
Component: TMOS
Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.
Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.
Impact:
MCP leak memory.
Workaround:
Resolve the signature encryption issue.
701690-5 : Fragmented ICMP forwarded with incorrect icmp checksum
Solution Article: K53819652
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.
Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
700433-4 : Memory leak when attaching an LTM policy to a virtual server
Solution Article: K10870739
Component: Local Traffic Manager
Symptoms:
MCP's memory increases when deleting and adding an LTM policy attached to a virtual server.
Conditions:
-- LTM policies must be in use.
-- A policy with at least one rule. (Note: A rule with actions or conditions will leak more memory.)
-- Add the policy to a virtual server.
Impact:
MCP may run slower when memory is low. If all memory is used up, MCP will crash, which will cause a failover or outage.
Workaround:
None.
700426-3 : Switching partitions while viewing objects in GUI can result in empty list
Solution Article: K58033284
Component: TMOS
Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
700393-6 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.
Conditions:
http2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
700299 : Missing changelog entry for CVE-2015-5146 in ntp.spec
Component: TMOS
Symptoms:
There is no changelog entry in ntp.spec indicating that CVE-2015-5146 was fixed.
Conditions:
Running a version of BIG-IP where F5 indicates CVE-2015-5146 has been fixed.
Impact:
The changelog entries in ntp.spec are misleading implies that CVE-2015-5146 was not actually fixed, even though it was.
Workaround:
None.
700061-1 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Component: Local Traffic Manager
Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'
Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.
Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'
Workaround:
There is no workaround at this time.
700057-1 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
700035-1 : /var/log/avr/monpd.disk.provision not rotate
Component: Application Visibility and Reporting
Symptoms:
the log file may fill-up /var partition
Conditions:
there is no special condition for this issue - if the log is big it won't rotate
Impact:
the log file may fill-up /var partition
Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision
699898-1 : Wrong policy version time in policy created after synchronization between active and stand by machines.
Component: Application Security Manager
Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.
Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.
Impact:
Policy version timestamp on standby system is not synchronized properly.
Workaround:
Run full synchronization again from active system to the group.
698933-5 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
698038-2 : TACACS+ system auth file descriptor leaks when servers are unreachable
Solution Article: K05730807
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fails.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. -- Repeated automated access using iControl is the fastest route.
Impact:
Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail.
Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary.
To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.
698013-6 : TACACS+ system auth and file descriptors leak
Solution Article: K27216452
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.
Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.
695925-5 : tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using tmsh show sys connection
695707-1 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
695109-5 : Changes to fallback persistence profiles attached to a Virtual server are not effective
Solution Article: K15047377
Component: Local Traffic Manager
Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.
Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.
Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.
Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.
694934-5 : bd crashes on a very specific and rare scenario
Component: Application Security Manager
Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.
Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.
Impact:
bd crashes.
Workaround:
None.
694696-1 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
693996-1 : MCPD sync errors and restart after multiple modifications to file object in chassis
Solution Article: K42285625
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
693901-1 : Active FTP data connection may change source port on client-side
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.
Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
693582-5 : Monitor node log not rotated for icmp monitor types
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
Impact:
Depending on the affected BIG-IP version in use, affects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors
693007-5 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.
692941-5 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
692172-4 : rewrite profile causes "No available pool member" failures when connection limit reached
Component: TMOS
Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".
Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.
Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.
Workaround:
An iRule which selects default pool on HTTP_REQUEST:
when HTTP_REQUEST priority 1000 {
pool [LB::server pool]
}
691785-5 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
691749-5 : Delete sys connection operations cannot be part of TMSH transactions
Component: TMOS
Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.
Conditions:
Include delete sys connection operations in TMSH transactions.
Impact:
TMSH freezes up and transactions do not complete.
Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.
691491-1 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Solution Article: K13841403
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
691485-1 : System fails to boot when syslog-ng is not running.
Solution Article: K47635484
Component: TMOS
Symptoms:
System hangs during boot while trying to start the httpd service.
Conditions:
syslog-ng is not running.
Impact:
System fails to boot
Workaround:
Correct the /etc/syslog-ng/syslog-ng.conf file if necessary and start the syslog-ng service using the following command:
service syslog-ng start
The system should continue to boot.
690890-5 : Running sod manually can cause issues/failover
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.
690778-5 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Solution Article: K53531153
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
690042-5 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
689583-5 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
Component: Global Traffic Manager (DNS)
Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.
Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
big3d --version
big3d
big3d -xyz
big3d -d
Impact:
GTM server goes red momentarily.
Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.
689449-5 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.
Workaround:
No workaround at this time.
689437-4 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Solution Article: K49554067
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.
689351-1 : Unclear fipskey event
Component: Local Traffic Manager
Symptoms:
The "fipskey" utility generates erroneous dlopen errors in /var/log/daemon.log when trying to open pkcs11_nethsm.so
Conditions:
Randomly reproduced by running "fipskey export 1 /var/tmp/otters" (even on a VE). Regardless of the error on the command-line, it will log the above in /var/log/daemon.log.
It may occur due to FIPS appliance (built-in FIPS card), and various system utilities (e.g. mcpd) invoke "fipskey" directly. (MCPD invokes fipskey to re-generate DNSSEC-related FIPS keys.)
Those operations succeed, but leave erroneous error messages in the log file while the FIPS library is starting up, and looking for a viable/functional FIPS shared library. (It keeps looking for a viable library even after logging a dlopen() error return value).
Impact:
Erroneous error messages.
Workaround:
N/A
689089-5 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
689002-5 : Stackoverflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
688942-1 : ICAP: Chunk parser performs poorly with very large chunk
Solution Article: K82601533
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).
688833-1 : Inconsistent XFF field in ASM log depending violation category
Component: Application Security Manager
Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.
Conditions:
Viewing the XFF results in ASM log.
Impact:
This might cause problems with the syslog filters configured on the remote loggers.
Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.
688586-1 : DTLS does not retransmit ServerHello message if it is lost
Component: Local Traffic Manager
Symptoms:
DTLS does not retransmit ServerHello message if it is lost
Conditions:
The first DTLS ServerHello message is lost
Impact:
It cannot be re-transmit and the handshake fails.
688570-1 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
688406-5 : HA-Group Score showing 0
Solution Article: K14513346
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
688335-1 : big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.
Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
big3d_install -use_ssh <target IP>
688266-1 : big3d and big3d_install use different logics to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
686626-1 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address
Component: TMOS
Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.
The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.
Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).
Conditions:
Required configuration:
1) The BIG-IP system is running a version prior to 13.0.0.
2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.
3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.
4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.
5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.
6) The OCSP server FQDN resolves to an A record.
With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.
The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.
Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.
The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.
Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.
686228-4 : TMM may crash in some circumstances with VLAN failsafe
Solution Article: K23243525
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.
Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
685743-1 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
685582-4 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
685519-5 : Mirrored connections ignore the handshake timeout
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
685458-3 : merged fails merging a table when a table row has incomplete keys defined.
Component: TMOS
Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.
Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.
Workaround:
None.
684319-1 : iRule execution logging
Component: Local Traffic Manager
Symptoms:
iRule execution can block tmm from getting CPU cycles.
Conditions:
when executing iRule TCL with e.g. a tight while loop, tmm will miss to sent its heartbeat. This change adds additional logging around this.
Impact:
Logging shows now iRule perpetrator.
Workaround:
No workaround.
683706 : Pool member status remains 'checking' when manually forced down at creation
Component: Local Traffic Manager
Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.
Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.
Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.
683029-4 : Sync of virtual address and self IP traffic groups only happens in one direction
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
682751-3 : Kerberos keytab file content may be visible.
Component: Access Policy Manager
Symptoms:
Kerberos keytab file content may be visible.
Conditions:
Import a Kerberos keytab file.
From the command line, check the file permissions. It is readable.
Impact:
keytab is similar to a private key file and should not be readable.
Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.
681782-2 : Unicast IP address can be configured in a failover multicast configuration
Solution Article: K30665653
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
681109-4 : BD crash in a specific scenario
Solution Article: K46212485
Component: Application Security Manager
Symptoms:
BD crash occurs.
Conditions:
A specific, non-default configuration with specific traffic.
The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.
For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data
This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.
Impact:
Failover, traffic disturbance.
Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.
A correctly configured header-based-content-profile property on URLs appears as follows:
In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML
680972 : Hidden newlines within monitor parameters may silently load without error
Solution Article: K73425254
Component: Local Traffic Manager
Symptoms:
Monitor parameters containing hidden newlines may silently load without error, when the configuration should fail to load. A conforming configuration requires each monitor parameter to comprise a single line; but manually editing the configuration file may insert a line-break within a single monitor parameter, thus breaking the parameter across two lines (resulting in a non-conforming definition). If the first line has an odd number of double-quotes (regardless of the presence of backslash-escaping), the hidden newline will not be detected and the monitor will load successfully.
Conditions:
A configuration file where a single monitor parameter is broken across two text lines (such as after manually editing the text file), and where the first line has an odd-number of double-quotes (regardless of the presence of backslash-escaping).
For example, an improper text line break within a single monitor configuration that silently loads: 'send "GET http://path={\"checkDatabase\":\"true\"}<CR>\r\n"' ...where "<CR>" represents the hidden line break in the text file. This silently loads because the odd-number of double-quotes on the first line (before the <CR>) hides the newline in the text file, resulting in the first line being merged with the second line upon configuration load.
Impact:
The configuration loads successfully, when it should be rejected as non-conforming. The monitor will function normally, as the two lines separated by the hidden newline will be merged upon load. The configuration will behave correctly, even though the hidden line break implies the file is non-conforming.
Workaround:
Modify the configuration file so that each monitor parameter comprises a single text line (which is required for a conforming configuration).
680069-5 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
Solution Article: K81834254
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
679854-1 : UIE persist may be inconsistent after a pool member is brought down
Component: Local Traffic Manager
Symptoms:
For Universal Inspection Engine (UIE) persist, requests might be load balanced to different pool member after the original persisted pool member is brought down.
Conditions:
-- UIE persist.
-- Original persisted pool member brought down.
Impact:
Inconsistent UIE persist.
Workaround:
None.
679605-3 : Device groups with no members will cause upgrade to fail
Component: TMOS
Symptoms:
An empty device group will fail upgrade with this error message:
Syntax Error:(/config/bigip_base.conf at line: 37) "save-on-auto-sync" unexpected argument
Conditions:
This only affects systems with empty device groups.
Impact:
Configuration will fail to load after the upgrade.
Workaround:
Remove the empty device group before upgrading. An empty device group has no effect on the system, so this is a safe action to take.
679316-2 : iQuery connections reset during SSL key renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
When iQuery data is sent during SSL key renegotiation.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Workaround:
None.
678925-3 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
678450-5 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
Component: Local Traffic Manager
Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.
Conditions:
-- Connect to client and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.
When the virtual server is standard "F5RST port in use" is sent. When the virtual server is performance L4 is not.
Impact:
Connection hangs. No increase for port-in-use stats when using the following commands:
tmsh show /net rst-cause.
Workaround:
None.
677270-4 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH
Solution Article: K76116244
Component: Local Traffic Manager
Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.
Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH.
-- iRule comments are outside of any event stanza.
Impact:
Trailing comments in iRules are lost.
Workaround:
Use one or both of the following workarounds:
-- Make sure comments are inside of an event stanza.
-- Enter the iRule using the web GUI.
676828-4 : Host IPv6 traffic is generated even when ipv6.enabled is false
Solution Article: K09012436
Component: Local Traffic Manager
Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.
Conditions:
sys db ipv6.enabled is false.
Impact:
Extraneous IPv6 traffic from the the BIG-IP system.
Workaround:
None.
676721-4 : Missing check for NULL condition causes tmm crash.
Solution Article: K33325265
Component: Local Traffic Manager
Symptoms:
Missing check for NULL condition causes tmm crash.
Conditions:
One possible route involves load balancing failure, but there may be other paths leading to this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
675911-3 : Dashboard CPU history file may contain incorrect values
Solution Article: K13272442
Component: Local Traffic Manager
Symptoms:
Values such as 33%, 66% and 99% may appear in the CSV file exported from the dashboard utility
Conditions:
htsplit is enabled.
Impact:
CPU history in exported CSV file does not match actual CPU usage.
Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:
In 12.x and 13.x:
sar -f /var/log/sa6/sa
or for older data
sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
In 11.x:
sar -f /var/log/sa/sa
or for older data
sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
675232-1 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered -
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via GUI and starting from from v13.0 via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
674957-3 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
Component: TMOS
Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.
Conditions:
Using the GUI to export a certificate stored in DER format.
Impact:
Corrupted certificate.
Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:
openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der
Note: This works for system users who can access the bash command, specifically, those with the administrator role.
674754-4 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.
Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.
Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.
Impact:
Confusion as to why the GUI is ignoring the new email address they entered.
Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.
674591 : Packets with payload smaller than MSS are being marked to be TSOed
Solution Article: K37975308
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
674145-5 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
673701 : 'tmsh show sys software' can erroneously show status 'installing hotfix' after inserting new blade
Component: TMOS
Symptoms:
After inserting a new blade into a chassis, it is possible that one of that blade's volumes will report status 'installing hotfix' instead of 'complete'.
Example output of the command: tmsh show sys software:
-----------------------------------------------------------
Sys::Software Status
Volume Slot Product Version Build Active Status
-----------------------------------------------------------
HD1.1 1 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 2 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 3 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 4 BIG-IP 11.5.3 2.0.196 no installing hotfix
HD1.2 1 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 2 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 3 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 4 BIG-IP 11.5.3 2.234.196 yes complete
Conditions:
This can occur after inserting a new blade into a chassis. The specifics conditions that result in the issue are unknown.
Impact:
Cosmetic. This has no effect on system behavior, only the display seen from 'tmsh show sys software'
Workaround:
Run 'bigstart restart lind' or reboot the new blade.
673693 : 'tmsh show sys software' can erroneously show status 'installing hotfix' after inserting new blade
Component: TMOS
Symptoms:
After inserting a new blade into a chassis, it is possible that one of that blade's volumes will report status 'installing hotfix' instead of 'complete'.
Example output of the command: tmsh show sys software:
-----------------------------------------------------------
Sys::Software Status
Volume Slot Product Version Build Active Status
-----------------------------------------------------------
HD1.1 1 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 2 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 3 BIG-IP 11.5.3 2.0.196 no complete
HD1.1 4 BIG-IP 11.5.3 2.0.196 no installing hotfix
HD1.2 1 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 2 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 3 BIG-IP 11.5.3 2.234.196 yes complete
HD1.2 4 BIG-IP 11.5.3 2.234.196 yes complete
Conditions:
This can occur after inserting a new blade into a chassis. The specifics conditions that result in the issue are unknown.
Impact:
Cosmetic. This has no effect on system behavior, only the display seen from 'tmsh show sys software'
Workaround:
Run 'bigstart restart lind' or reboot the new blade.
673621-1 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Component: Local Traffic Manager
Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Conditions:
Set ca-file to 'none' in the clientssl profile.
Impact:
Chain is still sent.
Workaround:
None.
672818-4 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
Component: Access Policy Manager
Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.
Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.
Impact:
Cannot establish VPN.
Workaround:
There is no workaround if there is a to change the 'Region and language' setting must be Simplified Chinese.
672491-4 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Solution Article: K10990182
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
671774 : LTM v11.5.4 f5.http iApp Cannot Deploy if VS IP is an existing Node IP
Component: TMOS
Symptoms:
When a named node is used as a virtual server destination, several F5 iApps will define the virtual server using the node name rather than the node ip address. This causes the iApp to throw an error and fail deployment.
Conditions:
The node is defined prior to running the iApp, it must have a name that does not match its IP address, and its address must be specified as the defined node (i.e., the destination) in the iApp configuration (in this case, f5.http).
Impact:
Virtual addresses are not typically defined as nodes, but in the event that one is, and the specified conditions are met, then the iApp will fail to deploy.
Workaround:
Delete the node prior to running the iApp.
671553-4 : iCall scripts may make statistics request before the system is ready
Component: TMOS
Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.
Conditions:
Early during startup.
Impact:
The Tcl script may generate an error and stop working.
Workaround:
Use Tcl's 'catch' command to detect and handle the error.
671447-4 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
Component: TMOS
Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.
Conditions:
- BIG-IP configured to participate as a peer in a IS-IS network.
- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)
Impact:
IS-IS adjacencies may not form.
Workaround:
None.
671326-4 : DNS Cache debug logging might cause tmm to crash.
Solution Article: K81052338
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache debug logging might cause tmm to crash.
Conditions:
This occurs when the following conditions are met:
-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.
671261-4 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
Solution Article: K32306231
Component: TMOS
Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.
Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.
Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.
Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.
671236-4 : BGP local-as command may not work when applied to peer-group
Solution Article: K27343382
Component: TMOS
Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.
Conditions:
Applying the BGP local-as command to a peer group.
For instance:
neighbor <peer-group> local-as <AS>.
Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.
Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.
670520-1 : FastL4 not sending keepalive at proper interval when other side gets response
Component: Local Traffic Manager
Symptoms:
FastL4 not sending keepalive at proper interval when other side gets response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side is received, it is forwarded to the other.
It appears that causes a keepalive to not be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side, before it sends the serverside keepalive, the client side keepalive response is forwarded, but the actual keepalive is not sent to the server.
Conditions:
FastL4 and keepalive.
Impact:
Potential for failure as in FastL4: the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there is not going to be a response for that interval.
Workaround:
None.
670501-3 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
Solution Article: K85074430
Component: Application Security Manager
Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device
Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.
Impact:
Policies are either not created/deleted, or not fully created/deleted.
Note: Fully created and fully deleted meaning that the following commands agree with each other:
# tmsh list asm policy one-line all-properties
# tmsh list asm policy one-line
Workaround:
Issue a forced full sync from the originating device to the device group.
670044 : High Speed Logging can crash TMM on TCP pool member down.
Component: TMOS
Symptoms:
In rare situations TMM can crash when pool member used in High Speed Logging is marked down by a monitor and pending TCP connection handshake completed shortly after.
Conditions:
-- High Speed Logging pool using TCP protocol.
-- Pool marked down by monitor while pending TCP connection.
-- TCP handshake completes after pool is marked down.
Impact:
Service disruption while tmm recovers. HA failover event. Traffic disrupted while tmm restarts.
Workaround:
None.
669978-8 : SIP monitor - Via header's branch parameter collision.
Solution Article: K15204204
Component: Service Provider
Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.
Conditions:
SIP branch hash string length is small enough that when sufficient SIP monitor messages were inundated, possible branch collision.
Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.
Workaround:
None.
669262-4 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
Solution Article: K91122850
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA, resulting that zone is not treated as reverse zone.
PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.
Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.
Impact:
Cannot create PTR resource record for the created reverse zones.
Workaround:
Create reverse zones exactly ending with .arpa.
668964-4 : 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
Solution Article: K81873940
Component: TMOS
Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.
Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.
Impact:
Changes may apply to all peers in the group.
Workaround:
Depending on the network setup, it may be possible to workaround the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.
668822 : dwbld service restarts randomly
Component: Advanced Firewall Manager
Symptoms:
The service dwbld restarts without generating any core dump. This might happen randomly.
Conditions:
Certain dwbld socket operations can cause a signal to be issued.
Impact:
The signal is uncaught by the process. The signal itself is safe to ignore, but when left uncaught causes the process to restart. Service restart can disrupt ip-intelligence functionality, which the dwbld supports.
Workaround:
None.
668520 : csyncd does not handle an rsync stall
Component: Local Traffic Manager
Symptoms:
An unknown event caused rsync to spin in a select(2) loop while the rsync socket was in TCP state CLOSE-WAIT with 1 byte remaining in the receive queue.
Conditions:
The conditions under which this occurs are unknown, but might be related to VIPRION chassis, since that is the platform where this issue occurred.
Impact:
csyncd does not finish copying a file.
Workaround:
None.
668196-4 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down
Component: Local Traffic Manager
Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.
Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).
Impact:
Pool member remains marked down.
Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.
667223-2 : The merge option for the tmsh load sys config command removes existing nested objects
Component: TMOS
Symptoms:
Nested objects are removed when newer objects are merged in.
Configuration objects can contain nested objects. The merge option for tmsh load sys config command expects the nested-objects passed in to be merged alongside existing objects.
example:
Initial configuration
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
members {
test-mc1:http {
address 10.13.14.15
priority-group 1
session monitor-enabled
state checking
}
test-mc2:http {
address 10.13.14.16
priority-group 4
session monitor-enabled
state down
}
}
monitor tcp
}
Run load merge command:
[root@plate:Active:Standalone] config # tmsh -m
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm pool test-pool-mcconfig {
members {
test-mc2:http {
priority-group 0
}
}
}
Loading configuration...
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D
New configuration, not merged:
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
members {
test-mc2:http {
address 10.13.14.16
session monitor-enabled
state down
}
}
monitor tcp
}
Conditions:
Execute tmsh load sys config merge from-terminal command.
The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.
Impact:
Configuration loss: Post merge the existing nested configuration objects are deleted.
Workaround:
None.
666258-4 : GTM/DNS manual resume pool member not saved to config when disabled
Component: Global Traffic Manager (DNS)
Symptoms:
manual-resume disabled pool member becomes available after reboot.
Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.
Impact:
Unexpected available pool member which should be disabled.
Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only
666117-2 : Network failover without a management address causes active-active after unit1 reboot
Component: TMOS
Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.
Conditions:
Device Service Cluster with only self-ips configured for the failover network.
Impact:
Unexpected failover may cause traffic interruption.
Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.
665732-4 : FastHTTP may crash when receiving a fragmented IP packet
Component: Local Traffic Manager
Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.
Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.
Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.
665117-4 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Server status flapping from red-green-red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
664894-4 : PEM sessions lost when new blade is inserted in chassis
Solution Article: K11070206
Component: TMOS
Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.
Conditions:
HA in use 'between clusters'.
Impact:
Data loss of some SessionDB entries.
Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'
664507-1 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
Component: Access Policy Manager
Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates
Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.
Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.
Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.
664017-1 : OCSP may reject valid responses
Component: TMOS
Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:
OCSP response: got EOF
Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.
Impact:
Valid OCSP responses may be rejected.
Workaround:
None.
663911-4 : When running out of memory, MCP can report an incorrect allocation size
Component: TMOS
Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:
Failed to allocate memory for size 260 at clone_message:952.
The memory size indicated in the message may be incorrect.
Conditions:
MCP runs out of memory while attempting an allocation.
Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.
Workaround:
None.
662816-4 : Monitor node log fd leak for certain monitor types
Solution Article: K61902543
Component: Local Traffic Manager
Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.
Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.
This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.
The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open
Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.
File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
661881-4 : Memory and performance issues when using certain ASN.1 decoding formats in iRules
Component: Local Traffic Manager
Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.
Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.
Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.
Workaround:
None.
Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.
660263-2 : DNS transparent cache message and RR set activity counters not incrementing
Component: Global Traffic Manager (DNS)
Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.
Conditions:
The cache is of type transparent.
-- Viewing statistics counters.
Impact:
The statistics counters stay zero.
Workaround:
There is no workaround.
659969-3 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
Component: Global Traffic Manager (DNS)
Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.
Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.
Impact:
Command does not complete successfully. This is an internal validation issue.
Workaround:
None.
658852-2 : Empty User-Agent in iSessions requests from APM client on Windows
Component: Access Policy Manager
Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.
Conditions:
'/isession' requests from APM client on Windows.
Impact:
Failure to establish a VPN tunnel.
Workaround:
None.
658636-5 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
Solution Article: K51355172
Component: TMOS
Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,
Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:
create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon
The system creates the following monitor:
gtm monitor http one_test_mon {
defaults-from http
destination *:*
interval 30
probe-timeout 5
recv 200
send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"
Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.
Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.
657883-4 : tmm cache resolver should not cache response with TTL=0
Solution Article: K34442339
Component: Local Traffic Manager
Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.
Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.
Impact:
tmm cache resolver caches responses with TTL=0.
Workaround:
None.
657834-4 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
657795-3 : Possible performance impact on some SSL connections
Solution Article: K51498984
Component: Local Traffic Manager
Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.
Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.
-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.
Impact:
Performance may be impacted on those SSL connections.
Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.
657713-4 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
Solution Article: K05052273
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:
notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
Set service-down-action to none or reselect.
655807-4 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
Solution Article: K40341291
Component: Global Traffic Manager (DNS)
Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.
Conditions:
QoS load balance.
Impact:
Load balance decision is mostly impacted by packet rate.
Workaround:
None.
655767-1 : MCPD does not prevent deleting an iRule that contains in-use procedures
Component: Local Traffic Manager
Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.
MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:
01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).
However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.
Conditions:
Must be using iRules that call into other iRules.
Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.
Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
655724-1 : MSRDP persistence does not work across route domains.
Solution Article: K15695
Component: Local Traffic Manager
Symptoms:
MSRDP persistence doesn't work with non-default route domains.
Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.
Impact:
MSRDP persistence does not work.
Workaround:
Implement MSRDP persistence using iRules.
655432-3 : SSL renegotiation failed intermittently with AES-GCM cipher
Solution Article: K85522235
Component: Local Traffic Manager
Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.
Conditions:
This failure is more likely to occur during mutual authentication.
Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.
Workaround:
Disable AES-GCM cipher.
655383-1 : Failure to extend database continues to execute rather than halting because of fragmented state.
Component: Local Traffic Manager
Symptoms:
Rarely occurring failure to extend database results in operations continuing to execute rather than halting because of fragmented state. Various behavior might occur, for example: unexpected traffic to disabled pool members, intermittent updated cert usage, receipt of messages such as 'MCP message handling failed' or 'Memory allocation failed: can't allocate memory to extend db size', and others.
Conditions:
TMM heap is fragmented such that memory allocation fails when extending the database.
Impact:
Operations continues to execute rather than halting, as might be expected. The system might report a variety of unexpected log messages and/or behaviors due to subsequent inconsistent state.
Note: This is an extremely rare condition that occurs only when TMM is left in an inconsistent state. Although it is possible that this might eventually lead to bad behavior downstream, the event itself does not cause memory issues.
Workaround:
None.
654109-4 : Configuration loading may fail when iRules calling procs in other iRules are deleted
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).
Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
653930-4 : Monitor with description containing backslash may fail to load.
Solution Article: K69713140
Component: Local Traffic Manager
Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.
Conditions:
Monitor with description containing backslash.
Impact:
Configuration changes without human intervention. Potential load failure.
Workaround:
Don't use backslashes in monitor descriptions.
653775-1 : Ampersand (&) in GTM synchronization group name causes synchronization failure.
Solution Article: K05397641
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.
Conditions:
A GTM synchronization group name with an ampersand (&) in the name.
Impact:
GTM sync groups does not synchronize.
Workaround:
Remove ampersand from sync group name.
653746-4 : Unable to display detailed CPU graphs if the number of CPU is too large
Solution Article: K83324551
Component: Local Traffic Manager
Symptoms:
Cannot display detail CPU graph. Go to Statistics :: Performance. Click 'View Detail Graph' under System CPU usage. Graph cannot display. System posts the message: Error trying to access the database.
Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.
Impact:
Administrator is unable to view the detail CPU graphs.
Workaround:
None.
653729-1 : Support IP Uncommon Protocol
Component: Advanced Firewall Manager
Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.
Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.
Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.
Workaround:
None.
653376-4 : bgpd may crash on receiving a BGP update with >= 32 extended communities
Component: TMOS
Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities
Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.
Impact:
bgpd may crash causing the BGP peering to reset
Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.
652981 : tmipsecd aborts
Component: TMOS
Symptoms:
tmipsecd aborts.
Conditions:
Conditions are unknown; this occurred once.
Impact:
IPsec-related operations halted while tmipsecd restarts.
Workaround:
None.
652877-1 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:
-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.
Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.
You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Reactivate the license only on a system that is standby/offline.
652671-2 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
Solution Article: K31326690
Component: TMOS
Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.
Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.
Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.
Workaround:
None.
652577-4 : Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.
Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby
Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.
Workaround:
Reboot or restart TMM.
651901-5 : Removed unnecessary ASSERTs in MPTCP code
Component: Local Traffic Manager
Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.
Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.
Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
651889-1 : persist record may be inconsistent after a virtual hit rate limit
Component: Local Traffic Manager
Symptoms:
persist record may be inconsistent after a virtual hit rate limit
Conditions:
A virtual with rate limit set.
persist is enabled.
Impact:
persist behavior will be impacted.
Workaround:
disable rate limit on virtual
651541-4 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile
Solution Article: K83955631
Component: Local Traffic Manager
Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.
Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.
Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.
Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.
651432 : When mcpd on a secondary blade crashes, after it comes back up, the virtual_disk entries are missing for that blade
Component: TMOS
Symptoms:
vCMP virtual disk images may appear to be missing according to the BIG-IP system (hypervisor), even though the disk images still exist.
Conditions:
MCPD on a secondary blade restarts, but vcmpd does not restart.
Impact:
This can cause confusion when looking at the hypervisor.
Workaround:
Restart vcmpd.
651169-5 : The Dashboard does not show an alert when a power supply is unplugged
Component: Advanced Firewall Manager
Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.
Conditions:
One of the power supplies is unplugged.
Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.
Workaround:
None.
651136-4 : ReqLog profile on FTP virtual server with default profile can result in service disruption.
Solution Article: K36893451
Component: TMOS
Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.
Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.
Impact:
Service disruption, fail-over event.
Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.
651005-1 : FTP data connection may use incorrect auto-lasthop settings.
Component: Local Traffic Manager
Symptoms:
Due to known issue FTP data connection may fail to use auto-lasthop settings configured on the virtual server and use a value configured on VLAN level instead.
Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'
(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'
With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'
(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'
Impact:
FTP data connection may fail to be established.
Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.
650002-4 : tzdata bug fix and enhancement update
Component: TMOS
Symptoms:
There have been changes to timezone data that impact tzdata packages:
* Mongolia no longer observes Daylight Saving Time (DST).
* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.
Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.
Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).
Workaround:
None.
649564-4 : Crash related to GTM monitors with long RECV strings
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.
Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.
Impact:
Core dump. Traffic might be disrupted while gtmd restarts.
Workaround:
None.
649234-2 : TMM crash from a possible memory corruption.
Solution Article: K64131101
Component: Access Policy Manager
Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.
Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
648954-4 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).
Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.
Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
648621-3 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.
Impact:
The multi-homing connections won't be expired.
Workaround:
Don't manually deleted the multi-homing connections.
648544-3 : HSB transmitter failure may occur when global COS queues enabled
Solution Article: K75510491
Component: TMOS
Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.
Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.
Impact:
If this issue occurs then the BIG-IP is rebooted.
Workaround:
Do not use global COS queues.
648286-3 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
Component: Global Traffic Manager (DNS)
Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.
Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.
Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.
Loss of functionality from earlier releases.
Workaround:
Manually select each entry to add to the member list.
648037-4 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.
Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure a monitor for the pool.
647903 : Android receiver 3.11 new store addition with auto discovery does not work
Component: Access Policy Manager
Symptoms:
Could not add a new account in auto discovery for Citrix receiver 3.11 version and getting error as "Citrix Receiver could not verify the server address"
Conditions:
BIG-IP virtual is configured for Citrix replacement mode in 11.5.x release
Adding new account in Citrix Android receiver 3.11 in auto discover mode.
Impact:
Could not add new account in auto discover mode for Citrix Android receiver 3.11
Workaround:
Add this iRule to the virtual server.
when HTTP_REQUEST {
set uri_path [string tolower [HTTP::path]]
if { $uri_path == "/vpn/index.html" } {
set cookie "pwcount=0;Secure;HttpOnly;Path=/"
HTTP::respond 200 -version auto content "/vpn/cgi/login" noserver "Set-Cookie" $cookie
} elseif { $uri_path == "/agservices/discover" } {
set cookie "X-Citrix-Session-Expired=true"
HTTP::respond 403 noserver "X-Citrix-Session-Expired" "true"
}
}
647834-2 : Failover DB variables do not correctly implement 'reset-to-default'
Component: TMOS
Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.
Conditions:
This is known to affect at least the following failover-related DB variables:
log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary
Impact:
The configuration change does not take effect.
Workaround:
Explicitly set the DB variable to the desired value.
647812-1 : /tmp/wccp.log file grows unbounded
Component: TMOS
Symptoms:
WCCP uses /tmp/wccp.log as output for Diagnostic information,
independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent the file is cleaned up automatically.
Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.
Impact:
/tmp/wccp.log grows unbounded, filling up the disk.
647071-4 : Stats for SNATs do not work when configured in a non-zero route domain
Component: Local Traffic Manager
Symptoms:
When creating SNAT in a Route Domain different from 0, the command 'tmsh show ltm snat' does not report any statistics.
Conditions:
This occurs on all SNATs in a route domain other than 0.
Impact:
No statistics for the SNATs
Workaround:
None.
645635-4 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
Component: Local Traffic Manager
Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).
When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.
Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.
Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:
tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }
645058-2 : Modifying SSL profiles in GUI may fail when key is protected by passphrase
Component: Local Traffic Manager
Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:
01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.
This can occur even when the passphrase already in the SSL profile is correct.
Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:
tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }
Impact:
User cannot update client SSL profile via the GUI.
Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.
644979-4 : Errors not logged from hourly 1k key generation cron job
Component: TMOS
Symptoms:
Errors from the 1k key generation hourly cron job do not get logged as intended from the hourly 1024-bit key generation task.
Conditions:
This occurs during hourly generation of ephemeral keys.
Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.
Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.
644046 : Firewall ACL logs for IPv6 traffic
Component: Advanced Firewall Manager
Symptoms:
Sometimes for IPv6 traffic, the ACL rule hit log can print the destination address in IPv4 form.
Conditions:
When the virtual server destination address range is within IPv4 space, and the traffic is over IPv6, the generated Firewall ACL rule hit log prints the IPv4 address, and not the IPv6 destination address format.
Impact:
Logging reports destination address in IPv4 format, instead of IPv6.
643860-2 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
Component: Local Traffic Manager
Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:
-- In /var/log/tmm:
notice MCP connection expired early in startup; retrying.
In/var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.
Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.
Impact:
The TMM processes will restart and fail to come up properly.
Workaround:
To recover, reboot the system.
Note: Do not perform file open operations on /dev/vnic. There is no need to.
643799-3 : Deleting a partition may cause a sync validation error
Component: TMOS
Symptoms:
Deleting a partition may cause the sync to peers to fail.
For example, on BIG-IP1:
tmsh delete auth partition P1
tmsh show cm sync-status
Sync Summary
Status Sync Failed
Summary A validation error occurred while syncing to a remote device
Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)
Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.
Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.
Impact:
The sync of this change may fail on peers.
Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.
643459-1 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
Solution Article: K81809012
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP in the Referer header.
643041-3 : Less than optimal interaction between OneConnect and proxy MSS
Solution Article: K64451315
Component: Local Traffic Manager
Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.
Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.
Impact:
Decreased throughput, possible congestion due to small segments.
Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.
642923-4 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
Solution Article: K01951295
Component: TMOS
Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.
Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.
There are a number of ways that this issue may manifest.
For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).
*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.
Impact:
mcpd restarts, which causes a system to go offline and restart services.
Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:
modify sys daemon-ha mcpd heartbeat disable
Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.
Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.
To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.
642122 : Cannot delete a SNAT pool and SNAT translation address in a single transaction.
Component: Local Traffic Manager
Symptoms:
When attempting to delete an in-use SNAT translation and SNAT pool in a single transaction, tmsh will report that the SNAT translation object is in use, even though it is up for deletion in the current transaction. The system posts an error similar to the following: SNAT translation address <address> is still referenced by a snat pool
Conditions:
Attempt to delete a SNAT pool and SNAT translation object in the same transaction.
Impact:
Configuration scripts must order object deletion so that the SNAT translation object is removed before the SNAT pool.
Workaround:
Delete the SNAT translation first, then delete the SNAT pool.
641450-2 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
641390-3 : Backslash removal in LTM monitors after upgrade
Solution Article: K00216423
Component: TMOS
Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.
Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.
Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.
For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.
ltm monitor https /Common/my_https {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from /Common/https
destination *:*
interval 5
ip-dscp 0
recv "Test string"
recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
send Test
time-until-up 0
timeout 16
username test\\\"me
}
Impact:
The monitor fails to load.
Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.
640924-5 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12) LED icons on Edge client's main UI, the buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.
Conditions:
macOS Sierra (10.12.x) and Edge client application.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
None.
640369-4 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.
Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan
TMM may respond directly using the auto-lasthop feature and not via the route lookup.
Impact:
Traffic may not follow the expected path.
639970-1 : GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
Component: Local Traffic Manager
Symptoms:
Client SSL profile certificate extensions names switch to numbers if there is any validation error in save.
Conditions:
Try to Create/Modify client ssl profile such that it results in a validation error and click 'Finished/Update'.
Impact:
No functional impact: certificate extensions names switch to their number representation, but if you correct the actual validation error and submit the change, the saved object will have the expected set of certificate extensions.
Workaround:
Use TMSH to create/update client SSL profile.
639774-3 : mysqld.err rollover log files are not collected by qkview
Solution Article: K30598276
Component: TMOS
Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview without truncation rules normally used for log files. Also, the mysqld.err.1 and mysqld.err.2.gz, etc are not collected at all.
Conditions:
This occurs when generating a qkview.
Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.
Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.
639744-4 : Memory leak in STREAM::expression iRule
Solution Article: K84228882
Component: Local Traffic Manager
Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.
Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.
Impact:
This causes a memory leak in tmm.
Workaround:
None.
639039-2 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
Solution Article: K33754014
Component: Local Traffic Manager
Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.
Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.
Impact:
Dynamic routing information is lost and must be relearned.
Workaround:
When using dynamic routing, only change the host name during a maintenance window.
638091-2 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic as they restart
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
637613-1 : Cluster blade being disabled immediately returns to enabled/green
Solution Article: K24133500
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
637308-6 : apmd may crash when HTTP Auth agent is used in an Access Policy
Solution Article: K41542530
Component: Access Policy Manager
Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.
Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.
The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.
Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.
Workaround:
Use basic auth, or do not use HTTP Auth.
637252-3 : Rest worker becomes unreliable after processing a call that generated an error
Solution Article: K73107660
Component: Application Security Manager
Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.
Note: Policies are meant to be created inactive and then activated through the apply-policy task.
Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.
2) To recover a device that has reached this state, restart restjavad using the following command:
bigstart restart restjavad
637227-2 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.
Solution Article: K60414305
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.
A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.
Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.
Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.
Workaround:
None.
636823-1 : Node name and node address
Component: TMOS
Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.
Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1
Impact:
When you attempt to add the node to a pool, an error will occur:
Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1
Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.
636790-1 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
Component: Global Traffic Manager (DNS)
Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.
Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.
Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.
Workaround:
None.
636669-1 : bd log are full of 'Can't run patterns' messages
Solution Article: K37300224
Component: Application Security Manager
Symptoms:
The bd log are getting filled up with 'Can't run patterns' messages. A core might occur due to the i/o outage. General traffic disturbance/slowness might occur.
Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.
Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.
Workaround:
None.
636643 : OAM Access gate init problem
Component: Access Policy Manager
Symptoms:
Access gates are not properly initialized after the first gate in the list initializes.
Conditions:
Configure more than one access gate.
Impact:
Other access gates are initialized with incorrect information, server initialization fails due to wring access gate ID.
Workaround:
None.
636104-5 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
Component: Application Visibility and Reporting
Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.
Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.
Impact:
Not seeing the pool member under the HTTP "pool" dimension.
Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
But once defined once, it will go to the DB and will be shown from that point.
This is a partial workaround since it needs to be done for every port that is being used in traffic.
636031-2 : GUI LTM Monitor Configuration String adding CR for type Oracle
Solution Article: K23313837
Component: TMOS
Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.
Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.
Impact:
The /config/bigip.conf file contains CR characters in the file.
Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.
635561-4 : Heavy URLs statistics are not shown after upgrade.
Component: Application Visibility and Reporting
Symptoms:
Heavy URLs statistics are not shown after upgrade.
Conditions:
Upgrading to newer version
Impact:
Missing statistics.
Workaround:
No workaround
635173-4 : Standby BIG-IP TMM uses unexpectedly large amount of memory
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device, and it recovers each time when the high availability (HA) connection is lost and re-established.
Conditions:
The problem happens only on Standby device with L7 mirroring traffic in effect.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
There is no workaround at this time.
634259-1 : IP tuple nexthop object can be freed while still referenced by another structure
Solution Article: K50166002
Component: Local Traffic Manager
Symptoms:
IP tuple nexthop object can be freed while still referenced by another structure.
Conditions:
This can happen if LSN is in use and the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.
Workaround:
None.
634201-1 : POST requests get reset on early server response.
Component: Local Traffic Manager
Symptoms:
Connection resets are encountered on large POST requests when the server responds early and shuts down the connection.
Conditions:
AAM is enabled on the virtual server. AAM may improperly forward the response resulting in an internal error.
Impact:
Connections are reset before the response completes.
Workaround:
None.
634146 : scriptd crash during iApp reconfiguration
Component: iApp Technology
Symptoms:
Scriptd crashes on SIGABT While trying to reconfigure an iApp (f5.ldap), and in /var/log/scriptd.out you see the following entry:
terminate called after throwing an instance of 'CLI::Exception'
what(): In root folder, can't get partition folder
/var/log/ltm contains this signature:
info scriptd[22758]: 01420004:6: Starting iApp template /Common/f5.ldap
notice mcpd[5799]: 01070418:5: connection 0x5f654348 (user <user>) was closed with active requests
err scriptd[5619]: 014f0004:3: stopping worker process (22758) socket error
Conditions:
This can be triggered if you click into the iApp, select reconfigure, and hit finish without making any changes.
Impact:
You are unable to update the iApp and may need to uninstall and re-install it.
Workaround:
You may be able to avoid this by ensuring that the "Do you wish to upgrade this template?" checkbox is checked when reconfiguring the iApp.
634014-3 : Absolute timers may fire one second early during the leap second event
Component: TMOS
Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.
Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.
Impact:
Impact to applications unknown. The system stays stable, and a timer may be fired off earlier than expected
Workaround:
None.
633512-5 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
Component: TMOS
Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).
Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.
Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.
Workaround:
Do not configure Auto-Failback on VIPRION.
633364 : Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment.
Component: Access Policy Manager
Symptoms:
Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment. If vCMP guest runs on only one slot, this issue is not seen. When a vCMP guest is expanded to another slot, Access policy association with Public hosted URI is missing on 2nd slot.
Conditions:
APM needs to be provisioned and public content should be hosted on BIG-IP. Also vCMP guest needs to run on multiple slots.
Impact:
Client might receive 302 from BIG-IP for publicly hosted content instead of 200 or 404.
Workaround:
Restart services on expanded vCMP slot and manually assign the access policy to publicly hosted content.
632825-3 : bcm56xxd crash following 'silent' port-mirror configuration failure
Component: TMOS
Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:
err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).
Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.
If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.
Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.
Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.
Workaround:
None.
632668-2 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
Component: TMOS
Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.
Conditions:
System is using statically configured BFD sessions. System is forced offline.
Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.
632156 : A standby system can send gratuitous ARPs using both the VLAN and VLAN group MAC addresses
Component: Local Traffic Manager
Symptoms:
The ltm logs show "address conflict" messages for one or more non-floating self IPs:
warning tmm[16580]: 01190004:4: address conflict detected for 172.16.1.17 (00:01:d7:e3:c2:c3) on vlan 1326.
The monitor traffic originated from those self IP addresses might be affected and pool member flapping symptoms might appear in the logs as well.
Conditions:
- The device has at least one non-floating self IP sitting in a VLAN group.
- The device is a member of a Device Group.
- The device's role is standby.
Impact:
Monitoring traffic from the standby unit might be affected, and pool member's status might not be tracked properly.
Workaround:
None.
632001-2 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
Component: Local Traffic Manager
Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.
This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.
Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.
Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.
Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.
630929-2 : Attack signature exception list upload times-out and fails
Solution Article: K69767100
Component: Application Security Manager
Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------
Conditions:
ASM provisioned.
Attack signature exception list uploaded.
Impact:
Attack signature exception list upload times-out and fails.
Workaround:
N/A
630661-1 : WAM may leak memory when a WAM policy node has multiple variation header rules
Solution Article: K30241432
Component: WebAccelerator
Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.
Conditions:
WAM policy with node utilizing multiple variation header rules.
Impact:
Potential per-request memory leakage driven by client traffic.
Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.
630610-4 : BFD session interface configuration may not be stored on unit state transition
Solution Article: K43762031
Component: TMOS
Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.
Conditions:
State transitions from online to offline.
Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.
Workaround:
Re-add statements manually.
629834-3 : istatsd high CPU utilization with large number of entries
Component: TMOS
Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.
Conditions:
This occurs when there is a large number of istats entries in iRules.
Impact:
istats processing is slow. CPU utilization by istatsd is high.
Workaround:
Reduce the number of istats entries. Periodically purge the the istats entries if possible.
629499-3 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
Component: TMOS
Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found
This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.
Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.
Impact:
Certain tmsh sys perf commands fail to work and give an error.
Workaround:
Restart statsd on all blades once the chassis is up.
e.g.
"bigstart restart statsd" on each blade.
629421-3 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
Component: Global Traffic Manager (DNS)
Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.
Conditions:
Adding or removing Wide IPs on a GTM sync pair.
Impact:
A few bytes of memory will be leaked by Big3d on sync.
Workaround:
there is no workaround at this time.
629207 : TMSH output shows dtca.crt certificate-key-size is 1
Component: TMOS
Symptoms:
TMSH output shows dtca.crt certificate-key-size is 1, but the correct value should be 2048. This appears to be a cosmetic bug only, as OpenLLS shows the correct key size.
Conditions:
Running the command tmsh list cm cert dtca.crt.
Impact:
Shows dtca.crt certificate-key-size is 1, but the correct value should be 2048. This is a cosmetic issue only.
Workaround:
Use OpenLLS to see the correct key size.
628721-4 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
Component: Local Traffic Manager
Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.
Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.
Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.
Workaround:
Restarting tmm will clear the leaked connections.
628202-1 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging
Component: TMOS
Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.
Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".
Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.
Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.
628180-3 : DNS Express may fail after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may not answer DNSX zones without TMM restart / DNSX zone refresh on upgrade.
Conditions:
Upgrading from previous version.
Impact:
DNS Express may fail after TMM.
Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".
628016-4 : MP_JOIN always fails if MPTCP never receives payload data
Component: Local Traffic Manager
Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.
Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.
Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.
Workaround:
There is no workaround at this time.
627764-4 : Prevent sending a 2nd RST for a TCP connection
Component: Local Traffic Manager
Symptoms:
After a specific sequence of packets resulting in sending a RST packet, TCP connection was kept alive and sent another RST when connection expired.
Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.
Impact:
2 RST segments is sent to the client instead of 1. In addition, the TCP connection was kept alive until the sweeper cleaned it.
Workaround:
There is no workaround at this time.
627760-1 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
Component: TMOS
Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.
Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.
Impact:
No DNSSEC key of that name is present on FIPS card.
Workaround:
None.
627385 : Could not add new account in Citrix receiver for mac v12.3.0
Component: Access Policy Manager
Symptoms:
Could not add new account in Citrix receiver for mac version 12.3.0. It displays error as "Could not detect the specified account".
Conditions:
BIG-IP APM is used in either integration mode with Storefront or replacement mode. Add new account in Citrix receiver for mac v12.3.0
Impact:
Could not add new account
Workaround:
Attach this irule onto virtual server
when HTTP_REQUEST {
set uri_path [string tolower [HTTP::path]]
if { $uri_path == "/vpn/index.html" } {
set cookie "pwcount=0;Secure;HttpOnly;Path=/"
HTTP::respond 200 -version auto content "/vpn/cgi/login" noserver "Set-Cookie" $cookie
}
}
626721-2 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
Component: TMOS
Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342
Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.
Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).
Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.
626589-3 : iControl-SOAP prints beyond log buffer
Solution Article: K73230273
Component: TMOS
Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.
Conditions:
Logging for iControl SOAP is turned on with trace level.
Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.
Workaround:
Do not enable logging with trace level, which is not turned on by default.
626577 : HTTP monitor log file is recreated after being deleted
Component: Local Traffic Manager
Symptoms:
HTTP monitor log file is recreated after being deleted.
Conditions:
If the HTTP monitor log file is deleted during normal execution, it will be recreated, which is inconsistent with the behavior of other monitors. Normally the file is not recreated until the process is restarted.
Impact:
Deleted HTTP monitor log file is recreated. There is no impact to the system overall.
Workaround:
None.
626434-3 : tmm may be killed by sod when a hardware accelerator does not work
Solution Article: K65283203
Component: Local Traffic Manager
Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.
Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Power cycling the system might correct the error.
625892-4 : Nagle Algorithm Not Fully Enforced with TSO
Component: Local Traffic Manager
Symptoms:
Sub MSS packets are more numerous than Nagle's algorithm would imply.
Conditions:
TCP Segmentation Offload is enabled.
Impact:
Sub-MSS packets increase overhead and client power consumption.
Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
625832-3 : A false positive modified domain cookie violation
Component: Application Security Manager
Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.
Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.
Impact:
A false positive violation.
Workaround:
Remove the modified domain cookie violation from blocking.
625807 : tmm cored in bigproto_cookie_buffer_to_server
Component: Local Traffic Manager
Symptoms:
TMM cores on SIGSEGV during normal operation.
Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule iRule, this log signature may indicate that this is being triggered:
tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>
Impact:
Traffic disrupted while tmm restarts.
625602-1 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.
Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).
Impact:
ASM configuration does not sync properly
Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server
625456-1 : Pending sector utility may write repaired sector incorrectly
Component: TMOS
Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.
When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)
For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements
Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.
Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades
Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.
The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:
# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device
# smartctl -i /dev/sda | grep "Sector Size"
Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical
Not Affected:
Sector Size: 512 bytes logical/physical
Impact:
Potential corruption of unknown files on BIG-IP volumes.
624917-2 : First few handshakes fail after chassis/appliance reboot when using HSM
Component: Local Traffic Manager
Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:
warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>
Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.
Impact:
The initial SSL connections will fail, then normal operation will resume.
Workaround:
None.
624909-4 : Static route create validation is less stringent than static route delete validation
Component: TMOS
Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.
Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.
Impact:
Unable to delete certain self-IPs.
Workaround:
In order to delete the self-IPs you can either:
1) Delete the static route.
or
2) Create a self-IP on the same interface and using the IP protocol as the static route.
624626-2 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
Component: TMOS
Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:
01020036:3: The requested Certificate File (/Common/example.crt) was not found
Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.
Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
624616-4 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
623536-5 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
Component: TMOS
Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, SNMP traps sent for notifying RSTs sent due to maintenance mode on are not being sent.
Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable
Impact:
snmp traps are not sent
Workaround:
Adding custom trap in /config/user_alert.conf with escaped characters will workaround the issue:
alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}
623391-2 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.
Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3
623371-4 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
Component: TMOS
Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.
Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.
Impact:
User does not see expected password prompt.
This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.
Workaround:
None known.
623367-3 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
Solution Article: K57879554
Component: TMOS
Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.
Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.
Impact:
With root SSH keys, can login as nonexistent user.
Workaround:
Set the default remote role to something other than admin.
623336-1 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
Component: TMOS
Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.
Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)
Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.
This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
623265-1 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★
Solution Article: K15645547
Component: TMOS
Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.
Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.
Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).
For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
622619-2 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
Component: TMOS
Symptoms:
MCPd cpu utilization is high and renders it unresponsive.
Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.
Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.
Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.
622260 : Some TCP connections do not work when hardware syncookies are being issued and certain options are enabled
Component: Local Traffic Manager
Symptoms:
On BIG-IP 11.5.x, approximately 50% of TCP connections have all of their packets dropped when hardware syncookies are being issued and certain other features are enabled.
Conditions:
An 11.5.x version of the BIG-IP is in use on the system, the platform supports hardware syncookies, hardware syncookies are being issued, and the sys db TM.TCPProgressive is set to "mptcp" or "negotiate". If the sys db TM.TCPProgressive is set to "negotiate", the issue will occur only if the above conditions and any one of the following conditions applies to the TCP profile attached to the virtual server:
1. MPTCP is enabled.
2. Rate pacing is enabled.
3. Congestion control is not reno, new-reno, high-speed, or scalable.
Impact:
Approximately 50% of connections will have all of their packets dropped when hardware syncookies are being issued.
Workaround:
Any of the following actions will mitigate this issue:
1. Disable hardware syncookies.
2. Set sys db TM.TCPProgressive to "enable" or "disable". This will have performance implications and may disable some TCP features.
3. If sys db TM.TCPProgressive is set to "negotiate", set the following options on the TCP profile as follows:
a. Disable MPTCP.
b. Disable rate pacing.
c. Set congestion control to reno, new-reno, high-speed, or scalable.
622183-2 : The alert daemon should remove old log files but it does not.
Component: TMOS
Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.
Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.
Impact:
The log filesystem may become completely full, and new log messages cannot be saved.
622148-1 : flow generated icmp error message need to consider which side of the proxy they are
Component: Local Traffic Manager
Symptoms:
when generating an error message from a flow, the icmp6 code does not check which side the messages needs to be crafted for.
Conditions:
error handling
Impact:
As a result generated ICMP error message might contain the wrong addressing
Workaround:
no workaround
622017-7 : Performance graph data may become permanently lost after corruption.
Solution Article: K54106058
Component: Local Traffic Manager
Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.
However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.
Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.
Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.
Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.
621909-6 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
Solution Article: K23562314
Component: TMOS
Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.
Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.
Impact:
Uneven traffic distribution.
Workaround:
None.
621855 : TMM could use a lot of memory when an iRule calls parking command under AUTH events
Component: Local Traffic Manager
Symptoms:
TMM memory usage keeps going and depending on the situation may eventually crash.
Conditions:
iRule calls parking commands under AUTH events.
Impact:
TMM memory usage keeps going up. Traffic disrupted while tmm restarts.
Workaround:
The AUTH usage is replaced with APM module which is the preferred solution.
621843-2 : the ipother proxy is sending icmp error messages to the wrong side
Component: Local Traffic Manager
Symptoms:
the ipother proxy error handling sends ICMP error messages down the wrong side of the proxy. when a client-side error occurs, the error message is being sent to the server side
Conditions:
error handling of the ipother proxy
Impact:
ICMP error messages show up on the wrong side
Workaround:
no workaround
621736-2 : statsd does not handle SIGCHLD properly in all cases
Component: Local Traffic Manager
Symptoms:
- Performance graphs are not updating or are not existant.
- proc_pid_stat shows statsd time not increasing
- Top also shows that statsd is not taking any processor time.
Infact statsd is stuck on a wait in a signal handler.
Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.
The following can trigger the issue:
rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)
Impact:
No performance graphs are collected / generated
Workaround:
Restart statsd:
- bigstart restart statsd
621284-2 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
Component: WebAccelerator
Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.
Conditions:
Invoking the TMSH man/help page on RAMCACHE.
Impact:
Incorrect TMSH help text
Workaround:
N/A
621259-1 : Config save takes long time if there is a large number of data groups
Component: TMOS
Symptoms:
Config save takes a long time to complete
Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration
Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM
620969-2 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
Component: TMOS
Symptoms:
Using the get_valid_key_sizes() for querying the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.
Conditions:
FIPS firmware is version 2.2 or above.
Impact:
Unsupported key-size is returned.
620958 : TMM crash with assertion failure of pkt type not already ETHERTYPE_ARP
Component: Local Traffic Manager
Symptoms:
tmm crashes repeatedly on SIGSEGV during normal operation.
Conditions:
It is not known exactly what triggers this, but the following log signature is seen in /var/log/ltm:
arning tmm[6659]: 01190004:4: address conflict detected for <ip> (<mac>) on vlan <vlan>
Where <ip> is the self IP, and <mac> is the mac from the peer BIG-IP device.
Impact:
Traffic disrupted while tmm restarts.
620954-1 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
Component: TMOS
Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent authentication failure results in users not being able to login.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.
620658 : Existence of /mprov_firstboot with vcmp can set improper tmmcount
Component: TMOS
Symptoms:
During start-up, tmm may go into a restart loop and never come up fully.
Conditions:
This can occur on both the vCMP host and guest, usually during the first or second boot of the upgraded software. The existence of /mprov_firstboot and a provision.tmmcountactual set to an incorrect value is an indication that this is occurring.
Impact:
Traffic disrupted while tmm restarts.
tmm on the host goes into a restart loop due to lack of memory. Signature in the log files is similar to "notice Too small memsize (90) -- need at least 136 MB"
tmm on the guests core with tmm log entries:
notice panic: vdag failed to attach
notice ** SIGFPE **
620346-1 : When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen.
Component: Global Traffic Manager (DNS)
Symptoms:
When the page refreshes, it loads the wideip statistics screen, rather than the wideip pool statistics screen.
Conditions:
Have wide IP & pools and visit the stats page and click on view detail under the "Pools" column with refresh enabled.
Impact:
It makes it hard for the user to view updated stats for that particular stats page because it cannot be auto-refreshed.
Workaround:
Clicking the << Back button and "view detail" again would update the page stats.
620215-2 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
619879-4 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable.
when CLIENT_ACCEPTED {
HTTP::disable
// do some other stuff
HTTP::enable
}
Impact:
client receives a HTTP 503 reset
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
619854 : Duplicate entry for bigipPb200 in F5-BIG-IP-SYSTEM-MIB
Component: TMOS
Symptoms:
Duplicate error when loading F5-BIG-IP-SYSTEM-MIB into the SNMP manager.
Conditions:
Loading F5-BIG-IP-SYSTEM-MIB into the SNMP manager.
Impact:
F5-BIG-IP-SYSTEM-MIB fails to load into the SNMP manager.
Workaround:
Changing
bigipPb200 OBJECT IDENTIFIER ::= { sysDeviceModelOIDs 19 } to
bigipViprion4 OBJECT IDENTIFIER ::= { sysDeviceModelOIDs 19 }
in the F5-BIG-IP-SYSTEM-MIB.
619811-5 : Machine Cert OCSP check fails with multiple Issuer CA
Component: Access Policy Manager
Symptoms:
If there are multiple CAs in the CA bundle and issuing CA is not first in it, the OCSP responder returns "unauthorized" response.
Conditions:
This can only happen when issuing CA is not first in the CA file.
Impact:
OSCP check in machine cert will fail and user won't be able to follow successful branch in Access Policy. This might result in Authentication failure even though the machine cert is valid.
Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.
Follow these steps:
iRule:
1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"
Variable Assign:
3) Read this issuer cert from the session db and assign it back to the same session variable:
session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }
619528-3 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
619210 : [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys
Component: TMOS
Symptoms:
When running a stress test (for example, using Apache Bench tool) to aggressively connect virtual server whose clientSSL profile is using FIPS key;
in 11.5.4, you may observe high CPU usage by using "top" command on the system and "Clock advanced" messages in the ltm logs;
in 11.6.1, the above symptoms appeared in 11.5.4 are not seen, but ltm log prints a sequence of ERR_MEMORY_ALLOC_FAILURE at the beginning of the stress test.
Conditions:
1. The connection to the virtual server is using a clientSSL profile whose SSL key is a FIPS key.
2. The connection that uses the FIPS key is triggered very frequently (such as in a stress test). For example, from the client side, it runs this Apache Bench command "ab -c 1000 -n 1000000 https://10.10.10.100/" to test the virtual server.
Impact:
When the connections occupy too much of the CPU's resource, it could impact the performance of other tasks of the system.
Workaround:
When this issue occurs, you can try to mitigate it by any methods that restricts FIPS key usage in the SSL connection, for example, do not configure the clientSSL profile with the FIPS key as the default clientSSL profile of the virtual server, and add more non-FIPS clientSSL profiles to the virtual server, so that the connections are not always handled by the FIPS key.
619158-3 : iRule DNS request with trailing dot times out with empty response
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.
Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.
Impact:
The request does not properly resolve to an IP address.
Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.
618884-4 : Behavior when using VLAN-Group and STP
Component: Local Traffic Manager
Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.
Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.
Note: This issue is a constraint to soft switched platforms.
Impact:
May not see ICMP response traffic.
Workaround:
None.
618771-3 : Some Social Security Numbers are not being masked
Component: Application Security Manager
Symptoms:
ASM does not block or mask some SSN numbers.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains social security numbers with specific ranges.
Impact:
The traffic passes neither masked nor blocked to the end client.
Workaround:
None.
618693-1 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
Component: Application Security Manager
Symptoms:
When generating a web scraping attack of session opening anomaly type, there is an attack start/end event shown in the /var/log/asm and GUI: Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should come along with the route domain. In the case of "session opening anomaly" the route domain is always zero. (For example: 127.0.0.1%0). Even there is a non-zero route domain configured.
Conditions:
Route domain is configured and a web scraping attack event triggers.
Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.
Workaround:
None. This is a cosmetic error. The system uses the correct route domain
618657-5 : Bogus ICMP unreachable messages in PEM with ipother profile in use
Component: Policy Enforcement Manager
Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.
Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.
Impact:
Unnecessary ICMP traffic
618546-1 : ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile
Component: Local Traffic Manager
Symptoms:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.
Conditions:
Create a clientSSL profile is created by having cert/key field as defaults from parent profile, with a change in chain field. Make sure that no new cert-key-chain objects are added to the child profile.
In this case, since chain field is changed, the child profile shouldn't inherit any cert-kay-chain objects from the parent, but it does.
Impact:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.
618463-1 : artificial low route mtu can cause SIGSEV core from monitor traffic
Component: Local Traffic Manager
Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.
Conditions:
see above
Impact:
Traffic disrupted while tmm restarts.
Workaround:
configure correct MTU
618319-2 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
Solution Article: K58255321
Component: TMOS
Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.
Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).
If this port is blocked, the devices cannot exchange failover status information.
Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.
Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.
Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.
618104-4 : Connection Using TCP::collect iRule May Not Close
Component: Local Traffic Manager
Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.
Conditions:
A finite TCP::collect iRule is in progress.
This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.
Impact:
The connection does not close until the sweeper causes a RST.
Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.
618024-4 : software switched platforms accept traffic on lacp trunks even when the trunk is down
Component: Local Traffic Manager
Symptoms:
On software switched platforms tmm owned LCAP trunks still accept traffic even though the trunk is down from the control plane ( LACP status down).
Conditions:
LACP trunk with status down
Impact:
VLAN failsafe timers are erroneous reset, VLAN failsafe is broken.
Workaround:
no workaround
617841 : Using iControl REST to create ucs archive results in a "500 internal server error" response when unit has ASM provisioned
Component: Application Security Manager
Symptoms:
using iControl REST to create a ucs archive results in a "500 internal server error" response when unit has ASM provisioned.
however, the UCS file does get created.
Conditions:
ASM provisioned
Impact:
BIG-IP returns a 500 internal server error; however, the UCS file does get created.
Workaround:
N/A
617658 : Attack Signature Update with only 1 active policy logs "Please apply policy" error message
Component: Application Security Manager
Symptoms:
Attack Signature Update on a device with only a single active policy will log the following error message:
"There are too many Security Policies using outdated attack signatures. Please apply policy on all Security Policies."
This occurs even if "Auto Apply New Signatures Configuration After Update" is checked.
Conditions:
Attack Signature Update on a device with only a single active policy.
Impact:
Benign error posted. The error message has no functional impact and can be safely ignored.
Workaround:
None.
617316 : Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration
Component: Access Policy Manager
Symptoms:
Desktop launched from browser or from native receiver has garbled title.
Conditions:
Citrix storefront integration mode through APM with no STA configured. Double byte language such as Japanese character set is used in the backend.
Impact:
Desktop title is not shown properly.
Workaround:
None
616838-1 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
While adding the custom parameter in Citrix Resource would give parser error as following,
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
Having Citrix resource with custom parameter name with hyphen character
Impact:
Custom parameter can not be used with hyphen character
Workaround:
None
616021-4 : Name Validation missing for some GTM objects
Solution Article: K93089152
Component: TMOS
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.
The following GTM objects are susceptible to this control character issue:
gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool
Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.
Reproduction example:
create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only
Impact:
Causes the config to fail to load.
Workaround:
Remove control characters prior to creating GTM objects.
615970-3 : SSO logging level may cause failover
Component: Access Policy Manager
Symptoms:
SSO logging level may cause failover.
Conditions:
SSO logging level set to "Debug".
Impact:
TMM may crash. Core file may be generated.
Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".
615696 : TMM crash during AVR data cleaning timer
Component: Application Visibility and Reporting
Symptoms:
TMM crashed during data cleaning timer.
Conditions:
Root cause is not clear; cannot reproduce issue.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
615553-2 : Reverse/transparent setting reverting to disabled on child monitor
Solution Article: K51205306
Component: Local Traffic Manager
Symptoms:
Child monitor failing. Reverse/transparent setting reverting back to disabled.
Conditions:
Parent monitor with reverse/transparent enabled and child monitor with reverse/transparent disabled.
Impact:
The child monitor begins to fail when the configuration is re-loaded.
Workaround:
Make sure child and parent monitors have the same reverse/transparent setting. Or don't use a custom monitor as a parent if you want to modify reverse/transparent settings.
615522-1 : VDI crashes while responding to clients with multiple VDI threads running
Component: Access Policy Manager
Symptoms:
VDI crash dump is seen in bigip/var/core/ directory while accessing VDI resources.
Conditions:
VDI profile is attached to Virtual server and VDI resources are being used from webtop or from native client
Impact:
VDI access is interrupted
Workaround:
None.
615303-4 : bigd crash with Tcl monitors
Solution Article: K47381511
Component: Local Traffic Manager
Symptoms:
bigd crashes after logging an error similar to the following:
emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream
Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.
-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.
-- May be particularly likely if the monitor is configured with an interval value of 1 second.
Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).
Impact:
bigd crashes and error messages.
Possible interruption of monitoring status, pool members going down, interruption of traffic.
Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.
614493-3 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
Component: TMOS
Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.
Conditions:
For example, server side pool member down events lead to BIG-IP reset of all client flows on the pool member. If these flows are actively offloaded in ePVA with heavy traffic at the time of pool member down and reset sending out time, the SEQ/ACK number for the sending RST by BIG-IP SW might not be recent, and therefore a RST with most SW aware SEQ/ACK will be encoded.
Impact:
These RST might be ignored by the receiver if it is out of the valid window. The receiver must rely on the idle or alive timeout to clean this up. Although the receiver must rely on its TCP alive or idle timeout to activate in order to clean up these connections, this is the standard TCP stack behavior.
Workaround:
None.
614486-4 : BGP community lower bytes of zero is not allowed to be set in route-map
Component: TMOS
Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.
Conditions:
set the BGP community value to a value of form ASN:0
Impact:
if you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also impact upgrading from the old versions to the version that doesn't support community values of the form ASN:0.
Workaround:
None
614410-1 : Unexpected handling of TCP timestamps in HA configuration
Component: Local Traffic Manager
Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.
The BIG-IP system calculates invalid round trip time which might result in delayed retransmission.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.
Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
614364 : Linux client NA components cannot be installed neither using sudo password nor root password
Component: Access Policy Manager
Symptoms:
Linux client Network Access components cannot be installed neither using sudo password nor root password on firefox browser. Issue occurs because version reported is incorrect and post installation version on the machine still doesn't match with version reported by the server.
Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions
Impact:
Installation and update of web browser plugin for network access fails
613912 : SSID filter may cause excessive buffering and high CPU
Component: Local Traffic Manager
Symptoms:
CPU usage increases with excessive buffering of significant amount of data.
Conditions:
High CPU with huge amount of data buffered up, and SSL persistence is in use.
Impact:
Can slow down the system.
Workaround:
None.
613618-3 : The TMM crashes in the websso plugin.
Component: Local Traffic Manager
Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.
Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.
Impact:
Traffic disrupted while tmm restarts.
613415-5 : Memory leak in ospfd when distribute-list is used
Solution Article: K22750357
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
613095 : Text Description in Edge client UI may be clipped in sme languages
Component: Access Policy Manager
Symptoms:
Text strings in Edge client UI may be clipped in some languages as the width of UI control is not large enough to accommodate some strings translated to a non-English language.
Conditions:
This can be seen in the Edge client using the French translation.
Impact:
Usability impact. Cannot see complete description.
Workaround:
None.
613088-2 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured with VIPRION chassis
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
613079-1 : Diameter monitor watchdog timeout fires after only 3 seconds
Component: Local Traffic Manager
Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.
Conditions:
A Diameter monitor must be configured.
Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.
Workaround:
None.
613045-2 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager (DNS)
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
612086-1 : Virtual server CPU stats can be above 100%
Solution Article: K32857340
Component: Advanced Firewall Manager
Symptoms:
The CPU usage is reported as above 100%.
Conditions:
It is not known exactly what triggers this.
Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.
Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.
611691-2 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
611669-3 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.
Workaround:
run following command on Terminal and re-launch Edge client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For spanish
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese traditional
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese simplified
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
611485-6 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★
Component: Access Policy Manager
Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.
Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.
Impact:
Support for AAA RADIUS direct IPV6 is added in BIG-IP version 13.0.0. And the new validation affects only IPv6 multicast address. So any working IPv4 configuration will not be affected by this validation.
Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS, ensure you are using unicast addresses.
611161-2 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Solution Article: K28540353
Component: Local Traffic Manager
Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.
Impact:
There are very rare situations in which failsafe triggers but it should have not.
Workaround:
None.
611154-3 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
An iRule (or other non-ASM module) that adds or delete the server headers. Especially if it touches the Set-Cookies header
Impact:
Failover, traffic disrupted while TMM restarts.
Workaround:
No workaround at this time.
611054-4 : Network failover "enable" setting is sometimes ignored on chassis systems
Component: TMOS
Symptoms:
The failover device group network-failover attribute has an effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".
Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.
Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.
Workaround:
Enable network-failover in the sync-failover device-group.
610302-3 : Link throughput graphs might be incorrect.
Component: Local Traffic Manager
Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.
Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.
For example, there are two links defined and named "mylink" and "mylink2".
Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.
For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"
As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.
Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.
609772-2 : Tilde character does not work on GET requests via iControl REST
Component: TMOS
Symptoms:
When issuing an iControl REST GET request to a URL that contains a tilde (~), for example when specifying a folder, the REST call will return an error.
Conditions:
This occurs when performing an iControl REST GET request to any URL that contains contains a tilde character in the path name.
Impact:
iControl REST will respond with an error.
Workaround:
None.
609402 : When upgrading from v10.2.4 to v11.5.x or v11.6.x, with fallback set to null in a wideip pool, the new pool will have fallback-ipv4 set to any6.★
Solution Article: K59134660
Component: Global Traffic Manager (DNS)
Symptoms:
When upgrading from v10.2.4 to v11.5.x or v11.6.x, with fallback set to null in a wideip pool, the new pool will have fallback-ipv4 set to any6.
Conditions:
-- Upgrading from v10.2.4 to v11.5.x or v11.6.x.
-- Fallback set to null in a wideip pool.
Impact:
The fallback-ipv4 is incorrectly set to an IPv6 address rather than an IPv4 address.
Workaround:
The only workaround is to set Fallback to a different value before upgrading, and then set back after upgrade is complete.
609244-7 : tmsh show ltm persistence persist-records leaks memory
Component: Local Traffic Manager
Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.
Conditions:
This occurs when running tmsh show ltm persistence persist-records.
Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.
Workaround:
None.
609199-2 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
Component: Local Traffic Manager
Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.
Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP.
609186-1 : TMM or MCP might core while getting connections via iControl.
Component: TMOS
Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.
Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.
Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.
Workaround:
None.
609119-3 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
Component: TMOS
Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:
-- err mcpd[19114]: 01070711:3:
For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.
Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.
Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.
Workaround:
None. The problem corrects automatically when the system rewrites the log.
609107-3 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
Component: TMOS
Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.
Conditions:
A folder is removed from a previously valid configuration file.
Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.
Workaround:
Do not remove folders from the configuration file.
608991-2 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
Component: Local Traffic Manager
Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.
Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.
Workaround:
There is no workaround
608348-1 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
Component: TMOS
Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.
Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.
Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.
Impact:
Config validation fails, and you must delete the tunnel manually.
Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
607961-5 : Secondary blades restart when modifying a virtual server's route domain in a different partition.
Component: TMOS
Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).
Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.
Impact:
Traffic disrupted while secondary blades restart.
Workaround:
None.
607360-3 : Safenet 6.2 library missing after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.
Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.
Impact:
Safenet 6.2 is not functional.
Workaround:
Reinstall Safenet 6.2. Or,
run this command at all blades of BIG-IP after the installation.
ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so
607246-1 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
Component: Local Traffic Manager
Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile
Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.
Impact:
Persistence fails after fallback expired.
Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.
607166-4 : Hidden directories and files are not synchronized to secondary blades
Component: Local Traffic Manager
Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.
Existing hidden files that are edited on the primary blade are not synced to secondaries.
Conditions:
Multi-bladed system.
Impact:
The most common uses of hidden files are per-user shell configuration and history.
Workaround:
Manually copy configuration files onto other blades.
606799-4 : GUI total number of records not correctly initialized with search string on several pages.
Solution Article: K16703796
Component: TMOS
Symptoms:
GUI total number of records not correctly initialized with search string on several pages.
Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.
Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.
Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.
606330-1 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
Component: TMOS
Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.
Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.
Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.
Workaround:
Clear the BGP neighbor after changing the configuration.
605840-1 : HSB receive failure lockup due to unreceived loopback packets
Component: TMOS
Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***
Conditions:
Unknown.
Impact:
The unit is rebooted.
Workaround:
None.
605800-1 : Web GUI submits changes to multiple pool members as separate transactions
Component: TMOS
Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.
Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.
Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.
Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.
605792-5 : Installing a new version changes the ownership of administrative users' files★
Component: TMOS
Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.
Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.
605775 : Config sync fails after creating local user matching previously logged in remote user
Component: TMOS
Symptoms:
After a remote user logs in to a BIG-IP system that is a member of an HA group, if a local user account is created with a name that matches the remote user, config sync fails attempting to sync the local user account to other devices in the HA group.
Conditions:
1. A remotely authenticated user logs in to a BIG-IP HA member.
2. An administrator user creates a local user account on the same BIG-IP HA member with a name that matches the previously logged-in remote user.
This problem has been observed using TACACS remote authentication, but is expected to occur with other remote authentication methods as well.
Impact:
Unable to sync device groups.
Workaround:
1. To avoid this error, create the local user on a different HA member, where the remote user has not previously logged in.
2. To recover from this error:
(a) Delete the newly-created local user from the same HA member where it was created:
tmsh del auth user <new-local-user-name>
(b) Save current config:
tmsh save sys config file <recovery-config-filename.scf>
(c) Recover the device group sync status:
tmsh run cm config-sync recover-sync
(d) Restore the saved config:
tmsh load sys config file <recovery-config-filename.scf>
605649-5 : The cbrd daemon runs at 100% CPU utilization
Solution Article: K28782793
Component: Application Security Manager
Symptoms:
The cbrd daemon runs at 100% CPU utilization.
You may notice this issue while inspecting:
- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.
Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.
Conditions:
This is a rarely occurring event whose cause is not known.
Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).
Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd
As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.
605616-4 : Creating 256 Fundamental Security policies will result in an out of memory error
Component: Application Security Manager
Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.
Conditions:
Create 256 fundamental security policies.
Impact:
Out of memory error.
Workaround:
None.
605175-2 : Backslashes in monitor send and receive strings
Component: Local Traffic Manager
Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:
01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.
Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.
Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.
Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.
Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.
604923-2 : REST id for Signatures change after update
Component: Application Security Manager
Symptoms:
The REST id of existing signatures are unexpectedly modified after updating a User Defined Signature, or downloading an Attack Signature Update that modifies existing signatures.
Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.
Impact:
The REST id of the modified signatures is changed which may confuse REST clients.
Workaround:
Execution of the following script will repair an affected device:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'
604893-1 : ComplexType child elements in XML schema cannot have different values set in "fixed" attribute
Component: Application Security Manager
Symptoms:
Within the XML schema definition, multiple child elements under a ComplexType cannot have different values set in "fixed" attribute.
Conditions:
Multiple child elements under a ComplexType in an XML schema are defined with different values set in "fixed" attribute.
Impact:
Subsequent elements are validated incorrectly with the initial element's definition.
Workaround:
Remove "fixed" attribute for subsequent elements in schema definition.
604549-2 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
Component: Local Traffic Manager
Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP will not process the DATA_ACK and will not shutdown the connection properly as it thinks there is still outstanding data to be acknowledged.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.
Impact:
The connection is not closed properly and eventually times out.
603380-3 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
Component: Local Traffic Manager
Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.
Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.
Impact:
You will see messages similar to the following in /var/log/ltm.
err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort
Workaround:
None.
603293-2 : Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs
Component: Access Policy Manager
Symptoms:
L4 Dynamic ACL is not applied to incoming traffic when assigned in combination with L7 ACL.
Conditions:
APM supports a combination of L7 ACL and L4 ACL to be assigned to one session. When L7 ACLs are assigned with higher priority than L4 ACLs, the processing of L4 ACLs is automatically deferred until L7 information is available. The issue here is that when none of L7 ACLs with higher priority match with the traffic, L4 ACL is incorrectly marked to be applied only to HTTP traffic. Therefore if the incoming traffic is not HTTP, for example, HTTPS, then this particular dynamic L4 ACL is bypassed.
Impact:
L4 Dynamic ACL is not applied correctly.
Workaround:
Reorder L4 ACLs with higher priority than L7 ACLs, if possible, or to prevent the issue from occurring, avoid assigning L7 ACLs if not needed.
603236-3 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
Component: Local Traffic Manager
Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.
Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.
Impact:
Cannot create 1024 or 4096 size RSA keys.
Workaround:
None.
603092-2 : "displayservicenames" does not apply to show ltm pool members
Component: TMOS
Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.
Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.
Impact:
The the IP address but not the service name is displayed.
602566-3 : sod daemon may crash during start-up
Component: TMOS
Symptoms:
sod daemon produces core file during start-up
Conditions:
sod encounters an error during start-up and attempts to recover.
Impact:
sod restarts
602366-3 : Safenet 6.2 HA performance
Component: Local Traffic Manager
Symptoms:
With Safenet 6.2 HA setup, you only sees the performance of one HSM.
Conditions:
Safenet 6.2 client is installed and Safenet HA is used.
Impact:
Only one HSM is used for the HA setup.
Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>
Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable
Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test
602329-2 : syncookie header of HA channel mirror packets is not cleared
Component: Local Traffic Manager
Symptoms:
You notice that L7 connections on the standby unit are increasing and may not be cleared until the tcp timeout.
Conditions:
This can occur when using mirroring when syn cookies are enabled. It is more severe with hardware syn cookies but still occurs with software syn cookies.
Impact:
Connections increase unnecessarily on the standby unit.
Workaround:
Although it does not completely clear the condition, you can disable hardware syncookies to work around this problem.
In tmsh:
modify /ltm profile tcp <profile_name> hardware-syn-cookie disable
602326-2 : Intermittent pkcs11d core when installing Safenet 6.2 software
Component: Local Traffic Manager
Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service.
Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d receives message.
Impact:
pkcs11d may core intermittently.
Workaround:
pkcs11d may automatically restart without intervention.
602193-1 : iControl REST call to get certificate fails if
Component: TMOS
Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.
Conditions:
This can occur if any of the certificates contain non utf-8 characters.
Impact:
iControl REST API call will fail.
Workaround:
If possible, generate the certificate to only contain utf-8 characters.
602136-2 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
Component: Local Traffic Manager
Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.
Conditions:
Client-side iRule that drops a connection.
Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
601536-5 : Analytics load error stops load of configuration★
Component: Application Visibility and Reporting
Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.
Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.
Impact:
Configuration fails to load, will not pass traffic.
Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.
601414-3 : Combined use of session and table irule commands can result in intermittent session lookup failures
Component: TMOS
Symptoms:
[session lookup] commands do not return the expected result.
Conditions:
An iRule which combines use of [table] and [session lookup] commands.
Impact:
Intermittent session functionality.
Workaround:
If possible, use table commands in lieu of session commands.
601220 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force offline/release offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide force-offline/release-offline event occurs.
Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.
Note: This is not an F5 specific problem. It occurs on every stack switch hardware under these conditions.
Workaround:
There is no workaround.
601189-1 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packet are sent out of order.
Workaround:
None.
601180-3 : Link Controller base license does not allow DNS namespace iRule commands.★
Solution Article: K73505027
Component: Global Traffic Manager (DNS)
Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.
Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.
Impact:
An administrator cannot add DNS namespace commands to an iRule. Cannot upgrade from a pre-11.5 configuration, where the commands were working, to 11.5.4 through 12.1.2.
Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.
601178-4 : HTTP cookie persistence 'preferred' encryption
Component: Local Traffic Manager
Symptoms:
When encryption is 'preferred' in the http cookie persistence profile, when the client presents a plain-text route domain formatted cookie the BIG-IP will ignore the cookie and re-load balance the connection.
Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.
Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.
600944-4 : tmsh does not reset route domain to 0 after cd /Common and loading bash
Component: TMOS
Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common' and run bash then run 'ip route', the routing table from the partition is displayed, not /Common
Conditions:
Attempting to see the route table from the /Common partition after leaving another parition
Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.
Workaround:
Quit tmsh and restart.
600593-5 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
Component: Local Traffic Manager
Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.
Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.
Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.
Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:
when HTTP_PROXY_REQUEST {
if { [HTTP::method] equals "CONNECT" } {
ONECONNECT::reuse disable
}
else {
ONECONNECT::reuse enable
}
}
600431-3 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP
Component: Service Provider
Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'
Conditions:
iRule that extracts ip address from a diameter avp.
Impact:
The iRule ends with an error.
Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]
use an iRule such as
if { [DIAMETER::avp count 257] > 0 } {
set data [DIAMETER::avp data get 257]
binary scan $data S family
switch $family {
1 {
# ipv4 should contains 4 bytes
set ip [IP::addr parse -ipv4 $data 2]
log local0. "ip = $ip"
}
2 {
# ipv6 should contains 16 bytes
set ip [IP::addr parse -ipv6 $data 2]
log local0. "ip = $ip"
}
default {
log local0.alert "address family $family is not supported"
}
}
}
600385-3 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
Solution Article: K43295141
Component: Local Traffic Manager
Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value be larger than the timeout value.
Conditions:
Setting interval value to be larger than the timeout value.
Impact:
The misconfigured monitor setting might result in unexpected monitor behavior.
Workaround:
Set the interval value lower than the timeout value.
598707-3 : Path MTU does not work in self-IP flows
Component: Local Traffic Manager
Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.
Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)
Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.
598650-3 : apache-ssl-cert objects do not support certificate bundles
Component: TMOS
Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.
Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.
598498-6 : Cannot remove Self IP when an unrelated static ARP entry exists.
Component: TMOS
Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.
Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.
Impact:
Must delete static ARP entries in order to delete Self IP addresses.
Workaround:
None.
598289-1 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
Component: TMOS
Symptoms:
In TMSH, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.
Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>
Impact:
TMSH fails to load system configuration file
Workaround:
None.
598204-2 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Solution Article: K54284420
Component: Local Traffic Manager
Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.
Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.
Workaround:
None.
597879-4 : CDG Congestion Control can lead to instability
Component: Local Traffic Manager
Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.
Conditions:
Running the Debug TMM with CDG Congestion Control.
Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.
Workaround:
Use a congestion control algorithm other than CDG.
Switch to the default TMM.
597729-2 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:
1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
597532-3 : iRule: RADIUS avp command returns a signed integer
Component: Local Traffic Manager
Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.
Conditions:
iRules using RADIUS::avp to retrieve data.
Impact:
iRules using the RADIUS::avp command will not work as expected.
Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:
ltm rule radius_avp_integer {
when CLIENT_DATA {
set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
}
}
Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.
596826-1 : Don't set the mirroring address to a floating self IP address
Component: TMOS
Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address
It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.
Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.
Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".
Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.
For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478
596815-2 : System DNS nameserver and search order configuration does not always sync to peers
Component: TMOS
Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.
Conditions:
The device is in a failover device group with incremental sync turned on.
In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.
In tmsh, tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search)
Impact:
Modifications will not change the sync status nor sync the change to peers.
Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.
Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.
596067-1 : GUI on VIPRION hangs on secondary blade reboot
Component: TMOS
Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.
Conditions:
It is not known exactly triggers this as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) has not fully started will trigger this condition.
Impact:
GUI becomes unresponsive
Workaround:
bigstart restart httpd will clear this condition if it occurs.
596020-1 : Devices in a device-group may report out-of-sync after one of the devices is rebooted
Component: TMOS
Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.
As a result of this issue, you may encounter the following symptoms:
- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.
Conditions:
This issue occurs when all of the following conditions are met:
- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.
Impact:
After the reboot, the devices report out-of-sync.
Note: This issue is purely cosmetic; no configuration is lost as result of this issue.
Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.
Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.
595921-3 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Component: Local Traffic Manager
Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.
Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.
Workaround:
Use a Self IP address on the VLAN group.
595868 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
Component: TMOS
Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.
Conditions:
It is not known what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
595854 : An incorrect MSS can be sent in client SYN/ACK packet for an accelerated connection
Component: Local Traffic Manager
Symptoms:
A client may receive an incorrect MSS value in the SYN/ACK packet for a connection that is hardware accelerated and the flow is accelerated during TCP three way handshake.
Conditions:
A fastl4 profile with Offload State set to SYN.
This affects all platforms and versions of BIG-IP with HSB/ePVA hardware acceleration.
Impact:
BIG-IP advertises an MSS value that might be too large. This may cause problems if the server receives a packet that exceeds its MSS.
Workaround:
Configure the fastl4 profile's Offload State to EST.
595317-5 : Forwarding address for Type 7 in ospfv3 is not updated in the database
Component: TMOS
Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed
Conditions:
remove the global address on the forwarding interface
Impact:
the packets will be sent to an incorrect interface.
Workaround:
clear ipv6 ospf process
595293-2 : Deleting GTM links could cause gtm_add to fail on new devices.
Component: Global Traffic Manager (DNS)
Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted
Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Workaround:
None
594751-5 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
Solution Article: K90535529
Component: Local Traffic Manager
Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.
Conditions:
1. LLDP is enabled globally and per interface.
2. Interfaces are added to a trunk after it has already been assigned to a VLAN.
For instance, assume the following protocol were followed for creating an LLDP trunk:
tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }
The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.
Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.
Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.
If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd
594647-1 : No iControl functions to get and set master key.
Component: TMOS
Symptoms:
No iControl functions to get and set master key.
Conditions:
Using iControl with master key.
Impact:
Cannot get or set master key.
Workaround:
There is no iControl workaround.
594228 : Resetting mgmt interface statistics doesn't work on VE or VCMP
Component: TMOS
Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.
Conditions:
Only on VE or VCMP
Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.
594064-3 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
593536-3 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".
Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.
Impact:
BIG-IP incorrectly reports configuration is in-sync, despite the fact that it is not in sync. All sorts of failures or odd behavior or traffic impact can result from this.
Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.
593530-3 : In rare cases, connections may fail to expire
Component: Local Traffic Manager
Symptoms:
Connections have an idle timeout of 4294967295 seconds.
Conditions:
Any IP (ipother) profile is assigned to virtual server.
Impact:
Connections may linger.
Workaround:
None.
593396-4 : Stateless virtual servers may not work correctly with route pools or ECMP routes
Component: Local Traffic Manager
Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.
Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.
Impact:
Traffic might be dropped.
Workaround:
Use other virtual server types to process this traffic.
592620-4 : iRule validation does not catch incorrect 'after' syntax
Component: Local Traffic Manager
Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.
Conditions:
iRule with incorrect 'after' syntax. For example "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen)
Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.
Workaround:
Correct the syntax error.
592497-3 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
Component: Local Traffic Manager
Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.
Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.
Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.
Workaround:
None.
592194-1 : Rarely, an HSB transmitter failure occurs
Component: TMOS
Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.
Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.
Impact:
Reboot of the unit.
Workaround:
None.
591733-1 : Save on Auto-Sync is missing from the configuration utility.
Solution Article: K83175883
Component: TMOS
Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.
Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.
Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.
Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.
591732 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
591705-2 : Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help.
Solution Article: K14861154
Component: Global Traffic Manager (DNS)
Symptoms:
Domain-name-strict has been deprecated. The default is now domain-name-check allow-underscore.
Upon loading a pre-existing configuration file, the following warning message will be logged in /var/log/ltm:
-- Warning generated : value strict is deprecated. Forcing to allow-underscore.
-- Configuration warning: value strict is deprecated. Forcing to allow-underscore.
Upon loading a pre-existing configuration file, a warning will also be displayed in the console:
value strict is deprecated. Forcing to allow-underscore.
Conditions:
Loading a pre-existing configuration file containing domain-name-strict.
Impact:
Although warnings are posted, the files are still loaded.
However, GUI, GUI OLH, and TMSH CLI help have 'strict' as an option, and which is not accurate.
Workaround:
Do not use the 'strict' options, even though they are listed.
591104-4 : ospfd cores due to an incorrect debug statement.
Component: TMOS
Symptoms:
ospfd cores due to an incorrect debug statement.
Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.
Impact:
ospfd might crash, interrupting dynamic routing.
Workaround:
Do not enable debugging in ospf that includes 'route ase'.
590938-1 : The CMI rsync daemon may fail to start
Component: TMOS
Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.
Conditions:
The rsync daemon failed unexpectedly.
Impact:
Sync of file objects will fail with an error like this:
01070712:3: Caught configuration exception (0), Failed to sync files...
Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.
590904-4 : New HA Pair created using serial cable failover only will remain Active/Active
Component: TMOS
Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.
Conditions:
Create a new sync-failover device-group without enabling network failover.
Impact:
Both device in the HA pair will be Active, which is unlikely to pass traffic successfully.
Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.
590851-1 : "never log" IPs are still reported to AVR
Component: Application Security Manager
Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag
Conditions:
Always
Impact:
Extra, unwanted logging for IP addresses flagged as "never log"
Workaround:
N/A
590156-1 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Component: Local Traffic Manager
Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.
Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server
Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)
590091-3 : Single-line Via headers separated by single comma result in first character second header being stripped.
Solution Article: K79075081
Component: Service Provider
Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').
Conditions:
Multiple Via headers on single-line separated by a single comma (',').
Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.
Workaround:
None.
589862-3 : HA Grioup percent-up display value is truncated, not rounded
Component: TMOS
Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.
Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.
Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.
589199 : CoS queue egress drop counts not reported in all drop counter stats.
Component: TMOS
Symptoms:
CoS queue egress packet drop counts are not exposed in the 'Drops' column for 'tmsh show net interface' for B2250, B4300 and 1x000 platforms. The CoS queue egress packet drop counts are however correctly reported via the 'drop_reason' and 'interface_stat' tmstat counters.
Conditions:
This occurs on B2250 and B4300 blades and on 1x000 platforms.
Impact:
CoS queue egress packet drop counts are not exposed via net interface reports, but are reported correctly via tmstat counters.
Workaround:
CoS queue egress packet drop counts can be viewed in tmsh using the following counters:
-- tmctl interface_stat.
-- tmctl drop_reason.
589118-2 : Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.
Solution Article: K81314569
Component: Access Policy Manager
Symptoms:
If APM is configured as PCoIP proxy against Horizon 7 VCS, the Horizon View client fails to retrieve the list of entitlements with an exception written in its logs.
Conditions:
APM as PCoIP proxy for Horizon 7 View Connection Server.
Impact:
Horizon View client cannot be used with APM to access Horizon 7.
Workaround:
You can use the following iRule to update the broker protocol version returned by APM to be 11.0 instead of 9.0.
when HTTP_REQUEST {
if { [HTTP::header "Origin"] ne "" } {
HTTP::header remove "Origin"
}
if { [ HTTP::method ] == "POST" && [ HTTP::uri ] == "/broker/xml" } {
set BROKER_REQUEST 1
HTTP::collect [HTTP::header Content-Length]
}
}
when HTTP_REQUEST_DATA {
if { [ info exists BROKER_REQUEST ] && [ regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload] ] } {
HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
}
}
when HTTP_RESPONSE {
if { ! [ IP::addr [ IP::remote_addr ] equals 127.0.0.0/8 ] } { return }
set BROKER_RESPONSE 1
set content_length 0
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
# Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
when HTTP_RESPONSE_DATA {
if { ! [ info exists BROKER_REQUEST ] || ! [ info exists BROKER_RESPONSE ] } { return }
regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
HTTP::payload replace 0 [HTTP::payload length] $payload
HTTP::release
}
589006-6 : SSL does not cancel pending sign request before the handshake times out or is canceled.
Component: Local Traffic Manager
Symptoms:
When TMM has many SSL handshake, for ephemeral key, SSL does not sign for ServerKeyExchange message. Then it is possible that sign request is pending on crypto SSL queue. Even the handshake is timeout or canceled, the sign request is still in the queue. This might cause memory accumulation.
Conditions:
When TMM has many SSL handshake, for ephemeral key, SSL should sign for ServerKeyExchange message.
Impact:
Even if the handshake times out or canceled, the sign request is still in the queue. This might cause memory accumulation.
Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.
Workaround:
None.
588946 : BIG-IP v11.5.4 successfully installs on 12250v platform but is not supported.
Solution Article: K72351284
Component: TMOS
Symptoms:
You can install v11.5.4 on the 12250v platform, but are unable to license BIG-IP. This is because v11.5.4 is not supported on the 12250v platform.
Conditions:
Install BIG-IP v11.5.4 on a 12250v platform.
Impact:
BIG-IP v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license BIG-IP system.
Workaround:
Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.
588646-4 : Use of Standard access list remarks in imish may causes later entries to fail on add
Component: TMOS
Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.
Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny a IP/range.
Impact:
The ACL does not load and error is returned.
Workaround:
No not use remarks in standard access lists or use an access list in the extended or named ranges.
588289-5 : GTM is Re-ordering pools when adding pool including order designation
Component: Global Traffic Manager (DNS)
Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.
Conditions:
This occurs when adding pools with a specified order.
Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.
588229-3 : DNS protocol default profiles can be deleted after being modified.
Component: Global Traffic Manager (DNS)
Symptoms:
A protocol default profile can be deleted in some cases.
Conditions:
The protocol default profile is not a parent to any other profile and has been modified.
Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.
Workaround:
Do not attempt to delete a protocol default profile.
587821-4 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Solution Article: K91818030
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
587698-1 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Component: TMOS
Symptoms:
bgpd daemon crashes
Conditions:
bgp extended-asm-cap is configured before configuring
ip extcommunity-list standard with rt and soo fields.
Impact:
bgpd daemon crashes leading to route loss and traffic loss.
587668-4 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
Component: TMOS
Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.
Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.
Impact:
Cannot clear the alert using the LCD.
Workaround:
Press the checkmark button followed by the left or right arrow buttons.
587656-4 : GTM auto discovery problem with EHF for ID574052
Component: Global Traffic Manager (DNS)
Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Conditions:
After applying EHF9-685.88-ENG
Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG
587457-1 : REST API does not allow modification of AFM address list
Component: TMOS
Symptoms:
You are unable to modify an existing address list with an API call. You can only overwrite the whole list.
Conditions:
You wish to modify an existing AFM address list using the REST API
Impact:
The only option is to replace the entire list.
586938-3 : Standby device will respond to the ARP of the SCTP multihoming alternate address
Solution Article: K57360106
Component: TMOS
Symptoms:
When there is a SCTP connection established, the router will request the ARP for the client-side multi-homing alternate address, but the standby device will reply to the ARP request as well.
Conditions:
When an SCTP profile has at least one alternate-address configured, and is used in an high availability (HA) scenario, this issue will manifest.
Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function will fail as the alternate connection cannot established on the standby device.
Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.
586621-2 : SQL monitors 'count' config value does not work as expected.
Solution Article: K36008344
Component: Local Traffic Manager
Symptoms:
SQL monitors 'count' config value does not work as expected.
Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.
Impact:
SQL monitor might use a 'count' value that is incorrect.
Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.
586348-3 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink
Component: TMOS
Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.
Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.
Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.
586138-2 : Inconsistent display of route-domain information in administrative partitions.
Solution Article: K84112154
Component: Local Traffic Manager
Symptoms:
When IpAddress is displayed in GUI and TMSH, there exists some inconsistencies on how the route-domain of the address is displayed. This occurs for virtual servers and pool members.
Conditions:
IpAddresses configured for virtual servers and pool members outside the default-route-domain of the administrative partition.
Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.
Workaround:
None.
586080 : APM attempts to launch VMware View Linux Desktop from the webtop using HTML5 client which is not supported
Component: Access Policy Manager
Symptoms:
VMware View Linux Desktops have been introduced along with the newer HTML5 client which is not supported with BIG-IP APM 11.5.x.
However, if user gets entitled to a Linux Desktop when logging in to the APM webtop, they may attempt to launch it and APM will unsuccessfully try to use HTML5 client for it.
Conditions:
APM webtop configured for PCoIP Proxy case and VMware View Linux Desktop host assigned to the user.
Impact:
User may be confused being shown a desktop they cannot access.
Workaround:
Do not attempt to connect to Linux Desktops hosts as they are not supported in 11.5.x versions.
585097-4 : Traffic Group score formula does not result in unique values.
Component: TMOS
Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.
Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.
The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.
Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.
Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.
584948-4 : Safenet HSM integration failing after it completes.
Component: Local Traffic Manager
Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:
denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.
Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.
The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.
Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.
Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.
For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.
584865-2 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
Component: Local Traffic Manager
Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.
Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.
Impact:
Configuration and status may not be kept properly in sync between blades.
584788-3 : Directed failover of HA pair using only hardwire failover will fail
Component: TMOS
Symptoms:
Units configured in a HA pair using only hardwire failover will not be able to use a targeted failover.
Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the 2 following methods:
Via GUI
Device Management -> Traffic Groups
check <traffic group>
click "force to standby"
again click "force to standby"
via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>
Impact:
Failover may fail with the following logs in /var/log/ltm
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.
Workaround:
Use an alternative failover method:
- Device Management > Devices > Force to Standby
- Device Management > Traffic Groups > [traffic Group name] > Force to Standby
- tmsh run sys failover standby # without device
584772-2 : ssldump may crash when decrypting bad records
Component: Local Traffic Manager
Symptoms:
ssldump crashes while decrypting.
Conditions:
Using ssldump to decrypt SSL which contains bad records.
Impact:
ssldump crashes making it difficult to decrypt SSL data.
583777-1 : [TMSH] sys crypto cert missing tab completion function
Solution Article: K33230520
Component: TMOS
Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the certificate name that you want to operate.
Conditions:
This occurs in tmsh:
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
Impact:
Not possible to select a certificate using tab complete.
Workaround:
Manually type the certificate name.
583754-4 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
Component: TMOS
Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.
Conditions:
TMM must be down.
Impact:
Non-obvious / unhelpful error message is generated, leading to confusion.
Workaround:
N/A
583700-4 : tmm core on out of memory
Component: Local Traffic Manager
Symptoms:
tmm memory increases quickly, then crashes on out of memory condition
Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.
Impact:
Traffic disrupted while tmm restarts.
583477 : In Multidomain SSO, primary auth virtual may fail as a resource
Component: Access Policy Manager
Symptoms:
Multidomain SSO use case with two virtuals: vs1 and vs2. Both virtuals are configured as APM+LTM pools. vs1 is designed as the primary auth virtual
The expected result is that users can access resources on both virtuals. If they have not yet authenticated, they will be redirected to vs1 to authenticate.
The reported result was that sometimes an already authenticated user would be able to access the resources on vs2. But their cookie would be rejected by vs1, and they would be asked to authenticate again.
Conditions:
It is not known what conditions cause this to occur.
Impact:
Users may be asked to re-authenticate, even though they just did so.
Workaround:
Use an independent auth virtual that is not also a resource.
583475-3 : The BIG-IP may core while recompiling LTM policies
Component: TMOS
Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.
Conditions:
Creating or modifying LTM policies.
Impact:
The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality.
Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.
583084-3 : iControl produces 404 error while creating records successfully
Solution Article: K15101680
Component: TMOS
Symptoms:
iControl produces 404 error while creating gtm topology record successfully.
Conditions:
Creating gtm topology record without using full path via iControl.
Impact:
Result code/information is not compatible with actual result.
Workaround:
Use full path while creating gtm topology record using iControl.
582595-1 : default-node-monitor is reset to none for HA configuration.
Solution Article: K52029952
Component: TMOS
Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.
Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
* ltm node with a monitor.
* ltm default-node-monitor with a different monitor.
Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.
Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.
Workaround:
Reconfigure a default-node-monitor.
582234-3 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Component: Local Traffic Manager
Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it
Impact:
Monitoring does not resume when pool member is re-enabled via config merge.
Workaround:
You can re-enable monitoring by running the following commands:
tmsh save sys config
tmsh load sys config
582207-6 : MSS may exceed MTU when using HW syncookies
Component: Local Traffic Manager
Symptoms:
Packets larger than the interface's MTU can be transmitted.
Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.
Impact:
Potential packet loss.
Workaround:
Disable HW syncookie mode.
582084-4 : BWC policy in device sync groups.
Component: TMOS
Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.
Conditions:
If BWC policy is created both in global sync and local.
Impact:
Configuration error, BWC policies will not be synced due to errors.
Workaround:
Ensure that BWC policy is in global sync only.
582003-3 : BD crash on startup or on XML configuration change
Component: Application Security Manager
Symptoms:
BD crash.
out of memory XML message in the bd.log.
The BD doesn't startup and keeps crashing upon startup.
Conditions:
Many XML profiles and relatively large XML configuration.
Impact:
ASM down, machine is offline.
Workaround:
Increase the XML available memory.
581865 : 6900, 8900, 8950, or 11050 platforms missing swap storage★
Solution Article: K11053914
Component: TMOS
Symptoms:
No swap is available; observable via 'cat /proc/swaps'.
Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.
Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.
Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.
581851-5 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
Component: TMOS
Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.
Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
+ err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
+ err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.
Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.
Workaround:
None.
581840-2 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Solution Article: K46576869
Component: Device Management
Symptoms:
If trying to manage a BIG-IP version 11.6.1 or 11.6.1 HF1 with an administrator account named other than “admin”, this can fail.
Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1HF1 system with a different account than “admin”.
Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.
580832 : mcpd core during config push from Enterprise Manager
Component: TMOS
Symptoms:
During a config push from EM to BIG-IP, mcpd and chmand core.
Conditions:
It is not known what triggers this, but it was seen during a config push of over 100 users from Enterprise Manager to an HA pair.
Impact:
mcpd cores, system restart.
580225-4 : WEBSSO::select may crash tmm.
Solution Article: K24604331
Component: Access Policy Manager
Symptoms:
The WEBSSO::select iRule command can cause TMM to crash if no arguments are passed in.
Conditions:
This occurs the command is used with no arguments.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
See the following DevCentral page related to WEBSSO::select - https://devcentral.f5.com/wiki/irules.websso__select.ashx
579694-3 : Monitors may create invalid configuration files
Component: TMOS
Symptoms:
Under certain conditions monitors created or edited in the GUI may save an invalid configuration to disk, causing errors when the configuration is reloaded.
Conditions:
Using the GUI to create/edit monitors.
Impact:
tmsh load sys config will fail.
Workaround:
Use tmsh to create or edit monitors.
If your configuration file already has an offending backlash, please manually remove the backlash.
579252-1 : Traffic can be directed to a less specific virtual during virtual modification
Component: Local Traffic Manager
Symptoms:
Traffic can be directed to an less specific virtual during virtual modification. It could also be dropped if there is no less specific virtual server.
Conditions:
net self external-ipv4 {
address 10.124.0.19/16
traffic-group traffic-group-local-only
vlan external
}
net self internal-ipv4 {
address 10.125.0.19/16
traffic-group traffic-group-local-only
vlan internal
}
ltm pool redirect-echo {
members { 10.125.0.17:7 }
}
ltm virtual fw {
description "less-specific virtual"
destination 10.125.0.0:any
ip-forward
mask 255.255.255.0
profiles { fastL4 }
translate-address disabled
translate-port disabled
vlans-disabled
}
ltm virtual redirect-echo {
description "enable/disable this one"
destination 10.125.0.20:echo
ip-protocol udp
mask 255.255.255.255
pool redirect-echo
profiles { udp }
vlans { external }
vlans-enabled
}
Impact:
Traffic can be directed to less specific virtual server
Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.
579035-1 : Config sync error when a key with passphrase is converted into FIPS.
Solution Article: K46145454
Component: TMOS
Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.
Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.
Impact:
Config sync will fail.
Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720
578971-4 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
Component: Local Traffic Manager
Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:
"Slot 1 suffered heartbeat timeout ..."
This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.
Conditions:
Mcpd is restarted on a blade.
Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.
Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.
578551-1 : bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
Component: TMOS
Symptoms:
network 0.0.0.0/0 route-map Default is missing in bgp after a restart/reboot
Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp
Impact:
The bgp doesn't have the same configuration after a restart/reboot. persistence of bgp protocol is not maintained leading to unexpected behavior of bgp
577440-3 : audit logs may show connection to hagel.mnet
Component: TMOS
Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet
The request is properly delivered to the correct host but contains a badly addressed host header that is ignored.
If the authorization fails for the icontrol query then the audit log will contain this destination information which may be confusing.
Conditions:
Setting up device trust exercises this code path.
Impact:
No impact to functionality but is confusing for log interpretation.
Workaround:
There is not workaround
576350-3 : External input from client doesn't pass to policy agent if it is not the first in the chain.
Solution Article: K32581271
Component: Access Policy Manager
Symptoms:
When client gets authenticated, and then the session is deleted (times out or is manually deleted from memcache), the browser still has its authorization token.
If client refreshes the page, the browser passes the existing 'authorization' token, which gets deleted by the agent processing the existing task (a message box, in this case) for the targeted agent (HTTP_401_Response agent, in this case).
Conditions:
When a logon page is not the first agent in the access policy chain and it gets a pre-authenticated token from browser.
Impact:
Although client (browser) sends the pre-authenticated token, the browser still posts a challenge for credential (pop up window). This is unnecessary and should not occur.
Workaround:
None.
576123-1 : ASM policies are created as inactive policies on the peer device
Solution Article: K23221623
Component: Application Security Manager
Symptoms:
ASM policies are created as inactive policies on the peer device.
Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.
Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.
Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.
575848-3 : Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.
Solution Article: K03803451
Component: TMOS
Symptoms:
Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.
Conditions:
SNAT object on a ePVA capable platform.
Impact:
Some traffic-related statistics (pkts/bytes in/out) are not updated.
Workaround:
To get these statistics, convert the global SNAT to an appropriate virtual server.
575368-1 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
Component: TMOS
Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted that the FIPS keys in the configuration that are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.
Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.
575347-3 : Unexpected backslashes remain in monitor 'username' attribute after upgrade
Component: Local Traffic Manager
Symptoms:
The monitor 'username' attribute contains unexpected backslashes.
Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').
Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.
Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.
575176-4 : Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
Component: TMOS
Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.
Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.
Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.
575170-6 : Analytics reports may not identify virtual servers correctly
Component: Application Visibility and Reporting
Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.
Conditions:
This occurs for virtual servers that are configured in one of these ways:
1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.
2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).
Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.
Workaround:
None.
574263 : keys remain on FIPS card after deletion
Component: Local Traffic Manager
Symptoms:
Sometimes when 'delete sys crypto key all' is executed with 5K fips keys, the keys are deleted from mcpd but still exist on the fips card. Subsequent key creation may fail with error 'max capacity reached'
Conditions:
It is not known what causes this.
Impact:
Keys may remain on the FIPS card, and may prevent the creation of additional keys
574160-1 : Publishing DNS statistics if only Global Traffic and AVR are provisioned
Component: Application Visibility and Reporting
Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.
Conditions:
LTM is not provisioned.
Impact:
The DNS chart does not show statistics.
574052-5 : GTM autoconf can cause high CPU usage for gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.
In large configurations of LTM vses that contain "." (dot) in the name.
Conditions:
Large configuration of LTM VS that contain "." in the name have the name converted ("." is replaced by "_") and the LTM VS name is saved to the config.
This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VS to find a match.
This problem is caused by large numbers of VSes on a GTM Server. (10k VSes on 10k Server is less of an issue
than 10k VSes on 1 GTM Server)
Impact:
CPU usage is high, which may impact monitoring and LB decisions.
Workaround:
There are some mitigations. The preferable (for performance
and stability) are listed first.
1. Rename the virtual servers on the LTM to remove the "."
This would require deleting the GTM configuration and
rediscovering it and recreating pools.
2. Turn off autoconf.
Run autoconf once to populate the config, then turn it
off.
3. Reduce the frequency of autoconf. It will still cause
a high CPU usage scenario, but it will be less frequent.
Versions 12.0.0 and higher do not convert the "." to "_". So that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they still may run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue, a reconfig would be necessary.
574020-1 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
Component: Local Traffic Manager
Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').
Conditions:
This issue occurs when the following conditions are met:
-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').
Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which the some user environments might not have.
Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).
573031-2 : qkview may not collect certain configuration files in their entirety
Component: TMOS
Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:
/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf
Conditions:
Any of the listed files exceeds 5 Mbytes.
Impact:
Fault diagnosis may be affected.
Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.
572887-5 : DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
Component: Access Policy Manager
Symptoms:
DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client. This happens because f5fpc fails to patch /etc/resolv.conf on Ubuntu 15.10 release.
Conditions:
/etc/resolv.conf, Ubuntu 15.10, f5fpc CLI client and network access establishment.
Impact:
DNS doesn't work properly on Ubuntu 15.10
572885-3 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
572655-3 : Request Logging profile Template textarea wrapping set to soft wrap
Component: TMOS
Symptoms:
The Template field in the Request Logging profile adds line break characters to long values.
Conditions:
This occurs when there is a long string of text in the Template field for the Request Logging profile, for example, $DATE_NCSA [REQUEST] - [$HOST:$VIRTUAL_PORT] - $VIRTUAL_POOL_NAME - [SRC_PORT:$CLIENT_PORT] - $NCSA_COMBINED.
Impact:
The data stored has line break characters in it at every location where the text wraps inside the Template text box.
Workaround:
There is a partial workaround, depending on the length of the string and the width of your screen. Adjust the width of the Template field by clicking and dragging the lower-right corner of the field. The line breaks the system adds occur only when the text wraps inside the box when you save the profile (by pressing Finished on a new profile or Update on an existing one).
572546 : Assigning address list with 1000+ entries to 1000+ rules policy results in MCP errors
Component: Advanced Firewall Manager
Symptoms:
If the size of an address list is too big, and that address list is used in 1000+ rules, it will cause MCP error when saving the config.
Conditions:
Assigning address list with 1000+ subnets to 1000+ rules
Impact:
The configuration fails to save.
572375 : Race condition in the terminate handler of the icrd_child process causes the process to become unresponsive, and generates a core file
Solution Article: K36870345
Component: TMOS
Symptoms:
* In the /var/log/icrd log file, you may observe an error message similar to the following example:
notice icrd: 5823,14414, RestServer, INFO,Connection idle too long fd:11.
* The BIG-IP system may generate an icrd_child core file in the /var/core directory.
Conditions:
You use the iControl REST application programming interface (API) to obtain data from or modify the configuration of your BIG-IP system.
Impact:
icrd_child experiences an intermittent segfault error and has to be restarted.
Workaround:
No workaround.
572180-3 : httpclass containing escaped backslashes are stripped on migration to LTM policy★
Component: Local Traffic Manager
Symptoms:
When upgrading or installing a UCS file with http class profiles values containing escaped backslashes will have the escaped backslashes stripped from the value.
Conditions:
A http class profile with values containing escaped backslashes. This occurs on upgrades through 12.0.0.
Impact:
The escaped backslashes will be removed and then the policy will not correctly match.
Workaround:
Edit the policy and add backslashes back in.
572142-1 : Config sync peer may fail to monitor newly added pool member after it is added via sync
Component: Local Traffic Manager
Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.
Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed
Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.
Workaround:
Suggested workaround:
Here’s a way that should avoid any possible downtime:
1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.
The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.
572015-4 : HTTP Class profile is upgraded to a case-insensitive policy★
Component: Local Traffic Manager
Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains a HTTP Class profile, the generated policy will be case-insensitive.
Conditions:
HTTP Class profile
Impact:
Generated policy does not match on the same conditions as original HTTP Class profile.
Workaround:
Manually edit generated policy
571651-2 : Reset crypto accelerator queue if it becomes stuck.
Solution Article: K66544028
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
571635 : VIPRION B2100 or B2150 blade Optic OPT-0016-00 is ON during BIG-IP system boot sequence causing errors with connected equipment
Solution Article: K12010393
Component: TMOS
Symptoms:
When a VIPRION B2100 or B2150 blade boots, there is a brief window during which the transmitter on the optics module is enabled, but the accompanying initialization of the Broadcom switch has not yet occurred. during this window (~20 seconds) random data may be transmitted which may be reported as errors by the link partner.
Conditions:
VIPRION B2100 or B2150 blade is powered or rebooted or when the user performs a 'bigstart restart'.
Impact:
This has a minor impact. In most cases link is functional after the system fully initializes, although error counts may show up on the link partner.
Workaround:
If link fails to come up, attempt "bigstart restart bcm56xxd" to restart the Broadcom daemon. However, this will have no impact on errors seen by peer equipment.
You can determine the type of hardware using the command: tmsh show sys hardware. 'Type' is A109 for VIPRION B2100 blades and A113 for VIPRION B2150 blades.
571482-1 : Unbalanced double-quotes may merge lines upon config save-then-load★
Component: Local Traffic Manager
Symptoms:
Unbalanced double-quotes used in the configuration will cause load failure, or will merge subsequent configuration lines until a balancing double-quote character is found. For example, an improper expression may be used to configure a monitor 'recv' value that results in an unbalanced (odd number) of double-quote characters, such as "R\\"eceive" (note three double-quote characters, resulting in an unbalanced string).
The string is considered unbalanced with an odd number of double-quote characters, regardless of escaping (such as double- or triple-backslash escaping).
Conditions:
An odd count of double-quotes are used for a configuration value, resulting in an unbalanced string.
For example, configuring a monitor 'recv' value as "R\\"eceive" results in an unbalanced string (notice three double-quotes, an odd number).
Impact:
The configuration will fail to load, as it is improperly formed. In some cases the configuration may successfully load, but the unbalanced string will cause newline(s) to be implicitly escaped until a balancing double-quote is found; this will merge subsequent lines to the unbalanced line, resulting in the consumed lines to not be considered as configuration values, but as the merged continuation of the unbalanced line.
Workaround:
Modify configuration values that use double-quotes to be balanced (i.e., configuration items should have an even-number of double-quoted characters, even if they are escaped).
571424 : Topology Records: Longest Match Sorting in Unexpected Order
Component: TMOS
Symptoms:
The UI or TMSH only includes a create in a transaction. However, validation modifies an attribute (the order in this case) of another record, so both a create and a modify command is included in the transaction sent to TMM and other devices.
Conditions:
Create a GTM configuration with 3 topology regions.
Create 3 topology records with the 'Request Source' (LDNS) as one of the regions.
This results in 3 topology records with orders of 1, 2, and 3.
Delete the topology record with the order of 2.
Add another topology record with a region as the 'Request Source'.
Note that while the UI or TMSH only includes a create in the transaction, a create and a modify is included in the transaction sent to TMM, etc.
Impact:
If there is another GTM in the sync group, it receives a transaction with both a create and a modify. This results in additional validation on the 2nd system.
Workaround:
None.
571333-11 : fastL4 TCP handshake timeout not honored for offloaded flows
Solution Article: K36155089
Component: TMOS
Symptoms:
When a virtual server is configured with a fastl4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the fastl4 profile, but it should be set to the 'tcp handshake timeout' instead.
Conditions:
-- Virtual server is configured with a fastl4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the offload state to 'established'.
569281-5 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
Solution Article: K33242855
Component: TMOS
Symptoms:
Several 'kernel: BUG: soft lockup' messages from kernel leading to TMM. Eventual blade reboot
Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.
Impact:
The BIG-IP system is unusable and eventually reboots.
Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.
568795-4 : Dedup Cache Refresh may fail to re-initialize WOM endpoint
Component: Wan Optimization Manager
Symptoms:
WOM endpoints are not always re-initialized
correctly when for dedup cache refresh operations:
tmsh modify wom remote-endpoint all dedup-action cache-refresh
Conditions:
WOM
Impact:
iSession tunnels do not establish.
Workaround:
bigstart restart
567862-2 : intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance
Component: Local Traffic Manager
Symptoms:
BIG-IP intermittently has SSL traffic failures with HSM. This symptom happens on both chassis and appliance. The general error messages are logged with
"FIPS acceleration device failure: fips_poll_completed_reqs: req: 44 status: 0x1 : Cancel"
Conditions:
When Safenet HSM is used with BIG-IP.
Impact:
SSL traffic is failing.
Workaround:
"bigstart restart pkcs11d" might mitigate this issue.
567774-3 : ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
Component: TMOS
Symptoms:
The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid.
Conditions:
None
Impact:
You should not use the restart command with the properties 'ca-devices' and 'non-ca-device'. It has to be used similar to the delete command.
Workaround:
A new tmsh command to reset a device trust was added:
'restart cm trust-domain Root' which operates exactly like 'delete cm trust-domain Root'. The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid. These properties are not available in the 'delete cm trust-domain'. Workaround for customer is to not use these two properties when running the 'restart cm trust-domain' command or to use the 'delete cm trust-domain'
567743 : Possible gtmd crash under certain conditions.
Solution Article: K70663134
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core leading to a SIGSEV due to a possible race condition.
Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.
Impact:
This event could lead to an outage.
Workaround:
None.
566630-1 : Outbound ICAP request can double-chunk HTTP payload
Solution Article: K17206132
Component: Service Provider
Symptoms:
An outbound ICAP request body is double-chunked (has extra chunk headers inserted within the body chunks).
Conditions:
A primary virtual server has an HTTP profile and either request-adapt or response-adapt profiles, and a corresponding internal virtual server with an ICAP profile. Outbound ICAP request payload might be double-chunked if any of the following are true.
Primary virtual server has a request-adapt profile and either:
1. HTTP client sends a POST request with chunked payload and the http profile has request chunking mode 'preserve' (default).
2. HTTP client sends POST request with chunked payload and the http profile has request chunking mode 'selective', unless certain other http related profiles are present on the http virtual server.
Primary virtual server has a response-adapt profile and ICAP server responds with a body (200 ok), and:
3. HTTP server responds with chunked payload and the http profile has response chunking mode 'preserve'.
If any of these conditions are true, the outbound ICAP request body might be double-chunked.
Impact:
The ICAP server receives corrupt payload and might malfunction and/or return corrupt payload to the receiving client or server.
Workaround:
None.
566507-1 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
566235-2 : Profile License May Be Missing After Failover or Blade Configuration Change In Chassis HA
Component: Access Policy Manager
Symptoms:
Some or all profile licenses may be missing after failover or, in a chassis high availability (HA) setup, if some blades in the standby chassis are removed, followed by failover. As a result, sessions cannot be established and the following error message will show up in the APM log.
-- err tmm8[16609]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_get_license, Line: 7135.
-- err tmm8[16609]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2487.
Conditions:
This failure may happen in a HA setup when
1. Failover happens, or
2. Changing multi-blade chassis HA blade configuration as follows:
2.1. Set mirroring to 'between'.
2.2. Leave the primary blade up and shut down the secondary blades in the standby chassis.
2.3 Change 'minimum numbers of blades up' to 1.
2.3. Force failover. The 1-blade chassis becomes active.
Impact:
Session will be terminated due to ERR_NOT_FOUND error when acquiring profile license.
Workaround:
For failover case:
-- Disassociate and then re-associate the APM profile with the virtual server after failover.
For blade configuration change, there are two options:
1. After failover, disassociate and then re-associate the APM profile with the virtual server after the 1-blade chassis becomes active
2.
2.1. Change mirroring to 'within'.
2.2. Shut down the secondary blades one by one, waiting a few minutes in between each shutdown (waiting is important because SessionDB needs some time to create backup copies).
2.3. Force failover.
2.4. Change mirroring back to 'between'.
566071-6 : network-HSM may not be operational on secondary slots of a standby chassis.
Component: Local Traffic Manager
Symptoms:
pkcs11d may not be running on secondary slots of a chassis.
Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.
Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.
Workaround:
Manually install netHSM on each secondary slot.
564899 : During shutdown, csyncd may dump core
Component: Local Traffic Manager
Symptoms:
When csyncd exists during shutdown, it occasionally might leave a core dump.
Conditions:
This occurs during shutdown.
Impact:
None. csyncd is shutting down anyway; it just does so in an unclean manner. This is a cosmetic condition and does not indicate an issue with the system.
Workaround:
None.
564634-2 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
Component: Local Traffic Manager
Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.
Conditions:
Remove a monitor from a pool using tmsh edit commands.
Impact:
bigd still monitors the pool.
Workaround:
None.
563933-3 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
Component: Local Traffic Manager
Symptoms:
A and AAAA RRsets in the additional section are dropped.
Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.
Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.
Workaround:
Set dns64-additional-section-rewrite is 'any'.
563687-1 : [DNS] dns64 behavior does not comply with RFC about how to treat RCODEs other than 'NO ERROR'
Solution Article: K10751444
Component: Local Traffic Manager
Symptoms:
GTM/BIG-IP DNS forwards AAAA response with and RCODE other than 3 to the client, instead of sending an A query to the server.
Conditions:
dns64 profile configured.
Impact:
The client application fails even there is an A GTM/BIG-IP DNS server available.
Workaround:
None.
563651-1 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★
Component: Access Policy Manager
Symptoms:
Web application does not work/works intermittently via Portal Access after BIG-IP upgrading to any new software version.
Conditions:
-- Web application via Portal Access.
-- any modern browser like Chrome, Firefox, Safari or MS Edge.
-- After upgrading of BIG-IP.
Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.
Workaround:
Possible workaround:
-- Clear browser cache manually after upgrading.
563587 : Javascript error in Safari browser when working with framed Cross-Domains website
Component: Application Security Manager
Symptoms:
ASM Client-Side Human User Indicator (CSHUI) script injected into a page with frames, and there are frames pointing to a domain that that is different from the top window frame, Safari browser throws out javascript error similar to the following:
Blocked a frame with origin "http://172.16.32.64" from accessing a frame with origin "http://172.16.38.211". Protocols, domains, and ports must match.
Conditions:
-- CSHUI with framed Cross-Domains website in Safari.
-- Frames on the page point to a domain that that is different from the top window frame.
Impact:
Javascript error in Safari browser.
Workaround:
None.
563560-2 : Intermittent iStats reset
Component: TMOS
Symptoms:
iStats will intermittently be reset back to zero.
Conditions:
An event that causes iStats to be archive, such as removing an iStat, removing a configuration object that has an iStat or removing a custom-stat repeatedly may cause a reset.
Impact:
The iStat values will be reset to zero and then resume incrementing.
Workaround:
Avoid removing iStats or other events that trigger the resets.
562292-3 : Nesting periodic after with parking command could crash tmm
Component: Local Traffic Manager
Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.
Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not nest after commands with parking command.
561595-1 : Guest user cannot see Event Correlation details
Component: Application Security Manager
Symptoms:
Guest user cannot see Event Correlation details.
Conditions:
Log in as Guest
Impact:
Limited read access for guest users.
Workaround:
For guest user - there is no workaround, but if it is possible to log in as another user - then everything works.
561444-2 : LCD might display incorrect output.
Component: TMOS
Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.
Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.
Impact:
LCD may display incorrect data.
Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.
560685-3 : TMM may crash with 'tmsh show sys conn'.
Component: Local Traffic Manager
Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.
Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The only workaround is to not issue the command: tmsh show sys conn.
560231-2 : Pipelined requests may result in a RST if the server disconnects
Component: Local Traffic Manager
Symptoms:
If a HTTP client sends multiple pipelined requests before a full response is received, the HTTP filter will buffer them, and send them one at a time to the server.
If the server ends via a "Connection: Close" the HTTP filter will ignore this, and continue to send the next buffered request.
If the server then sends a FIN packet while that buffered request is in progress, the HTTP filter will send a RST packet to the client.
Conditions:
Multiple concurrent pipelined HTTP requests, and a back-end server that closes a connection while some requests are still buffered.
Oneconnect is not used.
Impact:
The client will receive a RST instead of a FIN packet.
Workaround:
There are two work-arounds.
1) Enable one-connect.
2) via iRule. If a "Connection: close" header exists in the HTTP_RESPONSE event, then HTTP::close may be used to cleanly shut the connection down.
559916 : Corrupt MCP message causes crash in MCPConnection::sendMessage
Component: TMOS
Symptoms:
MCPd produces a core from both blades of 2 blade guest after running 'tmsh show sys conn' a few times.
Conditions:
Unknown
Impact:
Failover
Workaround:
None.
559911 : Nondescriptive error when an application template upload fails on iApp load.
Component: TMOS
Symptoms:
Nondescriptive error when an application template upload fails on iApp load. The system posts a message similar to the following:
Loading configuration... /tmp/upload_template.tmpl Syntax Error:(/tmp/upload_template.tmpl at line: 1) "PK" unexpected argument
Conditions:
Uploading an incorrect file (e.g., a zip file instead of an iApp template).
Impact:
Difficult to determine the problem.
Workaround:
None.
559837-7 : Misleading error message in catalina.out when listing certificates.
Component: TMOS
Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.
java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].
Conditions:
This occurs when listing certificates, and exceptions are returned.
Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found" message in catalina.out.
Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.
559584-4 : tmsh list/save configuration takes a long time when config contains nested objects.
Solution Article: K23410869
Component: TMOS
Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.
Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands: -- tmsh list ltm virtual. -- tmsh save config.
ltm virtual vs {
destination 10.10.10.10:http
ip-protocol tcp
mask 255.255.255.255
profiles { ::: nested object
http { }
http_security { }
tcp { }
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vs-index 26
}
.
Impact:
When commands take longer than 30 seconds to complete, iControlREST times out.
Workaround:
None.
559571 : Temporary negative bit-count on mgmt interface after LBH reset
Component: TMOS
Symptoms:
Temporary negative bit-count on mgmt interface after LBH reset.
Conditions:
Reset stats and an AOM reset.
Impact:
Minimal. After some traffic is passed via the mgmt interface, it comes back into the positive.
Workaround:
None.
559554-3 : CHD congestion control can have erroneous very large cwnd.
Component: Local Traffic Manager
Symptoms:
At times, CHD congestion control can store a very large congestion window, resulting in release of data well beyond that warranted by network conditions.
Conditions:
The client advertises a receive window less than 1 MSS, and CHD tries to decrease the window.
Impact:
Possible network congestion.
Workaround:
Change congestion control algoirhtm from CHD.
559402-2 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form
Component: Access Policy Manager
Symptoms:
Client initiated form based SSO fails when the username and password are not replaced correctly in post request. The reason for this is that client initiated form based SSO and browser urlencode special character in username/password differently. and the case sensitive comparison fails to find match between both these urlencoded values. So sso module adds the username password to the token again. This results in password attribute/value pair appears twice with both the f5-sso-token and the real password and so it fails
Conditions:
When the password contains special charaters like [ or ]
Impact:
SSO fails with password attribute/value pair appears twice with both the f5-sso-token and the real password in the token and so it fails
Workaround:
No workaround
559100-1 : Unable to Import Certificate to a partition subfolder, message: Name cannot contain '/' nor '\'.
Solution Article: K60804782
Component: TMOS
Symptoms:
UI prevents importing to sub-partitions a certificate with a forward slash in the name.
Conditions:
Create a sub-partition such as /Test/MyPartition and import a certificate with name /Test/MyPartition/myCertificate to target the /Test/MyPartition.
Impact:
Import operation fails. The system posts the following error: Name cannot contain '/' nor '\'. User cannot use the GUI to import a certificate in a sub partition.
Workaround:
For a certificate with a forward slash in the name, use tmsh to import it to a sub partition.
559080-2 : High Speed Logging to specific destinations stops from individual TMMs
Component: TMOS
Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.
Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.
Impact:
Logs are silently lost.
Workaround:
Create an additional virtual server to act as a proxy for the log server, and sent the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
559048 : "Request violation" details are blank in /var/log/asm
Component: Application Security Manager
Symptoms:
"Request violation" details are blank in /var/log/asm
Conditions:
ASM provisioned
Impact:
"Request violation" details are blank in /var/log/asm
Workaround:
bigstart restart asm
558944-3 : HSB debug registers needed
Component: TMOS
Symptoms:
Some hardware platforms provide insufficient diagnostic information in the hsb_snapshot to determine the problem the system encounters. (The hsb_snapshot command gathers information from the high speed bridge (HSB) for diagnostic purposes.) Additional HSB debug registers are needed to perform full diagnostics.
Conditions:
Running the hsb_snapshot command in the qkview utility.
Impact:
Some HSB debug registers are needed to provide full diagnostics.
Workaround:
None,
558893-1 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
Component: Local Traffic Manager
Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.
Conditions:
FTP Virtual server configured with an FTP profile that does inherit-parent-profile disabled.
A client to request EPRT and then PORT commands referring to the same IP/PORT.
Impact:
TMM may reset the connection in some cases.
Workaround:
Change the ftp profile to enable the inherit-parent-profile option.
557548-1 : TMM can continuously attempt to reset failing Nitrox
Component: Local Traffic Manager
Symptoms:
If a Nitrox crypto accelerator chip fails, TMM will attempt to reset it to clear the failure condition. If the Nitrox failure is permanent, TMM will continuously attempt to reset the Nitrox, adversely impacting traffic flow. You will see errors in /var/log/ltm that say "crit tmm[12809]: 01010025:2: Device error: cn0 device soft resetting"
Conditions:
This occurs when one of the Nitrox crypto accelerator chips fails.
Impact:
Loss of traffic.
557513 : Monitor description containing escape characters could get double-escaped
Component: Local Traffic Manager
Symptoms:
When creating a monitor whose description contains escape characters, they get double-escaped.
Example:
root@(v11-5-01)(cfg-sync Disconnected)(Active)(/Common)(tmos)# create ltm monitor http http_foobar description \@\#\$\@\#\$\@\#\$\@\#\$\@\#\$
root@(v11-5-01)(cfg-sync Disconnected)(Active)(/Common)(tmos)# list ltm monitor http http_foobar
ltm monitor http http_foobar {
defaults-from http
description "@\\#\\$@\\#\\$@\\#\\$@\\#\\$@\\#\\$"
Conditions:
Creating monitors with escape characters in the description
Impact:
Description contains extra backslashes.
557452-3 : Messages logged when the CAN daemon (cand) receives unsolicited data
Component: TMOS
Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'request for unsolicated data' messages. These messages appear in the log every 20 seconds.
Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.
Impact:
Logs fill with messages. These messages are related to communication with the CAN daemon (cand), and are completely benign, so you can safely ignore them.
Workaround:
Change the remote syslog logging level to 'Notice'.
557155-1 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Solution Article: K33044393
Component: TMOS
Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Conditions:
Sustained high packet rate with a very small payload.
Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.
Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
sysctl vm.panic_on_oom=1
557079 : 'gtmd' daemon is not visible in daemon-ha list command
Component: TMOS
Symptoms:
On the VIPRION B2250 blade, running tmsh list sys daemon-ha does not show gtmd even though gtmd is provisioned and running as confirmed by tmsh show sys service gtmd
Conditions:
This ocurs on VIPRION B2250 blades.
Impact:
gtmd not listed in daemon-ha table.
556616-1 : Unable to install from hotfix on platform with SSD via the GUI
Solution Article: K75634982
Component: TMOS
Symptoms:
When using the GUI to install a hotfix on a platform with SSD drives, the system posts the following error message: No base image installed or compatible volume to install the Hotfix.
Conditions:
The hotfix's base software image is not installed on a non-active volume on a appliance with SSD drives.
Current appliances shipping with SSD drives include the following:
C109 - 5000 series (5250, 5050)
D110 - 7000 series (7250, 7050, 7055)
D111 - 12000 series (12050, 12250)
D113 - 10000 series (10150N, 10350, 10350F, 10050, 10055)
C119 - i5600/i5800
C118 - i7600/i7800
C116 - i10600/i10800
C121 - HRC-i5800
C122 - HRC-i10800
A113 - B2150 blade
A112 - B2250 blade
A114 - B4450N blade
Impact:
Cannot use the GUI to install a hotfix.
Workaround:
Using the CLI to install the hotfix.
555464-1 : HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries
Component: TMOS
Symptoms:
SessionDB memory leak on a standby in the HA pair due to HA channel flapping causing failure of expiry messages.
Conditions:
SessionDB in use, HA channel errors
Impact:
Slow memory leakage on the standby
Workaround:
Alleviate the HA flapping and then restart the standby.
555343-2 : tmm may crash in fastl4 tcp virtual server
Component: Local Traffic Manager
Symptoms:
tmm may crash if receives a fragmented packet in a fastl4 tcp virtual server.
Conditions:
fastl4 tcp virtual server
fragmented packet arrives
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable option "Reassemble IP Fragments" in the fastl4 profile.
554659-1 : Configurable maximum message size limit for restjavad
Component: Device Management
Symptoms:
if the client issues a requests to iControl REST that results in a large amount of data (approx 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response prior to returning it to the client.
Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is that the system sends a board query to icrd, which returns a very large response (approx 200 MB).
Impact:
restjavad becomes unresponsive until it is rebooted.
Workaround:
This fix exposes the maximum message size limit and allows a Network operator to change it by posting to a new configuration worker. An example is included below. The actual value varies by installation - load, average message size etc. Set it too low and the clients will receive 5xx errors even though there is sufficient memory. Set it too high and dangerously-large messages do not get dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value.
An example of setting the maximum message body size to 5kB (5000 bytes) on a machine called 'green.' The password needs to be changed appropriately.
curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" -H
'Connection: keep-alive' -X PUT
"https://green/mgmt/shared/server/messaging/settings/8100" -d
'{"maxMessageBodySize": "5000" }'.
554444-5 : LTM Policy resets connection when removing non-existant HTTP header
Component: Local Traffic Manager
Symptoms:
Customer might notice that certain HTTP requests would be prematurely terminated without seeing a response.
Conditions:
This occurs when an LTM Policy is defined to remove an HTTP header from a request or response, but the request or response does not contain the specified header.
Impact:
The connection gets reset, client does not see response.
Workaround:
As a possible mitigation, if the HTTP header to be removed has narrowly-defined expected value, it may be possible to add a condition that effectively tests for the existence of a header. For example, instead of unconditionally removing the Server: header from a response, a condition could be added to check whether the Server: header contains "Apache", or even if it contains the letter 'a', or even any letter or number.
553830-3 : Use of OneConnect may result in stalled flows
Component: Local Traffic Manager
Symptoms:
Stuck serverside flows that do not expire
Conditions:
Serverside flow expires while clientside is closing while OneConnect is being used.
Impact:
Excessive memory usage, tmm can crash.
Workaround:
Disable OneConnect. This can also be mitigated by ensuring the server-side idle timeout is not set lower than the client profile's fin-wait timeout while using OneConnect.
553614-2 : Modification to parent clientssl CKC does not consistently reflected in the child clientssl profile
Component: Local Traffic Manager
Symptoms:
If cert is modified in the parent client-ssl profile, and inherit-certkeychain is set TRUE in the child client-ssl profile, the system adds the parent CKC(cert-key-chain) to the client-ssl profile instead of changing it to the same value as the parents.
Conditions:
1. Set inherit-certkeychain to TRUE in the child client-ssl profile.
2. Change the Parent CKC value.
Impact:
Parent cert-key-chain is added to the client-ssl profile instead of changing it to the same value as the parent's value. Certificate validation can fail if it is not in the chain.
Workaround:
You can use either of the following workarounds:
-- Manually fix the CKC of child client-ssl profile.
-- Set 'inherit-certkeychain = False' in the client-ssl profile.
553521-2 : TMM crash when executing route lookup in tmsh for multicast destination
Component: Local Traffic Manager
Symptoms:
tmsh show net route lookup 224.0.0.1
will crash TMM.
Conditions:
always
Impact:
Traffic disrupted while tmm restarts.
Workaround:
avoid route lookups of multicast destinations from tmsh. It should be possible to use ip route show instead. tmsh still should work for unicast routes.
553446-2 : Interface bfd session does not appear in configuration file or in show running-config
Solution Article: K44842083
Component: TMOS
Symptoms:
When a Bi-Directional Forwarding Detection (BFD) session is configured for an interface, the bfd session command does not appear in the show running config or in the configuration file. However, running show bfd session command shows that a session is configured.
Conditions:
Interface bfd session between two nodes.
Impact:
Cannot determine whether a bfd session is configured. Further, because it is not save in the configuration file, the bfd session configuration is lost when the system restarts the protocol.
Workaround:
None.
552797 : Login/logout using Safari presents 'server drop connection' message.
Component: Access Policy Manager
Symptoms:
Logging in to the BIG-IP system using Safari browser and then click the "Logout" button, the system posts an error similar to the following:
Safari can not open the page because server drop connection.
Conditions:
Logging in to the BIG-IP system using Safari browser and then click the "Logout" button.
Impact:
Minimal. The error stays for 30 seconds, and then the page refreshes, posting the expected logout page.
Workaround:
None.
552585-2 : AAA pool member creation sets the port to 0.
Solution Article: K32030059
Component: TMOS
Symptoms:
When the AAA server pool member is created (for Radius mode BOTH and for AD), the port is set to 0 (Any) as there are more than one ports for that pool member.
Conditions:
Create AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support the ability of having multiple port numbers and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify using the Admin UI, the port changes made using tmsh will be overwritten again to 0.
Impact:
AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct as the pool member does not support more and 1 port number.
552571 : DWA 8.5 with Safari on MAC OS X 10.11 : check names not works
Component: Access Policy Manager
Symptoms:
For Domino Web Access 8.5 with Safari on Mac OS X 10.11, check names does not work.
Conditions:
Steps to Reproduce:
1. Create new message.
2. Enter the beginning of recipient name and press Check Names.
3. If there are some users whose names start with the same substring, a screen displays with possible names; select one of them.
Steps 3 fail with APM reverse proxy.
No windows pop up with possible name.
Impact:
User unable use 'check names' functionality.
Workaround:
There is no workaround at this time.
552278 : Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows.
Solution Article: K07441245
Component: TMOS
Symptoms:
Fast L4 proxy operates in TTL decrement mode. That means that for Fast L4 software-transformed flows (that is, no PVA acceleration) the system decrements TTL by 1 during the transform. In comparison, for the ePVA assisted flows, the system operates in preserve mode (no TTL change).
Conditions:
For all ePVA assisted flows.
Impact:
Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows: TTL is not decremented for ePVA assisted flows, but TTL is decremented for flows without hardware acceleration.
Workaround:
Disable hardware acceleration to see TTL decrements.
551849-2 : If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong
Component: Advanced Firewall Manager
Symptoms:
If 1 tmm with AFM DoS gets more than 1 Mpps then in the dos_stats, where stats_1m is calculated (previous 60s average pps) can be wrong. This can cause the DoS attack to be detected sooner than it should.
Conditions:
AFM DoS configured and provisioned. Any 1 tmm gets more than 1 Mpps of a certain kind for which we've configured DoS attack detection - and this could cause the 1 minute average stats to be wrong.
Impact:
The state will be wrong and AFM could detect a DoS attack before it actually reaches the configured threshold.
Workaround:
None.
551635-1 : pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule
Component: Advanced Firewall Manager
Symptoms:
pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule
Conditions:
If firewall config contains rules with mixed IPv4 and IPv6 addresses in the same rule (either as source addresses or destination addresses), pccd may crash
Impact:
pccd crash.
Workaround:
Separate different address family addresses into separate rules. In other word, each firewall rule should contain only IPv4 or OPv6 addresses.
551454-2 : Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
Component: Access Policy Manager
Symptoms:
Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server. This has no functional impact on end user.
Conditions:
End user specifies incorrect VPN server URL in edge client
Impact:
None. This has no functional impact on end user.
Workaround:
Specify correct server URL in edge client
550926-6 : AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
Component: Advanced Firewall Manager
Symptoms:
When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.
Conditions:
Configure an address list of AFM rule with "unknown" source Geo-entity and at least one other entity (geolocation or IP address).
Impact:
Confusing, inconsistent, and apparently broken behavior.
Workaround:
Do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.
550653 : Errant DNS Express database log message.
Component: Global Traffic Manager (DNS)
Symptoms:
Upon initial system configuration or whenever the DNS Express database is recreated, the log message "Failed to reload dns-express db (Open)." may display in the ltm log for a short period of time. The message indicates that tmm attempted to load the database before it was written to disk. This error message is only of concern if it is persistent.
Conditions:
This error message may occur upon initial system configuration or if the DNS Express database has been regenerated.
Impact:
There is no impact to the system.
550204-1 : Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'
Component: Advanced Firewall Manager
Symptoms:
Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'.
Conditions:
-- Issuing the command: bigstart restart iptables.
-- AFM configured.
Impact:
AFM Management Port rules disappear from iptables.
Workaround:
Before issuing the command 'bigstart restart iptables' issue the following command:
/sbin/iptables-save > /etc/sysconfig/iptables
550133 : OPSWAT fails for Mac OS and Sophos AV version 9.4
Solution Article: K14134155
Component: Access Policy Manager
Symptoms:
OPSWAT fails for Mac OS and Sophos AV version 9.4
Conditions:
Update Sophos Antivirus software to v9.4.0.
Impact:
AV Check fails.
Workaround:
None.
549872-4 : REST API command to create a new pool member on an existing pool returns a 404 error
Solution Article: K55535322
Component: TMOS
Symptoms:
The following REST API command to create a new pool member on an existing pool works as expected in v11.5.2, but after upgrading to any v11.5.3 through v12.0.0 release returns a 404 error.
curl -X POST -H "Content-Type:application/json" https://pt-f5-BIG-IP-1.pt-virt.exmple.com/mgmt/tm/ltm/pool/~cldform_partition~test-cfme-pool/members -d '{"kind":"tm:ltm:pool:members:membersstate", "name":"test-eap-0.dev.example.com:80", "address":"192.168.1.1?}' --user testuser:$password --insecure
However, pool member list in the GUI or TMSH shows the new member has been created.
Conditions:
- Setup a plain LTM system with normal set of objects including a pool.
- Run the CURL command specified, adjusting the details to match what to use for that LTM and pool.
(You can find reference information in the following DevCentral article, REST API Pool Member Creation: https://devcentral.f5.com/questions/rest-api-pool-member-creation.)
Impact:
Although the system presents a 404 error, the pool member is still created.
Workaround:
Ignore 404 error in REST command for creating a pool member.
549569-1 : tmm may crash in the case of mem alloc fails.
Component: Local Traffic Manager
Symptoms:
tmm may crash in the case of mem alloc fails.
Conditions:
mem alloc that occurs with incompletely constructed RX queues.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
549327-2 : iSession remote endpoint connection not re-established
Component: Wan Optimization Manager
Symptoms:
Intermittently an iSession remote endpoint control connection may not be re-established.
Conditions:
This problem may occur in the following instances:
-- Changing the deduplication cache mode.
-- Terminating an iSession remote endpoint control connection.
Impact:
New iSession connections to the remote endpoint cannot be established.
Workaround:
NOne.
548611-2 : Memory protection strategies can conflict
Component: Local Traffic Manager
Symptoms:
The TMM has three mechanisms to protect memory usage when under pressure: the sweeper responds to low memory with a variety of strategies such as killing idle flows; memory reaping is activated to restore memory to the system; and tcp random early drops are activated if configured.
Since these are all targeting the same memory levels by default, it's possible that all three activate and victimize more flows than required.
In addition, a flaw in the random early drop logic could cause unpredictable behavior.
Conditions:
Always.
Impact:
More flows are victimized than necessary when under memory pressure. One symptom is a large number of random early drops, and hovering right near the sweeper's low-water mark causing new flows to encounter the random early drop limits nearly immediately.
Workaround:
The sweeper's low-water mark can be adjusted, along with the tm.tcpmemorypressure.hiwater and tm.tcpmemorypressure.lowater variables so that they are not all at the same location; this can alleviate most symptoms of this issue.
548175-3 : Idle timeout may be tcp handshake timeout on CMP demoted Fast L4 virtual servers.
Solution Article: K74474731
Component: TMOS
Symptoms:
In certain circumstances, CMP demoted Fast L4 virtual servers may intermittently and incorrectly use the tcp handshake timeout instead of the configured idle timeout.
Conditions:
- CMP demoted Fast L4 virtual servers.
Impact:
Connections may be reset earlier or closed at an unexpected time.
Workaround:
Ensure that the virtual server is not CMP demoted. To do so, do one of the following:
-- CMP-enable the virtual server.
-- Ensure that any iRules that CMP-demotes the virtual server are corrected. See SOL13033: Constructing CMP-compatible iRules at https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13033.html
547692-1 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
KPASSWD service runs on tcp/464 and udp/464. If both of these ports were blocked, BIG-IP would not be able to properly set the machine account password for the created machine account. However, there is a bug on BIG-IP as well, which fails to report this failure back to the administrator.
As the machine account itself was successfully created on ActiveDirectory side without the correct password, and BIG-IP's failure to report the KPASSWD failure problem, the domain join operation seems had worked perfectly.
However, since the password information is never set on ActiveDirectory side, this causes this machine account effectively unusable because BIG-IP would never be able to establish a working SCHANNEL with ActiveDirectory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, as password setting for machine account is not allowed to be performed by administrator, this situation obfuscate the fact the KPASSWD was failing as AD server never receives thus AD never logged any failure on this matter, while BIG-IP fails to detect the KPASSWD failure, and so as administrator's user experience goes, everything seems perfectly worked for domain join.
Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.
Impact:
Created machine account is effectively unusable due to password mismatch, and BIG-IP would never be able to establish a working SCHANNEL, this renders NTLM authentication feature to be not working.
Workaround:
Allow KPASSWD to reach ActiveDirectory server
546877-2 : tmm assert 'tcp_set_persist: retransmit pending'
Solution Article: K10934171
Component: Wan Optimization Manager
Symptoms:
The tmm issues a 'tcp_set_persist: retransmit pending' assert.
Conditions:
Occurs in the TCP stack when the two internal timers, persistence timer and retransmission timer, are active simultaneously.
Impact:
TMM asserts 'tcp_set_persist: retransmit pending'. Traffic disrupted while tmm restarts.
Workaround:
Use the TCP4 stack. To do so, use the default TCP profile
Note: The issue occurs only in the TCP Stack. The TCP4 stack does not have this defect.
546231 : Aced crashed occasionally while shutting down
Component: Access Policy Manager
Symptoms:
An aced core file might be generated when it tries to terminate.
Conditions:
Any time aced process tries to exit due to, among others:
1. Receive SIGTERM signal;
2. MCP query or process notification error;
Impact:
There is no impact to normal aced service. This crash only happens when aced is trying to shutdown.
Workaround:
No workaround available
546029-3 : Edge client connection fails: keeps reconnecting when captive portal probe URL is not available at www.f5.com
Component: Access Policy Manager
Symptoms:
Using Edge client on Microsoft Windows to establish a VPN repeatedly connects and disconnects.
Conditions:
Edge client on Windows is used to establish VPN.
Impact:
Cannot establish VPN. This occurs because The F5 probe URL page used by earlier versions of the Edge client has been decommissioned.
Workaround:
There is no workaround other than to upgrade to a more recent Edge client for Windows.
545946-3 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load★
Component: TMOS
Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.
Conditions:
Transparent/Translucent vlangroup configured.
Upgrade to later version (11.3.0 through 12.1.0) or manually delete mcpd DB binary.
Impact:
Vlangroup MAC address is incorrect and can adversely affect traffic transversing the vlangroup.
Workaround:
Reload configuration or alter vlangroup configuration: e.g: set back and forth between transparency modes.
545856 : Java VM crash while monitoring DB
Component: Local Traffic Manager
Symptoms:
The Java VM crashed while attempting to monitor the proper functioning of a DB
Conditions:
Unknown
Impact:
One known occurrence. Failure affects a single attempt at monitoring the DB.
Workaround:
Based on the information available, this failure is not persistent. A single attempt at monitoring the DB failed and proper functioning resumed without intervention.
545799-3 : Dashboard fails to export derived throughput history
Solution Article: K48550324
Component: TMOS
Symptoms:
Dashboard fails to export derived throughput history.
Conditions:
Exporting derived throughput history in the Dashboard.
Impact:
The derived stats are not included in the export file.
Workaround:
The derived stats can be calculated from the exported raw stats.
545796-1 : [iRule] [Stats] iRule is not generating any stats for executed iRules.
Component: Local Traffic Manager
Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.
Impact:
No iRule usage stats available.
Workaround:
None.
545214-4 : OSPF distance command does not persist across restarts.
Solution Article: K54734184
Component: TMOS
Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.
Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.
Impact:
The distance command does not function as configured, which affects OSPF behavior.
Workaround:
None.
544958 : Monitors packets are sent even when pool member is 'Forced Offline'.
Component: Local Traffic Manager
Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.
Workaround:
None.
544033-1 : ICMP fragmentation request is ignored by BIG-IP
Solution Article: K30404012
Component: Local Traffic Manager
Symptoms:
Client sends a large ICMP Echo Request whose size exceeds the MTU of the network the packet traverses requiring the ICMP Echo Response to be fragmented. BIG-IP ignores the fragmentation request and continues sending ICMP Echo Replies that exceed the network MTU.
Conditions:
-- A large (exceeds MTU of network traversed) ICMP Echo Request is directed to a Virtual Address on the BIG-IP system.
-- ICMP Echo Reply is larger than upstream networks MTU resulting in fragmentation needed being sent to BIG-IP.
Impact:
ICMP Echo Reply is not received by the requester.
Workaround:
None.
543344-2 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways:
-- The session ID is embedded in the request.
-- The connection was processed by ACCESS previously.
When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.
Conditions:
This occurs when the following conditions are met:
-- ACCESS iRule such as ACCESS::session data get/set.
-- ACCESS::session exists.
-- Session ID is not provided by the caller.
-- Caller expects the session ID to be resolved internally.
Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.
Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.
542636 : APM logon page copyright should show the current year
Component: Access Policy Manager
Symptoms:
APM logon page shows copyright valid to 1999-2014.
Conditions:
-- APM logon page.
-- Running v11.5.3.
Impact:
Incorrect copyright date.
Workaround:
Go to customization, select the profile, and change footer text.
542347-4 : Denied message in audit log on first time boot
Component: TMOS
Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:
type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.
Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.
Impact:
This error message is benign and can be ignored.
Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.
542292-3 : GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome.
Solution Article: K11051722
Component: TMOS
Symptoms:
In certain circumstances the BIG-IP GUI might cause MIB files to be served uncompressed, but with tar.gz extension.
Conditions:
Use Chrome to download BIG-IP MIB files from the GUI.
Impact:
MIB files are uncompressed.
Workaround:
Do not attempt to uncompress the MIB files further if downloaded with Chrome. Simply untar and use as normal. Renaming the file may help avoid further confusion.
542191-3 : Snmpd V1 and V2c view based access.
Solution Article: K53938810
Component: TMOS
Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.
Conditions:
If more that one snmpd view is specified per community string the second view is not accessible. Note: A view is a portion of a MIB tree defined by an OID.
Impact:
The BIG-IP system does not support view configuration. If multiple views are created using the lines: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.
Workaround:
Multiple views with the same community string are not supported.
541916 : tmm segfault: hud_process_upper
Component: Local Traffic Manager
Symptoms:
The tmm fails with a segmentation fault in hud_process_upper.
Conditions:
This is a rarely occurring issue whose causes are not well understood.
Impact:
The tmm fails and restarts.
Workaround:
None.
541693-1 : Monitor inheriting time-until-up and up-interval from parent incorrectly via GU
Solution Article: K32391836
Component: TMOS
Symptoms:
Monitors inherit incorrect time-until-up and up-interval from parent.
Conditions:
Create a parent monitor with non-default time-until-up and up-interval values. Using the GUI, create a child monitor.
Impact:
The child monitor's time-until-up interval value is set to default (0). The up-interval value is incorrectly inherited from the parent.
Workaround:
Set the time-until-up value for the child to the desired value.
541320-4 : Sync of tunnels might cause restore of deleted tunnels.
Solution Article: K50973424
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
539199-2 : HTML filter is truncating the server response when sending it to client
Component: TMOS
Symptoms:
The response to the client is truncated
Conditions:
When a server sends a compressed response to a flow that has html profile. It seems like compressed response may not be a prerequisite - it might just be bringing out the issue better due to asynchornous nature of inflating
Impact:
the response is truncated when it reaches the client.
Workaround:
None.
539026-2 : Stats refinements for reporting Unhandled Query Actions :: Drops
Component: Local Traffic Manager
Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error
but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors
Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be more clear if there were one dropped packets stats for the system, and another specifically for Unhandled. And also add stats for Allow packets under Unhandled.
Conditions:
Statistics pages for Unhandled Query Actions :: Drops.
Impact:
May be confusing to determine what the statistics mean.
Workaround:
None.
539018-2 : TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file.
Component: Access Policy Manager
Symptoms:
TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file instead of looping TMM thread log file.
Conditions:
TMM stuck in a loop and aborted by monitor process.
Impact:
Unclear which TMM thread was looping and resulted in crash and failover.
537213-3 : Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status
Component: Application Security Manager
Symptoms:
Changes made to security policies are not synced to peer. The sync status says "In sync" but the policy changes have not been made.
Conditions:
This occurs when making changes to security policies with policies on each device in a sync-only ASM device group.
Impact:
Changes are not propagated to the other devices in the sync-only device group, yet the sync status says it is in sync (the sync-failover group will say changes are pending). If you perform a second sync, the changes are pushed to the other devices.
Workaround:
Performing a second sync will push the changes to the other devices.
537209-1 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
Component: Local Traffic Manager
Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.
Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.
Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.
Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.
536724 : Policy Sync Status stuck at initiated syncing to subgroup after doing to parent group
Component: Access Policy Manager
Symptoms:
Policy sync status of source device gets stuck at "Initiated" and never transitions to completed.
Conditions:
1. Create two sync-only device groups so that one contains all the members of the other.
2. Initiate a policy sync to the bigger group.
3. Initiate a policy sync to the smaller group.
Impact:
Policy sync cannot complete and status remains "Initiated".
535904-3 : BD crashes when attempting to access a closed connection
Component: Application Security Manager
Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.
Conditions:
One or more of these features is turned on - Session tracking, web scraping, ICAP, ASM irules. The client side or the server side pre-maturely closes the connection.
Some load happens on this traffic.
Impact:
The Enforcer Application system may temporarily fail to process traffic.
Workaround:
N/A
535857-1 : When binary database is not present, during mcp load, unexpected creation of VLAN membership in 'cist' STP singleton
Component: Local Traffic Manager
Symptoms:
When user removes a VLAN from a Spanning Tree Protocol (STP) instance, it appears in stp instance 0. This is by design.
Conditions:
Deleting a VLAN from an STP instance.
Impact:
Minor: VLANS deleted from an STP instance do not "disappear", they are instead added to STP instance 0.
Workaround:
There is no workaround at this time.
535714 : Policy creation error after resolving LSO in policy sync for a big policy
Component: Access Policy Manager
Symptoms:
An error dialog popup with title "Policy Creation Error" and text " Request timeout Status text communication failure" after resolving LSOs and clicking on "finish" button.
Conditions:
- Import or create a big policy, e.g. 2.7MB for the .conf and 1.6MB for the resources in the res directory, 1100 ACLs with 9600 ACL entries in them.
- Initiate a policy, resolve LSOs and click "finish"
Impact:
GUI won't recover.
Workaround:
Running following shell command from console:
bigstart restart tomcat
535122-7 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
Component: Local Traffic Manager
Symptoms:
Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.
Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.
Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
+ Inconsistently manages those files improperly.
+ May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
+ May confuse two objects (e.g., 'web-server' and 'web-server.crt').
+ GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.
Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for ('sys crypto') but does not add extensions for ('sys file').
534890-3 : When using session tickets, the session id sent might be incorrect
Solution Article: K73310443
Component: Local Traffic Manager
Symptoms:
Under some circumstances, when SSL session is resumed using session tickets, the BIG-IP system might send an incorrect session id.
Conditions:
Session tickets are enabled.
Impact:
The session id sent might be incorrect
Workaround:
Do not enable session tickets.
534373-1 : Some Text on French Localized Edge client on windows has grammatical error
Component: Access Policy Manager
Symptoms:
Grammatically incorrect text is displayed in Edge Client UI localized for French language.
Conditions:
French Localized version of Edge Client is used.
Impact:
Branding.
Workaround:
None.
533900-2 : Extra Proxy on Image Size Change
Component: WebAccelerator
Symptoms:
Using AAM with image optimization, if an image which is large enough to be stored in datastor is replaced with one that is small enough to fit into the small object cache, AAM will proxy to the OWS one additional time before starting to serve the image from cache.
Conditions:
AAM, image optimization, and a change in image size on the OWS.
Impact:
One additional proxy after the larger image is replaced with the smaller one.
Workaround:
None.
533790-2 : Creating multiple address entries in data-group might result in records being incorrectly deleted
Component: TMOS
Symptoms:
Using the GUI to create multiple address entries in data-group might result in records being incorrectly deleted
Conditions:
Creating multiple address entries in data-group
Impact:
Cannot add/remove IP addresses from existing data groups without affecting existing IP addresses through GUI.
Workaround:
Use TMSH to add/remove IP addresses from existing data groups.
532915-2 : No validation error attempting to modify a record in an external data-group using iControl SOAP.
Component: TMOS
Symptoms:
As a result of changes to data-groups between versions 10.x and 11.x, external data-groups are not allowed to have modified records. This was fixed in tmsh, but not propagated to iControl SOAP.
Conditions:
Attempt to modify a record in an external data-group using iControl SOAP.
Impact:
No validation error.
Workaround:
None.
532904-1 : Some HTTP commands fail validation when it is in a proc and the proc is called from another proc
Solution Article: K24219334
Component: Local Traffic Manager
Symptoms:
The following HTTP commands fail validation:
HTTP::uri
HTTP:version
HTTP::header
HTTP::method
Validation fails with the following error:
HTTP::uri command in a proc in rule (<the rule>) under event at virtual-server (<the virtual>) does not satisfy cmd/event/profile requirement.
Conditions:
Command is in a proc and the proc is called from another proc.
Impact:
Config load fails.
Workaround:
Directly call the proc from an iRule, instead of from the proc.
530927-1 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
Component: TMOS
Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.
Conditions:
Interfaces use a lower speed then their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.
Impact:
Interface cannot be added to the trunk.
Workaround:
Remove all interfaces, readd them all at the same time.
530877-6 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
Solution Article: K13887095
Component: Local Traffic Manager
Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.
If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers with that have the Verified Accept option enabled.
Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.
Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.
Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.
530266-2 : Rate limit configured on a node can be exceeded
Component: Local Traffic Manager
Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.
Conditions:
More than 1 tmm needs to be there. Rate limit needs to be configured on the node.
Impact:
Node rate limit feature does not work as intended.
Workaround:
Rate limit can be shifted from the node to pool member and it works.
530102-3 : Illegal meta characters on XML tags -★
Component: Application Security Manager
Symptoms:
After upgrading from 11.4.1 to 11.6.0, 11.6.1 or 12.0.0, you see a lot of "Illegal meta character in value" false positives on your XML content. The flagged character are valid within XML (<, >, /, :, etc.) and the affected URLs are associated with legitimate XML profiles via header-based content profiles.
From the security event report, one can see that the invalid characters are for the global UNNAMED wildcard parameter and that the request is a multipart POST.
Conditions:
XML profile is assigned to the wildcard URL and having Header-Based Content profile.
Impact:
False positive violations could happen on the parameter enforcement (as it's not a parameter content but XML).
Workaround:
N/A
529535-3 : MCP validation error while deactivating a policy that is assigned to a virtual server
Component: Application Security Manager
Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, then BIG-IP reports the following error:
----------------------------
"MCP Validation error - 01071726:3:
Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.",
----------------------------
However, the security policy becomes inactive and remains assigned to virtual server.
This will cause the virtual server to stop processing network traffic, and there will be the following errors in 'bd.log':
----------------------------
BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data
----------------------------
Conditions:
ASM provisioned, with a security policy assigned to a Virtual Server, then the security policy is deactivated via the REST API
Impact:
An inactive security policy remains assigned to a Virtual Server
Workaround:
Deactivate the security policy via GUI at:
'Security :: Application Security : Security Policies : Active Policies':
528987-2 : Benign warning during formatting installation
Component: TMOS
Symptoms:
The system posts a benign warning during formatting installation: warning: array conf_write could not find data disk.
Conditions:
This occurs during formatting installation.
Impact:
This is a benign error message that does not indicate an issue with the system. You can safely ignore it.
Workaround:
None needed. This is a cosmetic message.
528894-4 : Config sync after sub-partition config changes results extra lines in the partition's conf file
Component: TMOS
Symptoms:
Config sync after sub-partition config changes results extra lines in the partition's conf file.
Conditions:
Make changes under any partition except /Common and then config sync without overwrite.
Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.
Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.
528499-4 : AFM address lists are not sorted while trying to create a new rule.
Component: Advanced Firewall Manager
Symptoms:
AFM address lists are not sorted while trying to create a new rule.
Conditions:
Seen only in the rule creation page.
Impact:
AFM address lists are not sorted in the rule creation page.
Workaround:
none
528424-2 : IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state
Component: Access Policy Manager
Symptoms:
Tooltips/Toast notification are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows does not convert tooltips to toast notification for F5 WebComponent in Windows 10.
Conditions:
The problem occurs under these conditions: Internet Explorer 11.
Windows 10.
Networks Access changes state.
Impact:
User is not notified about state change.
Workaround:
To enable tooltips, in Group Policy change this setting:
"User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.
528343-1 : Loading cli preference that does not contain the user attribute will fail
Component: TMOS
Symptoms:
The cli preference config objects under certain circumstances can be saved without a user attribute. The loading of such a cli preference will result in error "Loading a preference requires user name specified".
Impact:
Loading scf, ucs configuration will fail
Workaround:
Remove the cli preference that does contains the user from the configuration (/config/bigip_user.conf or SCF) and reload.
528295-9 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
Solution Article: K40735404
Component: TMOS
Symptoms:
A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs.
Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.
Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.
Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.
528083-3 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
Solution Article: K12055204
Component: TMOS
Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
Conditions:
System shutdown. Unable to reproduce the issue reliably, so conditions for the crash are unknown
Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.
Workaround:
None
528056-2 : VCMP: Large vdisk was unable to migrate in 15 minute timeout
Component: TMOS
Symptoms:
A 25G+ vdisk did not complete migration from one blade to another within the timeout and was stopped.
Conditions:
When an existing single slot guest is allocated to a different slot the VCMP host moves the vdisk to the new slot. This process is referred to as vdisk migration.
Impact:
The vdisk was not moved and results in the following message to /var/log/ltm:
<date> <slot>/ltm err vcmpd[13859]: 01510004:3: Guest (<name>): Failure - VDisk migration process from slot [N] failed. Timed out after 900 seconds.
Workaround:
Increase the migrating timeout db var:
sys db vcmp.timeout.migrating {
value "2700"
}
527907-3 : TCP reject Virtual Servers may not respond with TCP reset
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, reject Virtual servers configured with IP protocol TCP may not respond to TCP SYN packets with a TCP RST; silently dropping them.
All-protocols and UDP reject virtual servers are unaffected.
Conditions:
- Virtual Server, type Reject
- Virtual server ip-protocol only TCP.
Impact:
TCP SYN packets are silently dropped.
Workaround:
Use all-protocols or use a standard VIP and reject via iRule.
527720-3 : Rare 'No LopCmd reply match found' error in getLopReg
Component: TMOS
Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.
This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.
Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.
Workaround:
None.
527238-2 : Improvements to the Single DH use option in SSL profile
Component: Local Traffic Manager
Symptoms:
"Single DH use" option in Client SSL or Server SSL profile was ignored in some cases.
Conditions:
"Single DH use" is set in Client SSL or Server SSL profile.
Impact:
"Single DH use" was always effectively "on" for DHE-based ciphersuites in any Server SSL profile.
Single DH use had no effect for ECDHE ciphersuites in any SSL profile or DHE ciphersuites in any ClientSSL profile.
The main benefit of the Single DH use is to provide true/ultimate perfect forward secrecy. The aim of such high security posture is to be able to claim that no encryption key resides in memory on BIG-IP beyond a single TLS session. This security posture requires disabling of TLS session reuse, TLS session ticket, and the matching behaviour of any TLS client. The benefit of this fix is to primarily address these high security needs.
DHE ciphersuites on BIG-IP use periodically re-generated custom DHE groups in any SSL profile. The use of custom DHE groups implies that the massive pre-computation needed to efficiently solve DH discrete logarithm problem (DH DLP) is only helpful for the lifetime of a given DHE group. Provided that the DH DLP is easy, "Single DH use" doesn't materially slow down the DLP attacks. ECDHE groups provide sufficient security today making ECDHE DLP infeasible. Please refer to 2015 LogJam attack for the background.
Workaround:
No workaround.
527206-4 : Management interface may flap due to LOP sync error
Component: TMOS
Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.
Workaround:
None.
527119-2 : Iframe document body could be null after iframe creation in rewritten document.
Component: Access Policy Manager
Symptoms:
End users report being unable to use certain page elements in chrome (such as the Portal Access menu), and it appears that Javascript has not properly initialized.
Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
iframe.contentDocument.write(html);
iframe.contentDocument.close();
<any operation with iframe.contentDocument.body>
One of applications known to contain such code and fail after APM rewriting is TinyMCE editor.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
527058 : TMM Crash, at AVR lookup mechanism
Component: Application Visibility and Reporting
Symptoms:
TMM crash at high stress at lookup mechanism
Conditions:
Rare cases, at high stress, and when AVR is being used.
Impact:
Traffic disrupted while tmm restarts.
526774-3 : Search in FW policy disconnects GUI users
Component: Advanced Firewall Manager
Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.
Conditions:
wildcard search in active rules page with lots of objects causes GUI to hang
Impact:
Unable to use the GUI
Workaround:
The query to search for matches was optimized to omit context objects that did not have any rules.
526708-1 : system_check shows fan=good on removed PSU of 4000 platform
Component: TMOS
Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good
Conditions:
This applies only to the BIG-IP 4000 platform.
Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.
526642-5 : iRule with HTML commands inside can be attached to Virtual server without HTML profile
Component: TMOS
Symptoms:
If iRule with HTML commands inside is attached to Virtual server which has not HTML profile, this iRule may fail with 'Unknown error' message in the log.
Conditions:
- iRule with HTML commands
- Virtual server without HTML profile
- the iRule is attached to this server
Impact:
iRule does not work as expected
Workaround:
If Virtual server uses iRule with HTML commands, this server should use HTML profile.
525847-1 : SNMP manager doesn't accept community name in double quotes in packet capture.
Component: TMOS
Symptoms:
When configuring SNMP trap via tmsh sys snmp v2-traps (trap2sink directive) or v1-traps (trapsink directive) commands, the community name contains double quotes in packet capture. This causes a problem as SNMP manager doesn't accept the trap because of the community mismatch.
On the other hand, if traps are configured using tmsh sys snmp traps (trapsess directive), community name doesn't contain double quotes, which is an expected behavior.
Conditions:
Use tmsh sys snmp v2-traps or tmsh sys snmp v1-traps to configure SNMP traps.
Impact:
Community name contains double quotes in packet capture, which causes the SNMP manager to reject the trap because of the community mismatch.
Workaround:
Use tmsh sys snmp traps.
525580-2 : tmsh load sys config merge file filename.scf base command does not work as expected
Solution Article: K51013874
Component: TMOS
Symptoms:
The presence of base option indicates that only the base objects in the configuration should be considered for the save operation. The non-base objects in the configuration should be ignored.
However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.
Conditions:
Running the command: tmsh load sys config merge file filename.scf base.
Impact:
This command ignores the base option. When specified with the merge option the base option is ignored. It merges the non-base configuration objects. It does not load only the base config objects as specified in the command.
Workaround:
None.
525133-2 : Restarting TMM or failover offline causes causes bigd 'emerg logger' error message
Component: Local Traffic Manager
Symptoms:
Stopping and starting the tmm causes bigd to restart with an 'emerg logger' error message. The restart is expected behavior, but the error-level message is not.
Conditions:
On active unit run one of the following commands:
-- bigstart restart tmm.
-- bigstart stop tmm;bigstart start tmm.
-- bigstart stop tmm;bigstart start.
-- tmsh run sys failover offline.
Impact:
bigd restarts and a message is logged to the console similar to the following: emerg logger: Re-starting bigd. Traffic monitoring ceases until TMM restart is complete. For the failover offline, impact is limited as unit is sent offline.
Workaround:
None.
524277-3 : Missing power supplies issue warning message that should be just a notice message.
Component: Local Traffic Manager
Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.
Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.
Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.
Impact:
Extra logging.
Workaround:
Ignore missing power supply warning messages.
524193-3 : Multiple Source addresses are not allowed on a TMSH SNMP community
Component: TMOS
Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify,delete, replace-all). Only the first address will be saved.
Conditions:
Specifying multiple source addresses are specified on a TMSH snmp community command.
Impact:
The command is accepted, but only the first address will be allowed snmp access.
Workaround:
Add an additional source address to another snmp community object that has the same community string.
524185-1 : Unable to run lvreduce
Component: TMOS
Symptoms:
Unable to run lvreduce command due to missing program 'blockdev'. (The missing program 'blockdev' is part of the util-linux-extras package.)
Conditions:
Attempting to reallocate disk resources when upgrading a vCMP system.
Impact:
Cannot reallocate the vmdisks app volume.
Workaround:
Acquire the /sbin/blockdev executable from a different BIG-IP device running version 11.6.0-HF6 or 12.x, and install it on the BIG-IP device affected by this issue.
Note: If the receiving system is a multi-blade VIPRION, you must install the file on each blade.
If you do not have a suitable donor device available, you can contact F5 Support, who will be able to supply the executable to you.
Note: Using a blockdev executable from another source is not recommended.
524123-4 : iRule ISTATS::remove does not work
Component: TMOS
Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.
Conditions:
Invoking the ISTATS::remove command from an iRule.
Impact:
The value of the iStat remains defined.
Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.
523992-6 : tmsh error map not included in /etc/alertd
Solution Article: K12604540
Component: TMOS
Symptoms:
tmsh error map is not included in /etc/alertd.
Conditions:
File /etc/alertd/bigip_tmsh_error_maps.h missing.
Impact:
The tmsh error maps include certificate expiration warnings (i.e., BIGIP_TMSH_TMSH_CERT_EXPIRED, BIGIP_TMSH_TMSH_CERT_WILL_EXPIRE). This information is used to create alerts. Not having the map makes it difficult to create alerts for tmsh related errors (e.g., certificate expiration warnings).
Workaround:
None.
523985-2 : Certificate bundle summary information does not propagate to device group peers
Component: TMOS
Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.
Conditions:
A certificate file is create in a folder synced to a device group.
Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.
Workaround:
None.
523814-6 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
Component: Local Traffic Manager
Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.
Clients that use HTTP/1.1 will result in fewer serverside connections being reused.
Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.
Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0
Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.
Inconsistent behavior as a result of client HTTP version.
Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.
523797-4 : Upgrade: file path failure for process name attribute in snmp.★
Component: TMOS
Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
Conditions:
Upgrade from 10.x. to 11.5.1 or later.
Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.
523522-2 : In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers
Component: Application Security Manager
Symptoms:
In a device group, after installing a UCS file (on any one of the peers in group), an inconsistent state of Application security update version is achieved between peer machines.
Conditions:
ASM is provisioned.
Device group with ASM sync enabled.
Install UCS file with a bundled ASU version different then the currently installed.
Impact:
An inconsistent state of ASU version is achieved between peer machines.
Workaround:
Manually trigger ASU update/install from:
Security > Security Updates > Application Security
522993-1 : tmsh crashes when trying to perform a wildcard delete of iRules
Solution Article: K17638180
Component: TMOS
Symptoms:
tmsh will crash with a segmentation fault if an administrator attempts to delete iRules using wildcard syntax (e.g., 'tmsh delete ltm rule rules\*'). This occurs if the object name includes either an asterisk (*) or left square bracket ([).
Conditions:
A BIG-IP administrator runs a command such as the following: tmsh delete ltm rule rules\*
Impact:
tmsh crashes with a segmentation fault. The system is otherwise not impacted.
Workaround:
Do not attempt to use wildcard syntax to delete iRules; instead, delete each iRule individually.
522620-2 : BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed
Component: Local Traffic Manager
Symptoms:
BIG-IP APM continues to use old monitor (in addition to new monitor configuration) for APM AAA pool after the monitor type is modified.
Conditions:
APM AAA pool's monitor configuration is modified via the APM GUI.
Impact:
BIG-IP APM continues to use old monitor (in addition to new monitor) to monitor pool members for an AAA pool.
Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:
Save and re-load the configuration to correct the incorrect information in mcpd:
tmsh save sys config partitions all && tmsh load sys config partitions all
522124-1 : Secondary MCPD restarts when SAML IdP or SP Connector is created
Component: Access Policy Manager
Symptoms:
Secondary MCPD restarts when the admin creates APM SAML IdP Connector (or SP Connectors) from attached metadata on the primary blade.
Conditions:
BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.
Impact:
Secondary slot's MCPD restarts.
522024-4 : Config sync of SecurID config file fails on secondary blades
Solution Article: K17214
Component: TMOS
Symptoms:
After uploading a new SecurID config file using the GUI, mcpd restarts and fails to sync the file to the secondary.
Conditions:
If APM is provisioned, and upload a new SecurID config file via the GUI. This can also happen on device group peers.
Impact:
The secondary blade restarts mcpd, which in turn restarts several other daemons. The secondary blade never receives the config file, so if it becomes primary, it does not have the correct configuration.
Workaround:
Use tmsh: tmsh modify apm aaa securid secureid-name config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.
521828-1 : CMI device credentials (device name or password) containing XML special charactersresults in peer discovery error
Solution Article: K78693459
Component: TMOS
Symptoms:
When attempting to set up CMI device credentials (device name or password), an error message can result if the device name (of the current device, or the newly specified name for the target device) or the administrator password (for the target device) contains certain characters.
The error message has this format:
java.io.IOException: Could not read response from server: ParseError at [row,col]:[1,225] Message: Element type 'bigip2' must be followed by either attribute specifications, '>' or '/>'.
Conditions:
The list of characters is any XML special character (less than, greater than, or ampersand).
Impact:
Failure to set up CMI sync.
Workaround:
For the device name, these characters are illegal and a different device name should be chosen. If the current device has any of the specified characters, you can use the command 'mv cm device source-name target-name' to change the name of the device.
There is no workaround if the relevant character is in the password field, except to change the password.
521822-1 : referer header in request is not completely deflated at gateway, f5-w-dobledot paths are not reduced
Component: Access Policy Manager
Symptoms:
Referer header received by backend contains in the path component(s) 'f5-w-doubledot'.
Conditions:
There were doubledot components in referer URL (for example: '../../test.html').
Impact:
Backend can be confused after receiving referer header with different value.
Workaround:
Custom iRule can be used to fix referer header value; no general iRule exists.
521329-3 : CGNAT - Rare TMM core with Deterministic NAT
Component: Carrier-Grade NAT
Symptoms:
Under some circumstances TMM may core when using deterministic NAT due to a divide by zero error.
Conditions:
CGNAT using deterministic NAT mode and persistence enabled. This error only occurs if a previous connection created an address persistence entry using the second address.
This crash is dependent on both the configuration and the traffic.
When the number of subscriber addresses that disaggregates to a TMM is not evenly divided by the number of translation addresses that disaggregates to the same TMM, connections from one or more subscribers may be assigned to blocks from two translation addresses. Depending on the exact address ratio, there may be only one port using the second address.
Due to an off-by-one error, the number of ports available for the second address may be set to zero when it should be set to one. This causes the divide by zero fault.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
520732-2 : XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
Component: Application Security Manager
Symptoms:
Default entities (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) are added to the policy upon XML policy import.
Conditions:
ASM policy with entities of some type (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) deleted (all entities of that type).
Export it to XML and then import that XML back - the default entities are added.
Impact:
XML policy import adds default entities if the relevant element list (in policy XML doc) is specified and empty.
Workaround:
The relevant element list (in the policy XML doc), that is specified and empty, should be completely removed (from the policy XML doc).
519011-1 : Auditor role: Exporting the Request Log
Solution Article: K01287948
Component: Application Security Manager
Symptoms:
Users with the Auditor role cannot export from the Request log.
Conditions:
Users with Auditor role trying to export from the Request log.
Using a software version 11.5.x or 11.6.x.
Impact:
Cannot export from the Request log.
Workaround:
None.
518959 : BIG-IQ Discovery of an 11.5.2 EHF1-19 BIG-IP fails
Component: Application Security Manager
Symptoms:
If you use a BIG-IQ device to discover a BIG-IP device running version 11.5.2 EHF1-19, the discovery fails with the message
"Error querying iControl Rest for ASM Policy - Response Pages in."
Conditions:
BIG-IQ deployed, and attempting to discover a BIG-IP running 11.5.4 HF 1-19.
Impact:
BIG-IQ discovery will fail with error.
Workaround:
Delete one of the installation volumes on the BIG-IP system and re-install the BIG-IP hotfix. For example, these are the tmsh commands to remove the volume and install the hotfix:
# tmsh delete sys software volume HDx.y
# tmsh install sys software hotfix Hotfix-BIG-IP-whatever-hotfix.iso volume HDx.y create-volume reboot
where 'HDx.y' is a (any) desired target software volume.
After the boot, run the following commands:
# /usr/share/ts/bin/add_del_internal add rest_api_extensions 1
# tmsh restart sys service asm
Wait for the BIG-IP device to become 'Active' again and then restart the discovery process from the BIG-IQ system.
517756-1 : Existing connections can choose incorrect route when crossing non-strict route-domains
Component: Local Traffic Manager
Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.
Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.
Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.
Workaround:
None.
517609-1 : GTM Monitor Needs Special Escape Character Treatment
Solution Article: K77005041
Component: Global Traffic Manager (DNS)
Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.
Conditions:
Any running GTM monitor.
Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.
Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
517589-1 : 'array' command not functional from within MOS context
Component: TMOS
Symptoms:
The array command does not produce correct results.
Conditions:
MOS shell
Impact:
array cannot be managed
Workaround:
manage the array from TMOS
517578-2 : statsd crash when failed to open stats files
Component: TMOS
Symptoms:
When certain errors occur trying to open stats files, the statsd daemon could crash calling tmidx_free.
Conditions:
Something like permissions, file descriptor exhaustion, etc. that could lead to an error opening stats files.
Impact:
The statsd daemon crashes leaving a core file and a gap in collecting systems stats and historical stats.
Workaround:
none
517393-5 : Spurious RTO Detection Triggers Early Exit from Fast Recovery.
Solution Article: K17507
Component: Local Traffic Manager
Symptoms:
When Fast Retransmit follows a spurious RTO, detection of the spurious RTO can overwrite Fast Recovery state and trigger premature exit. Spurious RTO detection can trigger crashes. Otherwise, in certain configurations, there can be an very slight decrease in performance.
Conditions:
A step change in delay causes a spurious TCP RTO, accompanied by significant packet reordering and additional packet loss.
Impact:
Possible crashes. Otherwise, a very small decrease in performance in certain configurations.
Workaround:
Disable Early Retransmit.
517202-3 : Applications including Internet Explorer using Microsoft's Secure Channel (Schannel) may fail SSL/TLS handshakes
Component: Local Traffic Manager
Symptoms:
Applications including Microsoft Internet Explorer (IE) using the Microsoft Secure Channel ('Schannel') TLS library may experience TLS handshake failures while accessing virtual servers with Client SSL profiles.
When the client and server select a TLS ciphersuite that utilizes ephemeral Diffie-Hellman (DHE) key exchange, the server (the BIG-IP system) sends a ServerKeyExchange message with Diffie-Hellman parameters to the client. For a subset of the generated parameters (approximately 1 in 128 for 1024-bit DH parameters), the length of the encoded 'dh_Ys' parameter is less than the length of the encoded 'dh_P' parameter.
As a result of that encoding combined with an issue with the Schannel library, the client experiences a fatal error and is unable to complete the TLS handshake.
When this issue occurs, only a subset (potentially only one) TMM may experience handshake failures, because each TMM generates unique DH parameters. Handshake failures may last for up to an hour, as each TMM regenerates parameters every hour.
Conditions:
- Virtual servers with Client SSL profiles.
- Client applications using the Secure Channel (Schannel) TLS library. Relevant clients include IE.
- The BIG-IP system selects a ciphersuite that uses DHE key exchange. Note that the ECDHE key exchange is unaffected.
Impact:
Schannel-based applications may be unable to complete TLS handshakes with one more TMMs on a system for up to an hour.
Other clients are unaffected, and can successfully complete TLS handshakes.
Workaround:
Disable DHE cipher suites in client-ssl profiles, as follows:
* 'DEFAULT:!EDH' to permanently remove DH-based ciphersuites.
* 'DEFAULT:-EDH:DEFAULT+EDH' to move them to the end of the preference list.
516280-1 : bigd process uses a large percentage of CPU
Component: Local Traffic Manager
Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.
Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.
Impact:
bigd process uses a large percentage of CPU.
Workaround:
None.
516200-5 : HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+
Component: Access Policy Manager
Symptoms:
Google Chrome version 40+ shows JavaScript errors when using HTML5 Receivers for Storefront 2.5 and 2.1.
Conditions:
APM is configured for Citrix proxy or replacement and HTML5 Receivers for Storefront 2.5 or 2.1 are used.
Impact:
HTML5 Receivers for Storefront 2.5 or 2.1 can't be used.
Workaround:
Need to edit the HTML5 receiver files as suggested by Citrix.
http://discussions.citrix.com/topic/361040-storefront-21-html5-broken-on-chrome-v40/
1) Edit SessionWindow.html file at "C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\src\SessionWindow.html"
2) Find <meta http-equiv="content-security-policy" content="default-src 'none';
3) Add child-src directive <meta http-equiv="content-security-policy" content="default-src 'none'; child-src 'self';
516167-4 : TMSH listing with wildcards prevents the child object from being displayed
Solution Article: K21382264
Component: TMOS
Symptoms:
The tmsh list command is attempted with an identifier that specifies use of wildcard match character (*) , the results returned may not print the nested objects contained within the parent object.
For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.
Conditions:
tmsh list with a wildcard character specified for parent object.
Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier
Workaround:
None.
515764-3 : PVA stats only being reported on virtual-server and system-level basis.
Component: TMOS
Symptoms:
The VLAN/interfaces stats do not include PVA stats. PVA stats are reported on a per-virtual-server including virtual server plus pool and pool members.
Conditions:
Viewing PVA stats.
Impact:
Interfaces stats only count TMM software traffic stats, and do not include PVA traffic stats. Although this is by design, it makes it difficult to monitor per-VLAN throughput on their devices.
Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.
515562-2 : Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
Solution Article: K16813
Component: Advanced Firewall Manager
Symptoms:
When AFM is not not licensed or provisioned, the user might still be able to enable Sweep and Flood.
Conditions:
Enable Sweep and Flood vector when AFM is not not licensed or provisioned.
Impact:
TMM might crash.
Workaround:
Avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned
515190-1 : Event Logs -> Brute Force Attacks can't show details after navigating to another page
Component: Application Security Manager
Symptoms:
After using the pagination mechanism on the Brute Force Attacks screen, the user is unable to open the attack details.
Conditions:
Navigate to another page on Event Logs -> Brute Force Attacks
Impact:
The user is unable to see the brute force attack details.
Workaround:
N/A
514745-1 : Some BIG-IP objects have no tmsh description field so description text configured in GUI is lost on upgrade
Component: Access Policy Manager
Symptoms:
Some BIG-IP Access Policy objects have no description field in tmsh, but they do have Description field in the GUI. When defining the Description field in the GUI, the content is lost upon upgrade.
Conditions:
-- Using tmsh.
-- Various Access Policy objects. Here are some examples of the GUI counterparts:
+ Secure connectivity profile (Access Policy :: Secure Connectivity).
+ Active Directory trusted domains (Access Policy :: AAA Servers :: Active Directory Trusted Domains).
+ Microsoft Exchange (Access Policy :: Application Access :: Microsoft Exchange).
+ AAA Servers :: Endpoint Management Systems
+ SSO Configurations :: HTTP Basic
+ SSO Configurations :: NTLMV1
+ SSO Configurations :: NTLMV2
+ SSO Configurations :: Kerberos
+ SSO Configurations :: Forms
+ SAML :: BIG-IP IdP Automation
Impact:
Cannot use tmsh to specify the description. If there is a description specified using the GUI, that definition is lost upon upgrade.
Workaround:
None.
514431-2 : [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names
Component: Global Traffic Manager (DNS)
Symptoms:
GTM objects display ^K characters, cannot be assigned to other objects
When editing bigip_gtm.conf using the CLI, it is possible to use some characters in server, virtual server, and pool names. These characters can be saved to the config as a space or as a special character. Characters include ^K ^B, ^N, ^L.
Conditions:
Editing bigip_gtm.conf using CLI.
Impact:
1. Config is not displayed properly.
2. Odd problems happen when object has such names, for example, it fails to add virtual server to a server with such names, in 11.5.1 and 11.4.1 virtual servers cannot be assigned to pools, pools to wideips etc.
Workaround:
Do not use such characters (CTRL+) for objects.
513887-6 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system
Component: Application Security Manager
Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'
Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.
Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'
no other impact
Workaround:
none
513787-2 : CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10
Component: Application Security Manager
Symptoms:
Since Javascript is executed on client side. When it comes to page render, javascript errors might break your page.
Conditions:
Using Internet Explorer 8-10 with CSRF ASM enabled.
Impact:
Since Javascript is executed on client side. When it comes to page render, javascript errors might break your page.
Workaround:
N/A
513310-4 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
512885-1 : https monitor fails to work with MD5 with RSA as signature hash algorithm
Component: Local Traffic Manager
Symptoms:
https monitor fails to work with server that has MD5 with RSA as signature hash algorithm
Conditions:
https monitor, server using MD5 with RSA.
Impact:
https monitor fails
Workaround:
configure the back end server to use another cipher
512853-3 : Kerberos SSO fails if KDC is not specified
Component: TMOS
Symptoms:
When you configure single sign-on (SSO) using Kerberos, and you do not fill in the KDC field on the configuration page (Access Policy > SSO Configurations > Kerberos) , you may encounter an error. The error may be similar to: <Date> slot2/BIGIP1 err websso.0[29236]: 014d0005:3: Kerberos: can't get TGT for host/svcf5kerberos.corpdev.apdev.local@CORPDEV.APDEV.LOCAL - Cannot contact any KDC for realm 'CORPDEV.APDEV.LOCAL' (-1765328228)
Conditions:
This occurs if you do not specify a value for KDC when configuring SSO with Kerberos.
Impact:
SSO fails
Workaround:
Has a workaround, administrator should edit /etc/krb5.conf file manually and set option
dns_lookup_kdc=true
Note that this workaround is:
not synced across cluster
not backed up
not audited
not upgrade safe
not re-provision safe
may revert during other maintenance operations
512130-5 : Remote role group authentication fails with a space in LDAP attribute group name
Component: TMOS
Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.
Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.
Impact:
LDAP authentication fails.
Workaround:
Remove space characters from LDAP attribute group name.
Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:
memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM
becomes:
memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM
512000-2 : Event Log Filter using Policy Group isn't accurate
Component: Application Security Manager
Symptoms:
Request Log - filter by policy group does not work.
Conditions:
At least one policy group created and used.
Impact:
Request Log - filter by policy group does not work.
Workaround:
N/A
511868-2 : Management port loses connectivity during AOM reset
Component: TMOS
Symptoms:
After resetting AOM, you are unable to connect to the BIG-IP management port.
Conditions:
This occurs immediately after resetting AOM and during the AOM reboot.
Impact:
Unable to connect to the management port
511865-2 : [GTM] GTM external monitor is not correctly synced in GTM sync group without device group
Solution Article: K16670
Component: Global Traffic Manager (DNS)
Symptoms:
GTM external monitor is not correctly synced in GTM sync group without device group.
Conditions:
This occurs when the following conditions are met: 1. GTM systems exist in the same GTM sync group but not in the same device group. The GTM external monitor refers to non-default system file.
Impact:
The GTM external monitor is not synced correctly and configuration fails on the peer GTM system. The system posts an error similar to the following: err iqsyncer[20361]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237778 result_message '01070712:3: Values (/Common/bad_external_monitor.sh) specified for external monitor parameter (/Common/external_test 2 RUN_I=): foreign key index (to_file) do not point at an item that exists in the database.' }
Workaround:
Configure both GTM systems in the same GTM sync group and the same device group.
511782-9 : The HTTP_DISABLED event does not trigger in some cases
Solution Article: K16424
Component: Local Traffic Manager
Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.
Conditions:
If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic.
Impact:
The HTTP_DISABLED event does not trigger.
Workaround:
This issue has the following workaround: -- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command. -- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED. -- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens invoke the logging code that is also within HTTP_DISABLED.
511385 : <SecurID Soft Token Messages> are not translated
Component: Access Policy Manager
Symptoms:
<SecurID Soft Token Messages> are not translated
Conditions:
Always in case of SecurID soft token error.
Impact:
Minimal. They are valid customization entries in English and could be translated by admin.
Workaround:
Customization has entries for this, so they are translatable
511324-4 : HTTP::disable does not work after the first request/response.
Solution Article: K23159242
Component: Local Traffic Manager
Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.
Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.
Impact:
The connection is reset.
Workaround:
None.
511006-2 : Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable.
Solution Article: K79414444
Component: TMOS
Symptoms:
OSPFv2 does not advertise Virtual Addresses upon monitor state changes.
Conditions:
Dynamic routing must be configured. Virtual address is not associated with a virtual server.
Impact:
Route availability inappropriately advertised. The virtual address shows is advertised in ZebOS as available when it is not.
Workaround:
None.
510951-2 : Status of connection limited pool is reported incorrectly
Solution Article: K70436635
Component: Local Traffic Manager
Symptoms:
Status of connection limited pool or member is shown as available, even if the nodes have a connection limit and the limit has been met or exceeded.
Conditions:
Node connection limit is reached on all nodes.
Impact:
Misleading status indicator - virtual server and pool reports UP and nodes report DOWN.
Workaround:
None.
510728-4 : Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.
Component: Advanced Firewall Manager
Symptoms:
Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.
Conditions:
User with role of Firewall Manager and accessing
Security :: Protocol Security : Security Profiles : DNS
Impact:
Firewall Manager has extra abilities not considered in scope for the role. Therefore a validation error will be thrown similar to the following: "01070822:3: Access Denied: user (username) does not have create access to object (dns_security)"
510436-4 : TMM logs carry a generic hostname at startup
Solution Article: K94250670
Component: TMOS
Symptoms:
During startup, TMM processes the log with the tmm process name for a hostname until the system initializes enough to get the BIG-IP system's configured host name.
Conditions:
This occurs during startup when the system writes messages to the log.
Impact:
It might not be possible to determine the source of a given TMM startup log for consolidated off-box logs from many BIG-IP systems.
510395-2 : Disabling some events while in the event, then running some commands can cause tmm to core.
Solution Article: K17485
Component: Local Traffic Manager
Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.
Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
if { $a == $b } {
event disable HTTP_REQUEST
}
after 100
log local0. "foo"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable events as the last command before exiting the event. For example:
when HTTP_REQUEST {
if { $a == $b } {
event disable HTTP_REQUEST
return
}
}
509677-2 : Edge-client crashes after switching to network with Captive Portal auth
Component: Access Policy Manager
Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.
Conditions:
- Captive Portal uses https logon page
- Network switching done by unplugging network cable from NIC or disconnecting from wireless network (not disabling network
interface).
Impact:
Edge-client crashes
Workaround:
N/A
508341-3 : Scheduled-reports are not syncing the 'first-time' value on a sync group
Component: Application Visibility and Reporting
Symptoms:
Creating a scheduled-report on a sync or sync-failover group configuration.
Conditions:
Having a DSC configuration and trying to create a scheduled report.
Impact:
This issue may cause other devices in sync group to send reports before the first-time they assigned to.
507977-1 : System sends extra messages in audit log when changing a user's role to or from Administrator/admin.
Component: Device Management
Symptoms:
BIG-IP sends extra messages in the audit log whenever you make a change to a user's role (when changing a user's role to or from Administrator/admin). When that happens, there are extra 'create_if' messages sent for all the users that have the Administrator role in the system, for example:
01070417:5: AUDIT - user admin - transaction #3153035-5 - object 0 - modify { userdb_entry { userdb_entry_name "admint2" userdb_entry_shell "/sbin/nologin" } } [Status=Command OK].
Conditions:
-- LTM and ASM provisioned.
-- RADIUS authentication.
Impact:
There may be extra messages in the audit log whenever a change is made to a BIG-IP system user's role
Workaround:
You can correct this issue by forcing an overwrite sync operation.
For instructions, see K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation (https://support.f5.com/csp/article/K13887).
507899-2 : Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
Component: Access Policy Manager
Symptoms:
In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value.
Conditions:
This affects only 11.5.x and 11.6.x releases. If user creates a custom report with 'Assigned IP' as a field and runs the report, the content of Assigned IP is the IP type rather than the correct IP.
Impact:
The report content is not correct.
Workaround:
Use one of the built-in reports, All Sessions or Current Sessions, to get the correct content for the Assigned IP field.
507493-1 : Cannot reset counter for rules of Management Port and Global
Component: Advanced Firewall Manager
Symptoms:
Cannot reset counter for rules of Management Port and Global
Conditions:
Firewall rules for Global context and for Management port
Impact:
Users unable to reset counters for these rules.
507240-1 : ICMP traffic cannot be disaggregated based on IP addresses
Solution Article: K13811263
Component: Advanced Firewall Manager
Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.
Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.
Impact:
Traffic imbalance.
Workaround:
None.
506548-1 : Mgmt port does not link with correct speed or duplex when using fixed media on AOM-based platforms
Component: TMOS
Symptoms:
Statically configured port speeds and duplex disables port autonegotiation
Conditions:
Connect the mgmt interface to a remote switch port that is set to auto negotiate and set the mgmt interface media to something other than 'auto'.
Alternatively, the condition may be encountered when the mgmt interface is set to autonegotiate speed and duplex but the remote switch port may be set to static values.
In both cases, a high amount of collisions and dropped packets can be oversed on the mgmt interface.
Impact:
Link may not establish. As a result, the mgmt interface might not be connected. The link may establish but can be in a mismatched state where neither side agrees on speed and/or duplex.
Connectivity can occur over the console port to restore interface settings.
Workaround:
Make sure the mgmt interface media setting is 'auto' when connecting to autonegotiating switch ports. Make sure the mgmt interface's static configuration aligns with the connected switch ports when using static switch port configurations.
506423-1 : [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful
Solution Article: K17361
Component: Global Traffic Manager (DNS)
Symptoms:
Silent failure on unsuccessful creation of resource record.
Conditions:
Create a resource record which will not be successful and for which NAMED does not return an error.
For example: Adding DS record via Zone Runner when subdomain delegation is not configured.
Impact:
Record does not get added with no errors returned by SoneRunner
Workaround:
None.
505323-3 : NSM hangs in a loop, utilizing 100% CPU
Solution Article: K17349
Component: TMOS
Symptoms:
NSM daemon hangs in an endless loop searching recursive nexthop in a trie. This causes NSM to be unresponsive.
Conditions:
Configure BGP with recursive nexthop.
Impact:
Dynamic routing fails to be responsive to imish commands, and NSM might not update routes.
Workaround:
None.
505123-6 : sysObjectID returns 'unknown' platform on the VIPRION 4400
Solution Article: K59284293
Component: TMOS
Symptoms:
Querying for sysObjectID on VIPRION 4400 returns 'unknown' (.1.3.6.1.4.1.3375.2.1.3.4.1000):
# snmpwalk -v 2c -c community big-ip sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::unknown (# snmpwalk -v 2c -On -c community big-ip sysObjectID
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.3375.2.1.3.4.1000.)
Conditions:
This occurs when running 'show sys hardware' on the VIPRION 4400.
Impact:
The snmpd call incorrectly identifies the BIG-IP system as unknown.
505003 : SSLv3 is disabled by default on the management interface of BIG-IP on AWS Marketplace
Component: TMOS
Symptoms:
SSLv3 has known security issues. To make BIG-IP more secure on AWS, it is disabled by default on the management and data interfaces. This can cause legacy client connections which require SSLv3 to fail.
Conditions:
SSLv3 disabled on management interface of BIG-IP on AWS Marketplace.
Impact:
Legacy client connections that require SSLv3 might fail.
Workaround:
F5 does not recommend changing the default SSL profiles, but they can be configured per K13171: Configuring the cipher strength for SSL profiles (11.x), https://support.f5.com/csp/article/K13171, and K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x), https://support.f5.com/csp/article/K17370.
504021-3 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
Component: Carrier-Grade NAT
Symptoms:
lsn-pool with route-advertisement enabled does not have routes properly propagated to the routing-table.
Conditions:
when route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and lsn-pool member added.
Impact:
route entries for lsn-pool members with route-advertisement enabled.
Workaround:
Either 1) restart tmrouted after enable routing-protocol for the desired route-domain. 2) toggle routing-advertisement on lsn-pool after enable routing-protocol for the desired route-domain.
503960-5 : The requested unknown (1936) was not found.
Component: TMOS
Symptoms:
mcpd restarts leaving the message "The requested unknown (1936) was not found"
Conditions:
The conditions for this bug are somewhat unknown. Older versions of Big-IP have a simple lookup for display names. This display name table only has a select few configuration items in it, where everything else returns "unknown". So any configuration error that is generated from using a type that is not defined in the table could potentially lead to this error.
Impact:
MCPD restarts, causing system-wide restarting of daemons.
503951-1 : AFM policies not synced
Component: Advanced Firewall Manager
Symptoms:
During configuration sync you notice that AFM policies are not enforced on one of the devices, and you see errors in /var/log/ltm:
crit tmm1[25043]: 015e0001:2: pktclass: pktclass_blobs not initialized.
Conditions:
It is not known exactly what triggers this, but it is encountered during system initialization.
Impact:
Policies do not sync and the sync does not recover.
503795-3 : [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug
Solution Article: K37104180
Component: Local Traffic Manager
Symptoms:
The BIG-IP system logs debug log information when 'dnscacheresolver.loglevel' is set to higher than debug.
For example, 'dnscacheresolver.loglevel' is set to notice.
Conditions:
'dnscacheresolver.loglevel' log level is set to higher than 'debug'.
Impact:
Although it might be difficult to determine the severity of the logging information, there is no known negative impact on the system.
Workaround:
This issue has no workaround at this time.
502129-1 : Hash Cookie Persistence interaction with persistence iRules
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with fallback persistence, which looks up information from a session table (e.g., source address persistence) and the cookie is associated with an iRule that performs cookie insert, periodically TMM uses the default cookie name instead of the cookie name set in the iRule.
Conditions:
- Fallback persistence configured.
- Using 'persist cookie insert' with custom cookie name in iRule.
Impact:
The cookie inserted by TMM will switch between the configured cookie name and the default cookie name (e.g., BIGip<cookie_name><pool_name>Server). Persistence may fail to work correctly when the persist iRule command overrides from cookie to hash-cookie persistence.
Workaround:
There is no workaround at this time.
502016-3 : MAC client components do not log version numbers in log file.
Component: Access Policy Manager
Symptoms:
Some client components do not log version numbers in the log file.
Conditions:
Mac client components.
Impact:
Lack of version numbers in the log file.
Workaround:
None.
501984-1 : TMM may experience an outage when an iRule fails in LB_SELECTED.
Component: Local Traffic Manager
Symptoms:
When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue..
Conditions:
Using iRules with a rule for when LB_SELECTED is operating on a node/pool member.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
501947-1 : Cannot delete keys/certificates whose names start with 0 (zero).
Solution Article: K01521766
Component: TMOS
Symptoms:
Cannot delete keys/certificates whose names start with 0 (zero).
Conditions:
Trying to delete a key/certificate who names start with 0.
Impact:
Trying to delete a key/certificate whose name starts with 0, the GUI shows the confirm delete page, but there is no key or certificate listed, and after clicking delete again, the system displays the key/certificate list page, with the key/certificate still there.
Workaround:
Use tmsh or iControl to delete keys/certificates whose names start with 0 (zero).
501636-2 : Core file appears on vCMP after restarting the primary blade twice
Component: Advanced Firewall Manager
Symptoms:
pccd cores on vCMP after restarting the primary blade twice.
Conditions:
This occurs in the following scenario:
1) bigstart restart on primary blade.
2) waiting until this blade load (and become secondary).
3) bigstart restart on new primary blade.
Impact:
Brief disruption of firewall rule updates.
Workaround:
Pccd should recover and functional normally after coring.
No extra action is needed.
501418-3 : OSPF: Multiple ECMP default routes not distributed to TMM
Solution Article: K17534
Component: TMOS
Symptoms:
TMM route table does not use both ECMP routes for the default route.
Conditions:
When using ECMP and OSPF.
Impact:
Does not use both equal-cost routes to route traffic.
Workaround:
None.
500402-1 : 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.
Solution Article: K33178590
Component: Local Traffic Manager
Symptoms:
'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh. The system posts the following mcpd error message in ltm log when an iRule is loaded from tmsh: err mcpd[5834]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (6589).
Conditions:
When merging config files, the error message may show up in system log.
Impact:
There is no functional impact observed.
Workaround:
Manually edit and merge config files.
499719-3 : Order Zones statistics would cause database error
Component: Global Traffic Manager (DNS)
Symptoms:
'General database error retrieving information' error in GUI.
Conditions:
This occurs when using the GUI to view Statistics for DNS zones.
Impact:
Not able to view Statistics from GUI for DNS zones.
Workaround:
Use tmsh to view Statistics for DNS zones.
499694-3 : LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor★
Component: TMOS
Symptoms:
When upgrading from v10.2.x to v11.x, the node monitor name does not acquire full path or partition information. Similarly, creating a node with a monitor via TMSH, the node monitor name does not show partition information; however, configuring a node via GUI does add partition information.
If a node with a specific none monitor is later forced down and then re-enabled, the node will remain in a marked down by monitor state.
Conditions:
Upgrade from v10.2.x to v11.x.
Impact:
For nodes that have a specific monitor of "none", if the node is forced down and then re-enabled via tmsh or the node list in the GUI, the node will be marked down by the monitor. If the node is re-enabled from the node properties page in the GUI, this issue does not occur.
For other monitor types or pool and pool member monitors, the issue is cosmetic.
Workaround:
Load sys config base, then load sys config. Then in both the GUI and TMSH add partition info to the node monitor.
499615-14 : RAM cache serves zero length documents.
Component: Local Traffic Manager
Symptoms:
RAM cache serves zero length documents.
Conditions:
Forcing caching in an iRule.
Impact:
RAM Cache will cache a HEAD response, if an iRule is configured to force it to do so. This causes RAM cache to serve zero length documents.
Workaround:
If the HTTP operation is a HEAD request, do not cache the response.
499431-3 : Validation does not check that all keys/certificates are removed from the clientSSL profile★
Solution Article: K90250656
Component: Local Traffic Manager
Symptoms:
Using iControl, a system admin is able to remove all the keys/certificates associated with a clientSSL profile. If this remains in the configuration and the system is upgraded to a version that validates that there are no empty keys or chains, the config will fail to load and will post this error signature in /var/log/ltm:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- 01070315:3: profile <Client SSL profile> requires a key Unexpected Error: Loading configuration process failed.
Conditions:
Using iControl to remove keys and certificates from a clientSSL profile.
Note: This issue may not be seen initially if the clientSSL profile is not in use. Upgrading to a version that performs validation against empty keys and chains, such as an upgrade from 11.5.1 to 11.6.0, will reveal the issue.
Impact:
The configuration fails to load.
Workaround:
SSL profiles with no keys or certificates are invalid profiles. Make sure you fully delete all profiles if this is your intention. Also be careful not to leave the profile and delete only the key and certificate using iControl.
499404-2 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
Solution Article: K15457342
Component: Local Traffic Manager
Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.
Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.
Impact:
The wrong MSS value is advertised during 3WHS.
Workaround:
None.
499348-3 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge.
498490-2 : Incorrect overlapping status shown when a rule in a rule list has the same name as a rule not in that list
Component: Advanced Firewall Manager
Symptoms:
An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list.
Conditions:
Identical rule names in both in the Rule List and outside the rule list.
Impact:
Potentially misleading presentation.
Workaround:
use different rule names
498433-2 : Upgrading with ASM iRule and virtual server with no websecurity profile★
Component: Application Security Manager
Symptoms:
If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message:
-----------------
ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name).
-----------------
Conditions:
On version 11.4:
1) Have an iRule that uses ASM::*, e.g.
when HTTP_REQUEST {
ASM::disable
}
2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy
3) Assign the iRule to the VS
4) Remove the CPM policy from the VS
Now upgrade to any newer version
OR
Save the ucs and try to manually install it on any newer version
Impact:
Fails to upgrade.
Fails to install ucs.
Workaround:
Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.
498150-1 : "General database error retrieving information" appears on Self Ip Security page after removing a rule and refreshing the page
Component: Advanced Firewall Manager
Symptoms:
The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page.
Conditions:
Error occurs after deleting a rule from the Self IP Security page
Impact:
The user must refresh the page to continue configuring that feature.
Workaround:
You can navigate again to Network :: Self IPs : self_ip_name : Security when this issues occurs. The issue does not stop the user from deleting the rule itself.
497424-1 : Policy name field appears on Rule creation page even if Policy is selected
Solution Article: K91533854
Component: Advanced Firewall Manager
Symptoms:
The Policy name field appears on the Rule creation page even if the Policy is selected, requiring the user to reselect the policy.
Conditions:
This occurs when creating a rule for a policy and applying it to a context.
Impact:
This is a cosmetic issue and has no functional impact.
Workaround:
Reselect the desired policy.
497004-2 : Policy field is not marked as containing errors when creating a Rule without a Policy
Component: Advanced Firewall Manager
Symptoms:
Policy field is not marked as containing errors when creating a Rule without a Policy. The system posts the following error message without explicitly calling out the policy field omission: 01070712:3: Invalid primary key on fw_policy_rule object - path is empty.
Conditions:
Create a rule without a policy.
Impact:
Posted error message does not indicate the error. Unclear feedback from UI validation.
Workaround:
Always fill out policy field when creating rules.
496663 : iRule object in non-Common partition referenced from another partition breaks upgrade/config load★
Component: TMOS
Symptoms:
iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x/12.x.
Conditions:
This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software.
Impact:
The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'.
Workaround:
None.
496346-2 : TMM crash when moving to standby
Solution Article: K02274323
Component: TMOS
Symptoms:
During the active to standby to transition while passing traffic, tmm crashes.
Conditions:
This might occur when the following conditions are met:
-- The transition from active to standby occurs.
-- There exists an active SCTP association which has already been torn down on the clientside.
-- The serverside is still attempting to establish an association to a nonresponsive pool member at the moment that the transition occurs.
Impact:
tmm crashes on the standby, then restarts. If other traffic groups are active on the newly-standby unit, they will be disrupted.
Workaround:
None.
496155-1 : tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis
Component: TMOS
Symptoms:
tmsh show ltm persistence persist-records or tmsh show ltm persistence persist-records client-addr <client ip>
sometimes shows an incorrect number of entries on VIPRION chassis.
Conditions:
When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary.
Impact:
Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries.
Workaround:
Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers.
496038-1 : system_check shows stale chassis fan tray data after the chassis is removed
Component: TMOS
Symptoms:
After a chassis fan tray is removed, the system_check utility still shows the stale data from time before the removal.
Conditions:
Remove chassis fan tray
Impact:
There is a warning in the ltm log when the chassis fan tray is removed. So, the impact of the system_check inconsistency is small.
Workaround:
None.
496018-3 : Deleting a rewrite profile fails to delete the dependent objects.
Component: TMOS
Symptoms:
Deleting a rewrite profile fails to delete the dependent objects.
Conditions:
Deleting a rewrite profile.
Impact:
ConfigSync fails with a message similar to the following: err mcpd[6817]: 01070712:3: Caught configuration exception (0), Values (/Common/rewrite_profile) specified for rewrite rules URI (/Common/rewrite_profile rewrite_uri_rule): foreign key index (rewrite_rules_uri_fk) do not point at an item that exists in the database.
Workaround:
On an affected system (for example, the system sourcing a ConfigSync), save and then re-load the configuration. This causes mcpd to remove the vestigial object.
To do so, run the following commands, in sequence:
-- tmsh save sys config partitions all.
-- tmsh load sys config partitions all.
Ensuring that is enabled on device groups also mitigates this issue.
495227-4 : tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038).
Component: TMOS
Symptoms:
When displaying iQuery stats in tmsh, the expiration date of the certificate appears to be in the past.
Conditions:
Certificate expiration date is beyond Jan 18, 2038 (Max epoch represented by signed 32 bit int).
Impact:
The certificate remains valid. This is a cosmetic issue only.
Workaround:
None.
495128-10 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't
Component: Access Policy Manager
Symptoms:
If a client machine uses proxy and Network Access does not specify any proxy, then Safari should not use proxy for some Network Access resource after the Network Access tunnel is created. However, Safari does so.
This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124
Conditions:
The problem occurs when all of these conditions exist:
1. OS = Mac OS X Yosemite.
2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy.
3. Action = Accessing Network Access resource after tunnel is created.
Impact:
As a result, some Network Access resource might be unavailable.
Workaround:
There is no workaround at this time.
494435 : Failed to sync connectivity or rewrite profile created from non-default profile
Component: Access Policy Manager
Symptoms:
Policy sync fails with error status "Created failed on target" on target devices.
Conditions:
1. Create a connectivity or rewrite profile from the default one.
2. Create another child profile using the one created above as parent.
3. Create a virtual server, with the child connectivity and/or rewrite profile, and an access policy.
4. Initiate a policy sync for the access profile.
Impact:
Policy sync function fails.
Workaround:
To work around the problem, create connectivity or rewrite profile, only use the default profile as parent; or, have the non-default parent profile sync first to target devices.
494084-3 : Certain rapidly-terminating UDP virtuals may core on standby
Component: Local Traffic Manager
Symptoms:
Based on an internal race condition, it is possible for certain flows to cause cores on standby BIG-IPs when using connection mirroring on layer 7 VIPs. This does not apply to use of mirroring on Performance or Performance (HTTP) virtuals.
Conditions:
Standard UDP virtual using connection mirroring.
Impact:
Restart of the standby tmm. No connections are affected, though if packets are set to require acknowledgements from the standby there may be a brief delay in processing for some or all connections.
493250-3 : BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled
Solution Article: K36428111
Component: TMOS
Symptoms:
The ZebOS command to 'disable' BGP graceful-restart works temporarily, but is reset to 'enable' after system restart.
Conditions:
Setting BGP graceful-restart to enable and restarting the system.
Impact:
Cannot disable graceful-restart past a restart operation.
492352-4 : SSL profiles using password protected SSL keys cause config utility error
Component: Local Traffic Manager
Symptoms:
A config utility error occurs when attempting to modify client SSL profile.
Conditions:
A client SSL profile with a password protected SSL key.
Impact:
Modification of SSL profile fails.
Workaround:
use tmsh to modify profile.
491789-1 : Better retransmit recovery in a lossy network.
Component: Local Traffic Manager
Symptoms:
When a network is inherently lossy, the system might unnecessarily lose a TCP connection if a tail drop of all in-flight data happens. This problem can also happen with a configured a rate-shaper/BWC policy with a very low bandwidth limit.
Conditions:
During a TCP data transfer if all the data sent out is being dropped in the network, delayed ACKs will not be available for a fast re-transmit/recovery. The problem is exaggerated if the system is already in a re-transmit back-off.
Impact:
Connection slow down, even TCP-connection reset in the worst cases. Depending on how lossy or throttled a network is, the impact varies from slowing down or losing a connection once in a while to losing most connections.
Workaround:
There is no workaround at this time.
491165-3 : Legal IP addresses sometimes logged in Attack Started/Stopped message.
Component: Advanced Firewall Manager
Symptoms:
Sometimes legal IP addresses are logged as attack started/stopped messages.
Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.
Impact:
Logging.
Workaround:
N/A
490139-3 : Loading iRules from file deletes last few comment lines
Component: Local Traffic Manager
Symptoms:
Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket.
Conditions:
This occurs when loading an iRule file from versions prior to 11.5.1.
Impact:
Although the comments are removed, this does not affect iRule functionality.
Workaround:
Put comments in places other than immediately above the closing bracket.
490121-2 : Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event
Component: Local Traffic Manager
Symptoms:
PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats.
Conditions:
A fastL4 virtual with a SERVER_CONNECTED iRule event.
Impact:
The current and maximum PVA stats are incorrectly reported.
Workaround:
This issue has no workaround at this time.
489572-1 : Sync fails if file objects are created and deleted in same transaction.
Component: Local Traffic Manager
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
489499-1 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
Component: TMOS
Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase, "failed to register for LOP at <address>"
Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.
Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.
Workaround:
Re-start lopd:
# bigstart restart lopd
489217-2 : "cipher" memory can leak
Component: Local Traffic Manager
Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in the "memory_usage_stat" may show large amounts of "cipher"memory allocated.
Conditions:
BIG-IP performing SSL handshakes.
Impact:
Memory usage increases until no more memory is available.
488610-1 : Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page
Solution Article: K46331880
Component: TMOS
Symptoms:
Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page.
Conditions:
This occurs when there are more than 150 applications using the same template.
Impact:
Cannot edit the iApp template.
Workaround:
Recommendation is to copy the iApp template to a different name and assign half of the application services to that new template.
488262-5 : moving VLAN from route-domain being deleted in the same transaction can cause errors
Component: TMOS
Symptoms:
Error can occur when removing VLAN(s) from route-domain, and deleting the said route-domain in the same transaction can cause errors.
Conditions:
In a transaction, removing the VLAN membership from route-domain, and deleting the same route-domain.
Impact:
Transactional deletion of route-domain and route-domain VLAN membership changes in the same transaction.
Workaround:
Perform route-domain VLAN changes, and route-domain deletion in different transaction.
486735-3 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
485352-2 : TMM dumps core file when loading configuration or starting up
Component: TMOS
Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.
Conditions:
This error happens when there is no APM license installed.
Impact:
Traffic disrupted while tmm restarts.
485164-3 : MCPD cores when the Check Service Date in the license is not current.
Component: TMOS
Symptoms:
MCPD cores when the license has not been reactivated, causing the Check Service Date to be before the release date, and there are modified default profiles in the config.
Conditions:
A license with a check Service Date before the release of the current version and a config with modified default profiles.
Impact:
The BIG-IP system does not function.
Workaround:
Reactivate the license prior to upgrade.
484013-3 : tmm might crash under load when logging profile is used with packet classification
Solution Article: K12435402
Component: Advanced Firewall Manager
Symptoms:
When tmm is under heavy load it may run out of memory and crash under certain conditions.
Conditions:
This occurs when the following conditions are met:
1. Packet classification is enabled
2. Security logging profile is used with 'log translation fields' option enabled.
3. Fast flow forwarding is enabled on forwarding virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
To work around this, do one of the following:
-- Disable 'log translation fields' in the security logging profile.
-- Disable fast flow forwarding.
483653-3 : In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window
Component: Local Traffic Manager
Symptoms:
In some traffic situations, TMM can excessively buffer client data instead of closing the TCP window. This buffering occurs based on internal race conditions that are not directly controllable. This occurs only when the BIG-IP is providing SSL termination or origination.
In extreme circumstances with a slow connection, this could ultimately lead to out of memory situations.
Conditions:
The virtual must be providing SSL termination and/or origination.
Impact:
Increased memory usage, possibly leading to tmm crashing.
483242-3 : GUI LTM Profile ClientSSL unable to recognize certificates/key with short names.
Component: TMOS
Symptoms:
LTM ClientSSL profile unable to detect certificate/key files with short names.
Conditions:
When you have a certificate/key file with a short name like 'app', the ClientSSL profile is unable to find the file.
Impact:
You may be unable to select the desired certificate/key.
Workaround:
Use tmsh to assign certificate/key to ClientSSL profile.
481869-1 : Certain blade failure events may result in a 10+ second delay in failover occurring
Component: Local Traffic Manager
Symptoms:
For certain blade failures scenarios the HA score on the remaining blades does not update, and thus a failover does not occur, for at least ten seconds. This is because the remaining blades wait for a ten second timeout period before marking the powered-off blade as down.
Conditions:
A blade is powered off via the serial console or the 'bladectl' command, or the blade is physically removed from the chassis, and the chassis is configured in an HA pair where the loss of a blade should result in a failover.
Impact:
The expected failover will not occur for at least ten seconds
Workaround:
There is no workaround for this issue.
480983-5 : tmrouted daemon may core due to daemon_heartbeat
Component: TMOS
Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.
Conditions:
This is a rarely occurring issue that occurs due to timing-related interactions in dynamic routing operations.
Impact:
tmrouted cores and restarts.
Workaround:
None.
480982-3 : pkcs11d with a high thread count can result in high CPU utilization
Solution Article: K37041313
Component: Local Traffic Manager
Symptoms:
When pkcs11d is set to use a very high thread count, CPU utilization can increase dramatically.
Conditions:
The thread count for pkcs11d is set higher than the default.
Impact:
Less CPU available for other processes.
Workaround:
Do not set the db variable for pkcs11d thread count (/sys crypto fips external-hsm num-threads) higher than the default.
480903-3 : AFM DoS ICMP sweep mitigation performance impact
Component: Advanced Firewall Manager
Symptoms:
In AFM DoS, the performance of ICMP Sweep Vector Mitigation brings down the performance of the BIG-IP system.
Conditions:
ICMP Traffic levels at 4 million pps from ~100 Src IP addresses, with the AFM DoS Sweep vector enabled to mitigate ICMP traffic.
Impact:
Slower performance of the BIG-IP system. A lot of CPU is used to mitigate the AFM DoS Sweep vector.
Workaround:
Do not enable the AFM DoS Sweep vector for ICMP Traffic when the attack rate is over 4 Million pps.
480065-2 : TMM restarts during iSession tunnel reuse.
Solution Article: K58245664
Component: Wan Optimization Manager
Symptoms:
An "Isession data not drained" assertion failure causes a TMM process to create a core file and restart.
Conditions:
A virtual server has an iSession profile with Reuse Connection enabled along with deduplication and/or compression enabled.
Impact:
The TMM process creates a core file and restarts.
Workaround:
This issue has no workaround at this time.
479888-1 : BCM debug logging cannot be turned off once enabled
Solution Article: K51292925
Component: TMOS
Symptoms:
Log messages continue to appear after being disabled.
Conditions:
This occurs when the BCM daemon loglevel is increased to debug and a non-zero mask is set.
Impact:
Unexpected log messages. The volume of logs from bcm56xxd debug can be overwhelming, and being unable to stop them risks filling the filesystem where they are logged.
Workaround:
Restart bcm56xxd daemon. Note: Restarting this daemon affects traffic.
479872-2 : Corresponding protocol profiles must exist on both clientside/serverside
Solution Article: K16284
Component: Local Traffic Manager
Symptoms:
Virtual servers configured without protocol profiles on both the clientside and serverside do not pass traffic.
Conditions:
This occurs on virtual servers configured without protocol profiles on both the clientside and serverside.
Impact:
Attempts to connect to the virtual server might result in RSTs ('no local listener'), or the virtual address might not respond to ARP if there are no other functional virtual servers on the same virtual address. Virtual servers affected by this issue do not pass traffic.
Workaround:
If a protocol profile with a context (clientside or serverside) is specified when defining a virtual server, ensure that a protocol profile is specified for the peer context.
479773-2 : SR C1800930 - GUI crashs - and SQL errors
Component: Device Management
Symptoms:
The WebUI is unusable as it can take 30 seconds to a minute to load different pages. Other times the user will get the "service restarting" message. They have tried multiple browsers and changed the maximum connections to the config utility from 20 to 50 and back to 20 when that didn't help.
Conditions:
The customer says that he can get it to occur by having 3 users log into the config utility and then click around randomly until it crashes.
Impact:
GUI inaccessible
Workaround:
Work around is available by removing the following from the httpd.conf:
--------------
# If DCOEP is defined then enable the related configuration.
<IfDefine DCOEP>
...
</IfDefine>
--------------
This can be done by modifying the template /defaults/config/templates/httpd.tmpl.
479262-1 : 'readPowerSupplyRegister error' in LTM log
Component: TMOS
Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.
Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.
Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.
Workaround:
None. You can safely ignore this error message in this case.
479183-1 : Unexpected iSession tunnel state transition causes TMM to restart.
Solution Article: K01749002
Component: Wan Optimization Manager
Symptoms:
A TMM process cores due to a 'valid event' assertion failure in isession_handle_evt().
Conditions:
This issue can occur when a virtual server's iSession profile is modified while idle iSession connections are awaiting reuse. The iSession profile must have connection reuse enabled for this problem to occur.
Impact:
An assertion failure causes tmm to create a core file and restart. Traffic disrupted while tmm restarts.
Workaround:
Disable reuse-connection in iSession profile.
477992-1 : Instance-specific monitor logging fails for pool members created in iApps
Solution Article: K07450534
Component: Local Traffic Manager
Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.
Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.
Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.
Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
477897-1 : After modifying the protocol profile on an SCTP virtual, the logs may contain error messages
Component: Local Traffic Manager
Symptoms:
Error messages are logged in the tmm and ltm logs:
/var/log/tmm:
<13> Sep 4 10:07:29 localhost notice hudfilter_init: 'proxy' is not a bottom-level filter.
/var/log/ltm
Sep 4 10:07:29 localhost err tmm1[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo
Sep 4 10:07:29 localhost err tmm[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo
Conditions:
Modify an SCTP virtual by changing the protocol profiles so that the client-side and server-side profiles are are both the same profile.
Impact:
The only impact is that an ominous error message is logged.
476708-9 : ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up
Solution Article: K34225935
Component: TMOS
Symptoms:
ZebOS using BGP equal-cost multi-path routing (ECMP) might not correctly update the ECMP paths when one of the paths goes down and comes back up.
Conditions:
This occurs when a downstream ECMP link is disabled such that one of the two equal-cost paths becomes unavailable, and is then enable.
Impact:
ECMP does not function as desired because both available paths are not utilized. This can only be recovered by clearing the BGP connection on the affected ECMP path.
Workaround:
None.
476616-1 : Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1
Component: Application Security Manager
Symptoms:
The GUI reports the following error: Could not apply configuration; Set active failed.
Conditions:
-- Policy is configured for an application language like iso-8859-1 or iso-8859-15.
-- Learning suggestions that stem from multi byte UTF-8 parameter values (Illegal Meta Character in Value) are accepted.
Impact:
Set active fails. Policy changes cannot be applied.
Workaround:
Go to Parameters list and for each parameter with override 'Allow' for the metachar 'ÿ' remove the override completely: choose the override, click on '>>' and click on update.
476544-1 : mcpd core during sync
Component: TMOS
Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.
Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.
Impact:
mcpd cores and restarts if it runs out or memory. Only through inspection of the core file can this condition be detected.
Workaround:
None.
476405-2 : BFD IPv6 session display command in IMI shell display the wrong remote port number.
Component: TMOS
Symptoms:
'show bfd session detail' command displays the wrong BFD port number of 13784 or 14784 for IPv6 BFD sessions. This is a cosmetic issue. TMM uses the correct port numbers of 3784 or 4784 for single/multihop sessions respectively.
Conditions:
BFD configured using IPv6 addresses. Display session state via IMI shell command 'show bfd session detail'
Impact:
Wrong port number is displayed. No functional impact as the right port numbers are used.
Workaround:
None.
475896-3 : 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails
Solution Article: K50710744
Component: TMOS
Symptoms:
'tmsh load /sys config from-terminal" or "tmsh load /sys config file' for objects that have references to external files (such as external monitors, ifiles, SSL certs, data groups) will fail.
Conditions:
This occurs when running the command 'tmsh load /sys config from-terminal' or 'tmsh load /sys config from-terminal' on an object that references a file external to the configuration (using source-path or cache-path).
Impact:
The system posts an error similar to: Failed: name (/Common/external_monitor_name) cache path expected to be non empty. This error prevents using cut and paste to configure certain configuration objects.
Workaround:
To work around this issue, you can add the appropriate stanzas to the bigip.conf file manually and do a full load of the configuration, upload the external files individually through the GUI, or use the 'tmsh create sys file' command.
475728-1 : BCM56xxd might restart due to parity errors
Component: TMOS
Symptoms:
The TMOS daemon bcm56xxd may restart due to parity errors.
Conditions:
Under rare conditions, the bcm56xxd process may restart due to parity errors. This issue only affects the following hardware platforms:
BIG-IP 6900 (D104)
BIG-IP 8900 (D106)
BIG-IP 8950 (D107)
BIG-IP 11000 (E101)
BIG-IP 11050 (E102)
BIG-IP 5000 series (C109)
BIG-IP 7000 series (D110)
BIG-IP 10000s/10050s/10200v/10250v (D113)
VIPRION blade B2100 (A109)
VIPRION blade B2150 (A113)
VIPRION blade B2250 (A112)
VIPRION blade B4100 (A100)
VIPRION blade B4200 (A107)
VIPRION blade B4300 (A108)
VIPRION blade B4340N (A110)
Note: The bcm56xxd process is the switch driver daemon for the BIG-IP system.
Impact:
bcm56xxd re-initializes the internal switch, which might briefly affect data traffic. The system might report memory parity errors in different tables within bcm56xxd by posting log messages similar to the following: info bcm56xxd[8127]: 012c0016:6: unit 0 L2_ENTRY_ONLY entry 120673 parity error. -- info bcm56xxd[8127]: 012c0012:6: Exiting on parity errors. -- notice mcpd[7108]: 01070406:5: Removed publication with publisher id BCM56xxPublisher. -- info bcm56xxd: 012c0013:6: BCM56xxd starting. debug=0, foreground=1, packet=1, bcm_debug=0x7, soc_debug=0x0
The following types of messages may be logged if a parity error is detected by the broadcom chip in an area that is not used by user data. These type of errors will not trigger a driver restart, and are not user impacting, however they can generate a large number of log entries. F5 recommend rebooting the device to clear this state
012c0016:6: unit 0 FP_TCAM entry 1127 TCAM parity error
012c0016:6: unit 0 SER parity failure without valid count
soc_xgs3_mem_dma: EGR_SERVICE_COUNTER_TABLE_X.epipe0 failed(NAK)
Workaround:
None.
475556-7 : Custom X-forwarded-for headers should take prioriy over xff headers
Component: Advanced Firewall Manager
Symptoms:
If a HTTP flow has both an X-Forwarded-For (XFF) header and a custom header containing the true client IP, the IP in the XFF header will take priority.
Conditions:
Both X-forwarded-for and custom headers are marked and used. A Request arrives with both X-forwarded-for and a custom header.
Impact:
wrong source IP is listed. May apply wrong irules, wrong ip intelligence etc.
Workaround:
N/A
475439-2 : Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
Solution Article: K16434
Component: Application Visibility and Reporting
Symptoms:
There is a synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash.
Conditions:
AVR is provisioned or report statistic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
475363-5 : Empty or invalid configuration, or during exception in NTLM, handling might not work as expected.
Component: Access Policy Manager
Symptoms:
When the system encounters an empty or invalid configuration, or during exception in NTLM, handling might not work as expected.
Conditions:
Empty DC list configured in the NTLM configuration.
Impact:
NTLM authentication won't work correctly.
Workaround:
Fix the configuration - make sure that DC list is not empty.
474532-7 : TMM may restart when SLO response is received on SLO request URL (.../post/sls)
Solution Article: K16357
Component: Access Policy Manager
Symptoms:
The BIG-IP system expects to receive SLO responses on a particular URL:
(.../post/slr). TMM may restart when SLO response is received on an SLO request URL (.../post/sls).
Conditions:
The BIG-IP system is configured as SAML SP or IdP.
SLO response is received on SLO request URL.
Impact:
TMM reboots and is temporarily unavailable.
Workaround:
There are two workarounds:
1. Reconfigure another SAML party to send SLO messages to a proper URL.
2. Disable SLO
474252-5 : Applying ASM security policy repeatedly fills disk partition on a chassis
Solution Article: K17344
Component: Application Security Manager
Symptoms:
Applying ASM security policy repeatedly on a chassis will cause /var disk partition to fill.
Conditions:
ASM security policy is applied repeatedly on a chassis.
Impact:
/var disk partition is filled.
Workaround:
Delete the contents of /var/ts/var/cluster/send.
474215-2 : Period characters in GTM virtual server naming★
Component: Global Traffic Manager (DNS)
Symptoms:
The period and colon characters in GTM virtual server names are converted to underscores ( _ ) after upgrading to version 11.x.
Conditions:
Upgrading from version 10.x to version 11.x.
Impact:
Production monitoring when your production GTM systems are upgraded.
Workaround:
None.
474149-3 : SOD posts error message: Config digest module error: Traffic group device not found
Solution Article: K83100432
Component: TMOS
Symptoms:
SOD posts error message: Config digest module error: Traffic group device not found.
Conditions:
In a failover device group, if a peer device (non self device) has gone through a management IP address change, SOD fails to clean up the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error.
Impact:
System posts the message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.
This causes the HA failover next-active device selection to fall back to the static (IP-based) selection algorithm, which in Device Service Clusters with more than 2 devices, may cause a device other than the intended device to take over services.
Workaround:
Restart sod or reboot the device to restore correct failover functionality. This will cause a failover of any traffic groups currently Active on the device.
To restart sod, at the command line run bigstart restart sod
473641-2 : Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
Component: TMOS
Symptoms:
For VXLAN tunnels with flooding type "multipoint" and "none", if a tunnel FDB endpoint is missing in the configuration and that endpoint sends traffic to the BIG-IP, memory leak could occur when the BIG-IP receives the traffic.
Conditions:
Missing a tunnel FDB endpoint in the configuration.
Impact:
Memory leak could occur.
Workaround:
Ensure that a tunnel FDB endpoint is configured if that endpoint is expected to send traffic to the BIG-IP.
473488-7 : In AD Query agent, resolving of nested groups may cause apd to spin
Solution Article: K17376
Component: Access Policy Manager
Symptoms:
Access policy daemon (apd) consumes approximately 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop.
Conditions:
This issue occurs when the user belongs to a parent domain, and is a member of a group that belongs to a sub-domain.
For example, user belongs to parent.com,
group belongs to child.parent.com;
the user is a member of the group. The
"fetch nested groups" option is enabled for AD Query.
Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.
Workaround:
There is no workaround at this time.
473485-7 : Fixed a few issues in HTTP Auth module
Component: Performance
Symptoms:
1. possible buffer overflow when session var CookieClientData is >8K
2. inappropriate use of mc_get_session_var in agent that may cause apd crash
3. per-request memory leak of cookies struct
Conditions:
1. session variable CookieClientData is > 8K
2. apd may crash unexpectedly when HTTP Auth agent cannot get session variable
3. When HTTP Auth agent is configured for an Access Policy apd might leak memory per-request
Impact:
apd might crash
apd might leak memory per-request
473415-2 : ASM Standalone license has to include URL and HTML Rewrite★
Solution Article: K93511901
Component: TMOS
Symptoms:
After an upgrade to 11.6.0, the system now reports 'URI Translation (Not Licensed)', yet the license package has not changed. There was no issue when running 11.4.1 with an ASM Standalone license and using the URL Rewrite functionality with URI Translation (under Local Traffic :: Profiles :: Services :: Rewrite).
Conditions:
This occurs when the following conditions are met:
-- Running 11.6.0.
-- ASM Standalone license.
-- URL Rewrite functionality with URI Translation.
Impact:
An ASM Standalone license generated for 11.6.0 does not include ltm_rewrite_uri. Therefore, regardless of what is configured in a rewrite profile, the profile is inoperative when assigned to a virtual server.
Workaround:
None available.
473213-5 : Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms.
Component: TMOS
Symptoms:
Failed system fan emergency alert is exhibited as critical alert at LED and LCD screen.
Conditions:
A failure of a system fan on the 10000s, 10200v, 10250v, and 10350vN platforms causes this issue to appear.
Impact:
This is a relatively minor event. Although the alarm is reported as critical, it should be treated at an emergency level and not critical.
Workaround:
None.
473212-2 : Systems which do not use RAID show confusing RAID status on the LCD
Component: TMOS
Symptoms:
The front panel LCD displays confusing RAID information on some systems which do not use RAID. On the front panel LCD, a RAID Status menu indicates that the single drive installed is Undefined. For systems configured in this way, you can safely ignore this display because the system is not using the RAID interface.
Conditions:
This occurs on some early 6900 and 8900 platforms, and 7000, 10000, and 12000 series platforms that shipped with a single SSD.
Impact:
This issue is cosmetic, and does not indicate a functional issue.
473088-7 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
Solution Article: K17091
Component: TMOS
Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.
Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.
Impact:
This unsupported configuration might have many unknown side effects in TMM.
Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.
472581-1 : Cannot use 'default' as the FIPS security officer password.
Component: TMOS
Symptoms:
Trying to use 'default' as the FIPS security officer password results in an invalid encryption error from the fips-util.
Conditions:
Trying to use 'default' as the FIPS security officer password.
Impact:
You cannot use the word 'default' as the security officer password. Although this is expected behavior, the error message posted does not provide a relevant explanation. The system posts errors similar to the following: -- Invalid encrypted password. -- Failed to set security officer's password: 1073742342. -- Failed to create security domain. -- INITIALIZATION FAILED! -- The FIPS device is NOT operational. In version 11.1.0 and earlier, the error was similar to the following: -- Creating crypto user and crypto officer identities. -- password should not be default. -- Failed to set security officer's password.
Workaround:
Use a password other than the word 'default'.
472310-3 : BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
Component: TMOS
Symptoms:
When booting a BIG-IP device, or performing a hot swap operation of one of its power supplies, the following kind of log messages may be displayed for a brief time:
localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=115 sub_obj=0 slot_id=ff result=24 len=0 crc=6576 payload= (error code:0x24)
localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=16f sub_obj=1 slot_id=ff result=1 len=0 crc=acaf payload= (error code:0x1)
These messages should not persist, and when a real error occurs it should be accompanied by additional warnings and alerts from the system.
Conditions:
The condition occurs when the sensor monitoring process tries to obtain information from power supply model types that are supported but not actually installed. It does this until it discovers the actual model type installed, or that no power supply is installed. The specific conditions under which this is likely to happen are when the BIG-IP software is re-started or a power supply is changed while the system is running.
Impact:
A few additional log messages that indicate a warning when there is no legitimate failure.
Workaround:
None. This is cosmetic.
472308-2 : Management IP address change interaction with HA heartbeat / failover traffic
Solution Article: K10569796
Component: TMOS
Symptoms:
When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group.)
Conditions:
This occurs on HA configurations.
Impact:
This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.
Workaround:
None.
471825-6 : Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
Solution Article: K16637
Component: Access Policy Manager
Symptoms:
Emails sent by Email agent, when received by certain SMTP servers, contain an empty body. Email needs to comply with RFC 5322 and should include the Date: header.
Conditions:
Certain SMTP servers (new Microsoft hosted email service) send an empty email body when the Date: header is missing from the email message
Impact:
Empty email body received.
Workaround:
None.
471288-9 : TMM might crash with session-related commands in iRules.
Solution Article: K00054154
Component: Local Traffic Manager
Symptoms:
TMM might crash with session-related commands in iRules.
Conditions:
This occurs when the following conditions are met:
1) session/table command.
2) client_closed/server_closed iRule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using client_closed and sever_closed iRules at same time, in a virtual server using session/table command in iRule.
471001-3 : Standby responds to traceroute on mirror enabled forwarding virtual server
Solution Article: K60650269
Component: Local Traffic Manager
Symptoms:
Standby responds with ICMP time exceeded message on mirror enabled forwarding virtual server.
Conditions:
This occurs when the following conditions are met: HA configuration, IP forwarding virtual server, mirroring enabled, non-floating self IP address, simultaneous flood of ICMP packet to both active and standby systems.
Impact:
Standby responds with ICMP time-exceeded message.
Workaround:
Disable mirroring in forwarding virtual server, or remove non-floating self IP address on standby system.
470880-2 : Policy Sync cause target vCMP guest secondary slots to reboot when guest(s) is deployed on multiple slots.
Component: Local Traffic Manager
Symptoms:
The guests (target) from the device group restarts after policy sync successfully completed.
Conditions:
This issue occurs only when the target guests are created across the slots by sharing CPU, disk etc in vCMP.
Impact:
The guests are usable during restart.
Workaround:
The guests should be created in a single slot and not across slots.
470559-2 : TMM crash after traffic stress with rapid changes to Traffic capturing profiles
Component: Application Visibility and Reporting
Symptoms:
Rare condition of TMM crash due to traffic stress with rapid changes made to Traffic capturing profiles.
Conditions:
1. Traffic capturing feature is on, under heavy traffic.
2. Modifications are being made to traffic capturing configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off traffic capturing feature, or minimize making changes to the Traffic capturing profile while under heavy load.
469974-4 : APM New Session performance graph displays incorrect timed out/error value
Component: Access Policy Manager
Symptoms:
The timed out/error value shown in the APM New Session performance graph is supposed to show only the count for sessions that were terminated due to inactivity or error while in the access policy evaluation state. However, it also includes sessions that were timed out after they passed access policy evaluation. As a result, the timed out/error value is larger than the actual value.
Conditions:
If sessions are timed out in established state, the stats will show up in the New Session graph.
Impact:
N/A
Workaround:
None
469549-1 : User Modification Denied error on initial bootup★
Component: TMOS
Symptoms:
Upon reviewing the log file in /var/log/ltm, you might see the following error:
err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin)
Conditions:
This happens only during the first reboot after a software install. If the error is seen again, the audit log should be checked.
This may also happen when creating or deleting a user with the Administrator role.
Impact:
There is no known impact at this time.
Workaround:
None.
469366-1 : ConfigSync might fail with modified system-supplied profiles
Solution Article: K16237
Component: TMOS
Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.
Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.
Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'
Workaround:
One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.
469071-2 : TMM segfault in mpctp_switch_conns
Component: Local Traffic Manager
Symptoms:
TMM segfault in mpctp_switch_conns
Conditions:
This can occur is mptcp is configured and there is an invalid tcp session.
Impact:
tmm restarts
Workaround:
Do not configure mptcp in the tcp profile.
468559-1 : Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.★
Solution Article: K94314095
Component: TMOS
Symptoms:
Protocol Security Module (PSM) provisioning was removed in 11.5.0. Upgrading a config fails to load after upgrade to 11.5.1 when an iApp requires PSM module.
Conditions:
Upgrade to 11.5.1 when an iApp requires PSM module.
Impact:
The upgrade fails as the configuration fails to load.
Workaround:
Remove PSM from the list of enabled modules from affected iApp templates before upgrading.
468478-6 : APM Portal Access becomes unresponsive.
Solution Article: K16659
Component: Access Policy Manager
Symptoms:
APM Portal Access becomes unresponsive.
Conditions:
Using APM Portal Access with application cookies that require more than 32 KB of storage.
Impact:
APM Portal Access becomes unresponsive and rewrite plugins consume 100% of the CPU.
Workaround:
None.
468204-1 : TMM can crash with SIGFPE assertion 'valid ctx crule_cnt' when a firewall iRule and OneConnect are used together.
Component: Local Traffic Manager
Symptoms:
TMM crashes with SIGFPE assertion 'valid ctx crule_cnt'.
Conditions:
-- Firewall iRule configured.
-- OneConnect configured.
Note: A firewall policy (eventually referencing a firewall iRule) can be applied to places other than a virtual server. For instance, a firewall policy can be applied to a route-domain. This might still cause interaction with a virtual server equipped with OneConnect, and lead to the issue.
Impact:
TMM dumps core and restarts. This can disrupt traffic or lead to a failover on redundant units.
Workaround:
There is no workaround other than not simultaneously configuring firewall iRules and OneConnect.
468083-1 : An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover.
Solution Article: K16433
Component: Local Traffic Manager
Symptoms:
If an LB_FAILED iRule calls HTTP::respond and references an undefined value, then Traffic Management Microkernel (TMM) can crash or failover.
The following is in the ltm logfile showing the undefined value reference:
Jun 19 11:10:04 bigip1 err tmm[9515]: 01220001:3: TCL error: /Common/rule_lbpickfailed <LB_FAILED> - can't read "value": no such variable while executing "log local0. "$value doesn't exist""
Conditions:
The following have to be configured in order for this to reproduce:
1. An http profile with web acceleration and http compression enabled:
profiles {
/Common/http { }
/Common/optimized-acceleration { }
/Common/tcp { }
/Common/wan-optimized-compression { }
}
2. An LB_FAILED iRule that calls HTTP::respond and references an undefined value:
when LB_FAILED {
HTTP::respond 200 content "content"
log local0. "$value doesn't exist"
}
Impact:
The TMM crashes.
Workaround:
Fix iRule by not referencing an undefined value within LB_FAILED.
467703-3 : Management interface sending erroneous IPv6 MLD or IPv4 IGMP packets
Solution Article: K17340
Component: TMOS
Symptoms:
The BIG-IP management interface may erroneously send IPv6 Multicast Listener Discovery (MLD) Listener Query or IPv4 Internet Group Management Protocol (IGMP) Membership Query packets.
Conditions:
Any platform that uses Linux interface 'mgmt' as opposed to 'eth0'. This is applicable for all platforms except the following: 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050, VE (Virtual Edition guests), and vCMP (vCMP guests hosted by BIG-IP platforms).
Impact:
No production traffic impact, but extra management traffic.
Some switches may report an IGMP or MLD error when connected to the mgmt port.
Workaround:
Disable the unwanted MLD and IGMP packets by doing the following: echo 0 > /sys/class/net/mgmt/bridge/multicast_snooping.
This is applicable for all platforms except the following: 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050, VE (Virtual Edition guests), and VCMP (vCMP guests hosted by BIG-IP platforms).
467589-1 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.
Component: WebAccelerator
Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.
Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)
Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.
Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:
Remount /usr partition as RW:
# mount -o remount -rw /usr
Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:
unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
exit 0;
}
to:
unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
exit 0;
}
466116-4 : Intermittent 'AgentX' warning messages in syslog/ZebOS log files
Component: TMOS
Symptoms:
When routing protocols ospfv2, ospfv3, bgp, rip, ripng are configured to exchange routing information, the system posts agentx-related warning messages in the syslog/zebos log files similar to the following:
<date+time> warnings: <protocol> : AgentX: process_packet (<state name> state), ...
<date+time> warnings: <protocol> : AgentX: requested pdu : 1
Conditions:
This occurs when a BIG-IP system is configured for SNMP traps on the ZebOS routing protocols.
Impact:
These warning messages are cosmetic and may be logged intermittently, possibly resulting in a large number of messages.
466017-1 : Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles
Solution Article: K50042218
Component: TMOS
Symptoms:
Tab-completion does not work for TCP/HTTP profiles with the command: ltm virtual profiles.
Conditions:
This occurs with TCP and HTTP profiles when using Tab-completion in tmsh.
Impact:
Cannot use Tab-complete with TCP or HTTP profiles.
Workaround:
Type the profile name out completely, instead of using tab-completion to complete the name of the profile.
465927-1 : Response is halted or reset when the request has an ignore profile
Component: Application Security Manager
Symptoms:
Response is halted for some seconds or doesn't arrive at all (fin or rst)
Conditions:
The request has a "do nothing" profile.
Request is a POST.
This happens more frequently if the response size is large.
Impact:
Response to that request is halted for some seconds or doesn't arrive at all (fin or rst)
Workaround:
Change the content profile of that URL. Note that this workaround may cause false positive attack signatures and/or other false positive.
465555-1 : GUI unable to open and configure iApp Application.
Solution Article: K53914592
Component: TMOS
Symptoms:
Cannot use the GUI to open an existing iApp Application. The GUI throws a database error.
Conditions:
Open an existing iApp Application from the GUI or create a new iApp Application and try to configure it.
Impact:
Cannot configure the iApp Application from the GUI.
Workaround:
Use tmsh to configure the iApp Application.
464874-1 : Client may legitimately send a range request for the cached JS/CSS content which is no longer valid.
Component: WebAccelerator
Symptoms:
When JS/CSS minification feature is turned on, some client may legitimately send a range request for the cached JS/CSS content which is no longer valid due to content size reduction by the feature. In that case, TMM may spin out of control, and eventually be killed by SOD.
Conditions:
Client retrieves the JS/CSS content from WAM and get the unminified content.
Turn on JS/CSS minification.
Client issues range request for the JS/CSS content using the content size it knows about, which is prior to minification.
WAM will try to serve to content with the range request, which technically is no longer valid due to content size shrinkage.
Impact:
TMM becomes unresponsive and SOD will kill it.
Workaround:
Turn off JS/CSS minification
464870-6 : Datastor cores and restarts.
Solution Article: K94275315
Component: TMOS
Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.
Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.
Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.
464437-2 : Quickly repeated external datagroup loads might cause TMM crash.
Solution Article: K16525
Component: Local Traffic Manager
Symptoms:
TMM crashes while loading an external datagroup that has already been loaded.
Conditions:
External datagroup is already loaded, and is then re-loaded.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
To avoid this issue, wait a few seconds between load and reload the same external data group.
464252-3 : Possible tmm crash when modifying html pages with HTML profile.
Component: TMOS
Symptoms:
With certain combinations of append_to_tag/prepend_to_tag rules and input fragments, HTML profile could get stuck in an infinite loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove HTML profile from virtual server.
Or, modify profile rules in a way that would not cause loop.
463216-1 : 'tmsh load sys config gtm-only' resets link assignments
Component: Global Traffic Manager (DNS)
Symptoms:
Loading configuration clears the link assignments displayed in the UI.
Conditions:
GTM is provisioned and a GTM server, virtual server, and link are configured.
If the config is loaded then any link assignments will no longer be displayed in the UI.
Impact:
This is a cosmetic bug. The control plane loses that information on a load and it never gets updated.
Workaround:
Making a non-functional change to the server or link (e.g. the description) should cause GTM to update the links in the control plane (mcpd).
462881-2 : Configuration utility allows for mismatch in IP protocol and transport profile
Solution Article: K17006
Component: Local Traffic Manager
Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile, or ip-protocol any with a TCP profile.
Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g., ip-protocol udp, profiles { tcp }).
Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.
Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.
462258-3 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
Component: Access Policy Manager
Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored.
These symptoms accompany the problem:
- Too many file descriptors open by apd.
- 'Too many open files' error messages in the log file.
- Running qkview to gather diagnostic data reveals the information similar to the following in 'netstat -pano' from qkview:
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)
The last line with timer 'keepalive (1909.72/0/0)' indicates that apd has been waiting for a response for too long. Other lines with Recv-Q '272' indicate that apd is not reading incoming requests as expected (specifically, that the internal worker queue is overloaded because all threads are waiting for the one hanging thread to be processed).
Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when a AAA Server is configured to use pool as a backend. In this case, apd can always connect locally to layered virtual server, but the pool monitor has a server availability check interval, so a lag in the request to an unavailable server might cause apd to hang.
Impact:
Potential connection failures to backend server.
461818-2 : Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio
Component: TMOS
Symptoms:
The command tmsh -m show sys tmm-info field-fmt occasionally shows an invalid value such as:
five-min-avg-usage-ratio 184467440737093465
Conditions:
This occurs under normal operation.
Impact:
Faulty displayed value with zero functional impact.
459994-3 : tmm may crash if default gateway pool contains members that it cannot route to
Component: Local Traffic Manager
Symptoms:
tmm may crash in an invalid routing setup
Conditions:
create gw pool member that is unreachable and not local on any subnet
Impact:
Traffic disrupted while tmm restarts.
Workaround:
do not create invalid routing setup
458450-3 : The ECA process may produce a core file when processing HTTP headers
Solution Article: K16941
Component: Access Policy Manager
Symptoms:
The ECA process may produce a core file when processing HTTP headers.
As a result of this issue, you may encounter one or more of the following symptoms:
In the /var/log/apm file, you may observe log messages similar to the following example:
notice eca[20847]: 01620010:5: ** SIGSEGV **
notice eca[20847]: 01620010:5: fault time: < date >
The ECA process generates a core file in the /var/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP APM system is configured with the ECA log level of debug.
-- The ECA process receives and attempts to process an HTTP cookie header, where the cookie value is greater than 1023 characters.
Impact:
The ECA process temporarily stops processing traffic and then restarts.
Workaround:
Do not enable the debugging log.
To work around this issue, you can revert the log level setting for the ECA (log.eca.level) process back to the default of Notice. To do so, perform the following procedure:
Impact of workaround: Debug logging is disabled for the ECA process.
Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh
Type the following command:
modify /sys db log.eca.level value Notice
Save the configuration change by typing the following command:
save /sys config
To exit the tmsh utility, type the following command:
quit
457252-2 : tmm crash when using sip_info persistence without a sip profile
Component: TMOS
Symptoms:
Tmm crashes. You see the following in /var/log/ltm:
notice hudfilter_init: filter 'SIPP' init failed.
Conditions:
Configuring a virtual server with sip_info persistence but a sip profile is not assigned.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure you configure a sip profile on any virtual that has sip_info persistence configured.
457034-3 : Multipath TCP (MPTCP): TMM crash in stockpile management
Component: Local Traffic Manager
Symptoms:
The tmm may core when using MPTCP.
Conditions:
This issue occurs under conditions of MPTCP heavy usage.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time.
456378-1 : On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core
Solution Article: K15465
Component: Local Traffic Manager
Symptoms:
When using ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED that contains a discard or reject action, TMM is going to failover.
Conditions:
Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use CLIENT_DATA as the firing event for the iRule. Will have the same expected result when discarding the connection.
456376-2 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
Solution Article: K53153545
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.
Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.
Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).
Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.
456120-4 : Policy History Files are missing after device group sync
Solution Article: K34139426
Component: Application Security Manager
Symptoms:
Policy history revision files in the /var/ts/dms/policy/policy_versions/* directories are erased after a device group sync.
Conditions:
1. Set up a sync-failover device group with ASM sync enabled.
2. Create a policy and synchronize the devices,
Impact:
Old policy version files disappear every other sync.
Workaround:
Manually sync again after a spurious ASM change.
456047 : Explicit links lost after adding server IP addresses using GUI
Component: Global Traffic Manager (DNS)
Symptoms:
When using the web user interface to add server IP addresses to an existing Global Server Load Balancing (GSLB) server, any existing server IP addresses that have an explicit link configured are lost.
Conditions:
This occurs after adding a new IP address to the server. This can be examined by using tmsh to list the server and its associated explicit link.
Impact:
If a link goes down, everything on the link goes down, so it is possible that unexpected resources will go down, if the GTM servers or virtual servers lose their explicitly defined links. Preliminary testing suggests that when these explicit links are lost, GTM might auto-match the server IP addresses (or virtual servers) to a different link, and this link might be different from the one the user explicitly configured.
Workaround:
When configuring servers that are using explicit links, using tmsh (not the web UI) to edit the server properties, prevents explicit links from being erased.
455020-3 : RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout
Component: Carrier-Grade NAT
Symptoms:
The minimum of the Real Time Streaming Protocol (RTSP) and TCP profile timeouts is applied to the RTP and RTCP connflows associated with an RTSP connection.
Conditions:
This problem can leave UDP connflows for RTP and RTCP open for a shorter time period than desired.
Impact:
The shorter timeout (either RTSP profile or TCP profile) is used for the idle timeout on RTP and RTCP flows associated with an RTSP connection.
Workaround:
To workaround this issue configure both the TCP and the RTSP profile so that the idle timeout periods are the same.
454961-2 : Removal of AFM inline rules
Component: Advanced Firewall Manager
Symptoms:
All inline rules have been removed from AFM as of this release. All new rules must be created in policies. An update script is available to move current inline rules to policies.
Conditions:
This occurs on upgrade to 11.6.0 or later.
Impact:
Inline rules are no longer supported.
Workaround:
Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary.
During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply.
If you have HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.
452660-3 : SNMP trap engineID should not be configsynced between HA-pairs
Component: TMOS
Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.
Conditions:
All
Impact:
Received SNMPv3 traps would appear as if they originated from the same Big-IP system after failover to a backup Big-IP.
Workaround:
Workaround is to disbale configsync (change 'yes' to 'no') on engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file and then run tmsh load. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode
at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html
452283-4 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
Component: Local Traffic Manager
Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.
Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.
Impact:
A connection remains that never expires; its idle time periodically resets to 0.
Workaround:
There is no workaround at this time.
451705-1 : Illegal metachar override can be added to policy which prevents Apply Policy★
Component: Application Security Manager
Symptoms:
Illegal metacharacter override can be added to the security policy. This subsequently prevents the security policy from being applied.
This can be see in /var/log/asm.1_transformed:
----------------------------------------------------------------------
Feb 25 11:35:25 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P3 [update]: Overridden Value Meta-characters were set to 0x3f - allowed.
Feb 25 11:35:31 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P9 [update]: Overridden Value Meta-characters were set to 0x3a - allowed, 0x7fffffff - allowed.
----------------------------------------------------------------------
Conditions:
When upgrading from 11.3 to 11.5, and when importing your exported policy, it produces an error and failed to roll forward.
Impact:
This subsequently prevents the policy from being applied. It could not apply configuration; set active failed.
Workaround:
N/A
451479-4 : ConfigSync over IPv6 fails due to wrong rsync formatting
Solution Article: K16273
Component: TMOS
Symptoms:
ConfigSync over IPv6 fails due to wrong rsync formatting.
Conditions:
Config sync is enabled on IPv6.
Impact:
Config sync over ipv6 can not be used. /var/log/ltm logs show following error logs: -- err mcpd[5269]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /var/named/config/ rsync://fd88:8888:1:f5::1/var_name' failed. The command exited with status 10.
-- err mcpd[5269]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /config/big3d/ rsync://fd88:8888:1:f5::1/big3d' failed. The command exited with status 10.
Workaround:
Use config sync over IPv4.
451458-6 : The leasepool stat query should only return primary blade data.
Solution Article: K16384
Component: TMOS
Symptoms:
The SNMP and "leasepool show" command are not working.
Conditions:
Both single and HA Chassis configuration with lease pool.
Impact:
SNMP and "leasepool show" command does not return good leasepool stats.
Workaround:
There is no workaround to this issue.
451083-1 : Citrix Wyse clients when working with StoreFront in integration mode
Solution Article: K16244
Component: Access Policy Manager
Symptoms:
APM does not support Citrix Wyse clients when working with StoreFront in integration mode.
Conditions:
Using APM with Citrix Wyse clients when working with StoreFront in integration mode.
Impact:
Citrix Wyse clients are unable to connect to APM.
Workaround:
Use the following iRule: priority 1
when HTTP_REQUEST {
set string [HTTP::header value Cookie]
if {$string contains "NSC_AAAC=xyz"}{
regsub {NSC_AAAC=xyz;?} $string {} tmp
regsub {NSC_DLGE=xyz;?} $tmp {} result
HTTP::header replace Cookie $result
}
}
450671-1 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
Solution Article: K15537
Component: Local Traffic Manager
Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:
-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.
Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.
Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').
Workaround:
None.
450241-4 : iControl error when discover ASM from EM
Solution Article: K21100172
Component: Application Security Manager
Symptoms:
iControl request for iControl:ASM/Policy::get_list() fail
EM connections fail to ASM devices
Conditions:
iControl fails to call to the ASM portion of iControl, and produces an error message.
<faultstring
xsi:type="xsd:string">Exception caught in ASM::urn:iControl:ASM/Policy::get_list()
Exception: Common::OperationFailed
primary_error_code : 0 (0x00000000)
secondary_error_code : 0
error_string : Unset policy</faultstring>
Impact:
Discovery and refreshing devices fails, and EM cannot manage devices with ASM.
Workaround:
This issue has no workaround.
450136-6 : Occasionally customers see chunk boundaries as part of HTTP response
Component: Access Policy Manager
Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.
Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.
Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.
Workaround:
To workaround this problem, use an iRule to rechunk the HTTP response always.
447542-3 : TMM crashes at startup when reprovisioning.
Solution Article: K51222549
Component: TMOS
Symptoms:
TMM crashes at startup when reprovisioning.
Conditions:
Although there are several potential causes for this issue, they are difficult to quantify. For example, when provisioning stops the tmm, subsequent processing that finishes the provisioning activity might restart some daemons.
Impact:
TMM crashes on startup because it cannot obtain the memory allocated. In the specific case of provisioning failure, and depending on the modules being provisioned the system might post messages similar to the following:
-- err mcpd[7608]: 01070066:3: Publication not found in mcpd for publisher Id WAMD_McpInvalidation_Publisher.
-- err mprov:1265:: 'Reserving huge memory failed (desired amount: 6295 pages [12590 MiB], allocated: 4248 pages [ 8496 MiB].'
-- err mprov:1265:: 'Resource reallocation could not be completed - A reboot is necessary for provisioning to complete.'
Workaround:
Reboot the system.
446713 : Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis.
Component: TMOS
Symptoms:
Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis. Messages posted might appear similar to the following:
-- snmpd[7175]: custom mib initialization completed. total 0 custom mib entry registered.
-- snmpd[7175]: Turning on AgentX master support.
-- restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0-system_u:object_r:etc_runtime_t:s0
-- sflow_agent[8639]: sflow_mcp.cpp::556:
sflow_agent[8639]: Processed max messages (201) in a loop.
Conditions:
This happens on each blade except blade1 (which is the Primary).
Impact:
When this occurs, the system posts various error messages and the daemon restarts.
Workaround:
Reboot. Subsequent reboots do not cause the daemon restarts.
446526-9 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
Component: Local Traffic Manager
Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.
Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules or there is iRule execution error.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.
446187-6 : Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization.
Solution Article: K15309
Component: Access Policy Manager
Symptoms:
As a result of this issue, you may encounter the following symptoms:
-- BIG-IP iHealth lists Heuristic H465125 on the Diagnostics :: Identified :: High screen.
-- The BIG-IP APM service that you started causes system CPU utilization to increases over time, and eventually to consume all available CPU.
-- Users may be unable to access the BIG-IP APM access profiles.
-- When you view the Configuration utility, dashboard CPU consumption continually increases.
-- In the /var/log/ltm log file, you may observe log messages similar to the following examples.
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP service is already running.
-- You manually start the BIG-IP service from the command line either directly or by using bigstart.
-- The BIG-IP service is running one of the following services:
aced, acctd, apd, eam, rba, or websso
Impact:
The user may be unable to access the system, and the BIG-IP APM system may stop responding.
Workaround:
Never start any daemon manually.
The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility:
bigstart start daemonname
bigstart stop daemonname
bigstart restart daemonname
442884-2 : TMM assert 'spdy pcb initialized' in spdy_process()
Component: Wan Optimization Manager
Symptoms:
TMM assert 'spdy pcb initialized' in spdy_process() caused by a HUDEVT_ABORTED on a zero'd SPDY ctx from iSession.
Conditions:
-- APM, iSession, and SPDY filter configured.
-- iClient unexpectedly closes the connection (by sending FIN) before handshaking complete.
Impact:
TMM Asserts.
Workaround:
1. Fix iClient configuration.
2. Remove SPDY profile from the chain.
442620 : MPTCP Timeout value configuration error checking is not working
Component: Local Traffic Manager
Symptoms:
MPTCP Timeout valid range for version 11.5.x is [60..36000], but the error message is incorrect. It says value must be between [1..10].
Conditions:
-- Using MPTCP Timeout.
-- Configured for 11.5.x. No other software versions are affected.
-- Entering a value outside the range of [60..36000].
Impact:
Error message displays the wrong range [1..10] for MPTCP Timeout in error message. Correct range should be [60..36000].
Workaround:
None.
442532-3 : Log shows 'socket error: resource temporarily unavailable'
Component: Access Policy Manager
Symptoms:
Response cannot be sent to remote clients. This happens rarely with extremely large access policy configurations. While writing response to tmm, APD gets /socket error: Resource temporarily unavailable'.
Conditions:
Conditions leading to this issue are not yet known. The issue cannot be reproduced.
Impact:
The system still works. Reconnect restores working function.
Workaround:
None.
442322-3 : vCMP guest names in statistics limited to 32 characters
Component: TMOS
Symptoms:
Having vCMP guest names that exceed 32 characters might impact the display of statistics for the guests.
Conditions:
This occurs with vCMP guest names that exceed 32 characters.
Impact:
The tmstat table entries can collapse and omit stats for guests with names longer than 32 characters.
Workaround:
Change configuration to use shorter names. Note: Changing names requires stopping traffic processing on the guests.
442199-4 : HA group must be set up before running ccmode★
Component: TMOS
Symptoms:
HA peer discovery process fails when running ccmode.
Conditions:
This occurs if the ccmode utility (for installations requiring Common Criteria compliance) is run prior to set-up of an HA group.
Impact:
Unable to set up HA group. In the GUI, upon attempting the Peer Discovery step, the system returns an iControl connection failure error.
Workaround:
There are two workarounds: -- Create all HA groups before running the ccmode utility. -- Complete the following process on both systems prior to initial HA setup or before adding a new device:
1. Run the fommand: tmsh modify sys httpd ssl-protocol "all -SSLv2".
2. Run the command: tmsh save sys config.
3. Perform HA-setup/device-addition.
4. Return the httpd ssl-protocol option to the value that conforms to Common Criteria requirements. To do so, run the following two commands:
a. tmsh modify sys httpd ssl-protocol "all -SSLv2 -SSLv3".
b. tmsh save sys config.
441913-5 : Empty Webtop when large number of resources assigned to access policy.
Solution Article: K15454
Component: Access Policy Manager
Symptoms:
When a large number of resources (more than 25) is assigned to an access policy with full a webtop, the system displays an empty webtop when accessed the second time.
Conditions:
Large number of resources assigned to access policy.
Impact:
Failed to display large number of resources on webtop when accessed second time.
Workaround:
To work around the problem, you can only use fewer resources.
441482-3 : SWG is seen on platforms with less than 8 GB of memory
Component: TMOS
Symptoms:
Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms.
Conditions:
This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.)
Impact:
Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.'
Workaround:
Do not attempt to provision SWG on platforms with less than 8 GB of memory.
441297-2 : Trunk remains down and interface's status is 'uninit' after mcpd restart
Solution Article: K16493
Component: TMOS
Symptoms:
Trunk down and interface's status is 'uninit' and log files indicate mcpd restarted.
Conditions:
This occurs upon mcpd restart on 2000/4000 series platform.
Impact:
Failover as a result of mcpd restart. Trunks are unable to pass traffic. The interface that report the status 'uninit' are able to pass traffic after mcpd and related services restart; the message is cosmetic only.
Workaround:
Run the command: tmsh restart sys service pfmand. The restart of pfmand helps update the interface status, which in turn helps update the trunk status.
440817-4 : Sweeper incorrectly reaps a flow that had matched global (or rtdom) rule with action 'Accept Decisive' after the latest firewall configuration change
Solution Article: K03037436
Component: Advanced Firewall Manager
Symptoms:
Sweeper incorrectly reaps a flow that matches a rule in either global or corresponding route-domain classifier with action = Accept Decisive in the scenario when this particular classifier did not change (and there are no matching rules in the corresponding VIP/SelfIP classifier and VIP/SelfIP default action is set to Drop or Reject).
Conditions:
AFM is enabled and configured in Default Deny mode. A flow matches a global (or route domain) rule with action set to Accept Decisively at time of flow creation. However, this flow also does not match any VIP/SelfIP rule
Later, a firewall policy change triggers Kill-on-the-Fly sweeper to re-evaluate all the existing connections against new firewall configuration that results in this undesired behavior.
Impact:
This incorrect behavior would result in legitimate existing connections being dropped after a firewall policy configuration change (that are supposed to be accepted in firewall configuration).
Workaround:
AFM Kill-on-the-fly feature (in sweeper) can be disabled using the db variable - tm.sweeper.flow.acl
440562-3 : TMM cores dumps due to an iSession "valid event" assertion failure
Component: Wan Optimization Manager
Symptoms:
An APM network access tunnel abort causes TMM to core dump due to an iSession 'valid event' assertion failure.
Conditions:
An APM network access tunnel is aborted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
440505-5 : Default port should be removed from Location header value in http redirect
Solution Article: K17207
Component: Access Policy Manager
Symptoms:
Browser recognizes page loaded with URL without default port and page loaded after receiving Location header that contains rewritten URL with default port included in it as different pages and loads page twice.
Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).
Impact:
Resource is loaded twice and this can possibly change behavior of backend.
Workaround:
This issue has no workaround at this time.
440431-4 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
Solution Article: K15353
Component: Local Traffic Manager
Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
Conditions:
This issue occurs when the following condition is met:
A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.
Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.
Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.
439680-4 : BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions
Component: Access Policy Manager
Symptoms:
A BIG-IP system configured as a Service Provider (SP) supports only rsa-oaep for key transport (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p).
When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails.
The only issue here is the error reported does not directly point to the cause of failure which makes troubleshooting more difficult.
Conditions:
A BIG-IP system configured as an SP receives a SAML assertion that is encrypted or contains encrypted attributes.
Impact:
Troubleshooting could take longer.
Workaround:
There is no workaround.
439540-5 : Connection to a Self IP to network HSM may not be established after the BIG-IP system reboots.
Solution Article: K16063
Component: Local Traffic Manager
Symptoms:
SSL connections or DNSSEC operations that utilize a key stored on the network HSM may fail.
Conditions:
The BIG-IP system is configured to use a network HSM.
The BIG-IP system connects to the network HSM using a Self IP address.
The BIG-IP system is rebooted or all of the BIG-IP services are restarted.
Impact:
Traffic interruptions for SSL connections or DNSSEC operations that utilize a key stored on the network HSM until manual corrective action is taken.
Workaround:
Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".
439490-8 : System does not reconnect to SafeNet HSM if connection is interrupted
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not reconnect to SafeNet HSM if the connection is interrupted. That means that SSL connections that utilize a key stored on the network HSM fail.
Conditions:
This occurs when the BIG-IP system is configured to use a SafeNet network HSM and the connection between the BIG-IP system and the network HSM is interrupted.
Impact:
When this occurs, the system experiences traffic interruptions for SSL connections that utilize a key stored on the network HSM until manual corrective action is taken.
Workaround:
To work around this issue, restart the pkcs11d process using the command 'tmsh restart sys service pkcs11d'.
439461-5 : Citrix Receiver for Linux is unable to receive full applications list.
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Linux shows only a part of applications list when connecting to APM.
Conditions:
APM is configured for Citrix Replacement and Citrix Receiver for Linux is used.
Impact:
Citrix Receiver for Linux shows only a part of applications list.
439399-4 : Discrepancy between Throughput and Detailed Througput data
Solution Article: K17483
Component: TMOS
Symptoms:
Discrepancy between Throughput and Detailed Throughput graphs.
Conditions:
Conditions leading to this issue include vCMP guest with ePVA virtual servers in guest.
Impact:
The impact of this issue is a discrepancy between Throughput and Detailed Througput graphs.
Workaround:
This issue has no workaround at this time.
439330-7 : Javascript: getAttribute() returns mangled event handlers
Component: Access Policy Manager
Symptoms:
All event handlers in HTML page are rewritten by APM. If some script uses getAttribute() call to obtain event handler code, it gets rewritten code. This may lead to incorrect results.
Conditions:
HTML page with event handlers defined.
Impact:
If a script uses event handler source code, it might work incorrectly.
438548-3 : Please avoid name "none" for branch rules
Solution Article: K11481255
Component: Access Policy Manager
Symptoms:
Access policy visual policy editor item created with a branch caption of "none" cannot be opened or edited properly after being exported and re-imported.
Conditions:
A branch caption of "none" for an access policy visual policy editor item.
Impact:
Any access policy action.
Workaround:
In visual policy editor: Before you export an access policy, check for elements with caption "none" in branch rules and change the caption.
To avoid this issue, refrain from using the name "none" for branch rules.
438045-4 : Web Services signature verification failed.
Solution Article: K48130340
Component: Application Security Manager
Symptoms:
Uploading an SSL certificate to the Web Services Security configuration may generate an error message.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The Web Services signature verification fails.
-- Uploading the client certificate to the BIG-IP system causes validation to fail, and the system generates an error message similar to the following example:
Validation failed. Please upload valid .PEM file
Conditions:
This issue occurs when all of the following conditions are met:
-- You are configuring the Web Service Security settings in an XML profile.
-- You attempt to import client or server certificates into the BIG-IP ASM certificate pool.
Impact:
Web Services signature verification failed.
Workaround:
None.
437703-6 : LTM policies do not accept special characters in HTTP header names
Solution Article: K15544
Component: Local Traffic Manager
Symptoms:
LTM policies do not accept special characters in HTTP header names.
Conditions:
This occurs when trying to use a '$' character in a header name.
Impact:
The system posts a validation error. For example, for the value $WSRA, the system posts the following message: 01071748:3: Policy '/Common/ft1_pool_select', rule 'notvar2'; invalid name, value '$WSRA'.
Workaround:
None.
436674-2 : The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot.
Solution Article: K17271
Component: TMOS
Symptoms:
After the reboot of the SNMP agent (snmpd), the SNMPv3 trap messages generated from the BIG-IP may contain the incorrect msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values. After that, msgAuthoritativeEngineBoots value will also be out of sync with the engineBoots value in /config/net-snmp/snmpd.conf.
Conditions:
Configure SNMPv3 trap destination on the BIG-IP system and observe the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values in the generated trap messages. Reboot the SNMP agent (e.g., 'tmsh restart sys service snmpd') and observe these values again in the subsequent SNMPv3 trap messages.
Impact:
Some SNMP monitoring servers (e.g., SpectroSERVER) can lose the ability to poll the BIG-IP system. When the BIG-IP system sends out the incorrect values, the monitoring server thinks the information has been spoofed and it loses the ability to poll the BIG-IP until manual intervention.
Workaround:
This issue has no workaround at this time.
435555-4 : Cannot load UCS from different BIG-IP system using Secure Vault
Component: TMOS
Symptoms:
If a BIG-IP system uses in Secure Vault to encrypt secure fields, you cannot load that UCS to another BIG-IP system.
Conditions:
This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.
Impact:
UCS load fails.
435419-3 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Solution Article: K10402225
Component: Access Policy Manager
Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.
Impact:
mcpd crashes, followed by multiple cores.
Workaround:
Upload the EPSEC file completely, and try the installation again.
434517-9 : HTTP::retry doesn't work in an early server response
Component: Local Traffic Manager
Symptoms:
If a HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly.
Conditions:
Client begins sending a request. The server responds before that request is completely sent. A HTTP::retry is called in the HTTP_RESPONSE event.
Impact:
Typically, early server responses are error conditions.
Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
433972-12 : New Event dialog widget is shifted to the left and Description field does not have action widget
Component: Access Policy Manager
Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.
Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.
Impact:
SharePoint 2013 malfunctions.
Workaround:
You could potentially use an iRule to mitigate the problem.
433752-8 : Web applications might rewrite their event handlers
Solution Article: K17469
Component: Access Policy Manager
Symptoms:
Web applications might rewrite their event handlers.
Conditions:
If a web application edits event handlers dynamically.
Impact:
Event handlers might become corrupted.
Workaround:
None.
433572-2 : DTLS does not work with rfcdtls cipher on the B2250 blade
Component: Local Traffic Manager
Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.
Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.
Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade
Workaround:
None.
433380-1 : qkview files may contain truncated configuration files
Component: TMOS
Symptoms:
When running qkview, copies of the configuration files contained within the /config directory may be truncated if they are larger than 5 MB.
Conditions:
-- /config/bigip.conf is greater than 5 MB.
-- Running qkview.
Impact:
Some configuration data may be missing when uploaded to iHealth.
Workaround:
Copy /config/bigip*.conf from the BIG-IP device and provide these files to the Support Engineer.
433323-11 : Ramcache handling of Cache-Control: no-cache directive in Response
Component: Local Traffic Manager
Symptoms:
Previously, when a Cache-Control header from the OWS contained a no-cache directive, RAM Cache mistakenly interpreted that the same as a no-store directive.
Conditions:
Configure a virtual server with HTTP caching.
Impact:
Failure to cache a cachable document.
Workaround:
This issue has no workaround at this time.
433243-6 : SAML SSO might fail due to clock skew
Solution Article: K16056
Component: Access Policy Manager
Symptoms:
Other SAML Service Provider (SP) implementations might reject a SAML assertion generated by the BIG-IP system if the clock on the other system is running behind the clock on the BIG-IP system.
Conditions:
BIG-IP is configured as SAML IdP. SAML SP is implemented by another vendor. Other vendor's implementation does not have clock skew tolerance. SP's clock is behind IdP's clock.
Impact:
SAML SSO might fail.
Workaround:
Adjust the clock on SP system to the time that is set on the BIG-IP system that acts as the SAML Identity Provider (IdP).
433055-5 : BFD GTSM IMI shell commands don't work
Component: TMOS
Symptoms:
BFD GTSM IMI shell commands 'bfd gtsm enable' and 'bfd gtsm disable' commands are disabled and have no effect.
Conditions:
This problem shows up when BFD is configured, and attempt to configure GTSM feature of BFD.
Impact:
GTSM feature is not usable.
Workaround:
None.
432102-7 : HTML reserved characters not supported as part of SAML RelayState
Component: Access Policy Manager
Symptoms:
If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send complete RelayState value to the Peer.
Conditions:
Using special characters
Impact:
SAML integration may not work properly with other products when configured RelayState parameter includes special characters.
Workaround:
To use reserved characters in HTML (",',&,<,>) as part of SAML RelaySate, convert them to their HTML entities (", ', &, <, >).
431810-6 : APMD process core due to missing exception handling in execute agents
Solution Article: K16315
Component: Access Policy Manager
Symptoms:
APMD cores due to a missing exception handling in APMD while executing access policy agent.
Conditions:
This occurs when using APM.
Impact:
APMD might core due to a missing exception handling in APMD while executing access policy agent.
431480-3 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
429885-4 : Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)
Solution Article: K17576
Component: Advanced Firewall Manager
Symptoms:
When AFM is operating in Default Deny mode, traffic that does not match a Virtual or Self IP is dropped/rejected silently without any counter increment or logging (if global default drop logging is enabled).
Conditions:
VIP/SelfIP Default Action is set to Drop/Reject.
Global Default Action is set to Drop and global rule logging is enabled.
Traffic does not match any virtual or selfip.
Impact:
While there is no impact on the traffic that does not match virtual or Self IP (and is correctly being dropped), the issue is not updating any counters or logging (if enabled).
Workaround:
This issue has no workaround at this time.
429810-4 : 2000/4000 platforms can end up in indeterminate ARL/FDB state
Solution Article: K15576
Component: Local Traffic Manager
Symptoms:
2000/4000 platforms can end up in indeterminate ARL/FDB state under certain conditions.
Conditions:
This occurs when one of these platforms is subjected to a stream of frames arriving from one MAC address on two different ports on a VLAN simultaneously.
Impact:
The result is an indeterminate ARL/FDB state.
Workaround:
There is no workaround.
427924-8 : ipport hash type is not programmed in new blade
Solution Article: K14667
Component: TMOS
Symptoms:
When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used.
Conditions:
UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). -- UDP or TCP virtual servers configured. -- New blade inserted into chassis. New blade includes external interface to which traffic will arrive.
Impact:
Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system.
Workaround:
Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type).
426274-1 : Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time
Component: Advanced Firewall Manager
Symptoms:
If the daily schedule for a rule starts before the start date and time specified in the schedule. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all. tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
Conditions:
The daily-hour-start needs to be configured to occur before the date-valid-start.
Impact:
The scheduled rule will not become active when configured in this manner.
Workaround:
As a workaround, make sure that date-valid-start is not before daily-hour-start. A working example, assuming the current time is 2013-07-26 16:20:00. Configure the date-valid-start to be the previous day: tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
423930-2 : GTM might mark down LTM virtual servers in non-zero RDs named with special characters
Component: Global Traffic Manager (DNS)
Symptoms:
LTM virtual servers that are in a non-zero route domain (RD) named using special characters, might be incorrectly marked down by GTM.
Conditions:
-- LTM virtual servers with a '.' (dot) or ';' (semi-colon) in the name.
-- Configured in a non-zero RD.
Impact:
GTM marks those LTM virtual servers down.
Workaround:
This workaround involves changing the GTM config. To make the config work properly, the GTM must be configured with 1 (one) server stanza for each RD on the LTM system that has virtual servers.
The following example configuration creates 3 virtual servers, 1 for each RD. Each server then discovers and probes only the virtual servers in the RD.
(NOTE: Remove the 'expose-route-domains yes' option from the server stanza. If that remains 'on', then each server lists all of the virtual servers on the LTM, creating duplicates. Furthermore, virtual servers in an RD that does not match the server's RD, are marked down. For the following example:
-- on server 10.5.76.239 in route domain 0, all virtual servers in RD1 and RD2 will be red (marked down).
-- on server 10.10.10.39 in route domain 1, all virtual servers in RD0 and RD2 will be red.
-- on server 10.10.11.39 in route domain 2, all virtual servers in RD0 and RD1 will be red.)
For example:
1. If the LTM system is configured with the following self IP addresses (that is, 3 self IP addresses in default RD, RD1, and RD2):
net self 10.5.76.239 {
address 10.5.76.239/24
allow-service all
traffic-group traffic-group-local-only
vlan vlan-576
}
net self 10.10.11.39%2 {
address 10.10.11.39%2/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan vlan-3273
}
net self 10.10.10.39%1 {
address 10.10.10.39%1/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan vlan-3270
}
2. There are the following virtual servers in each RD:
ltm virtual vs.rd0.dottest {
destination 10.5.76.39:http
ip-protocol tcp
mask 255.255.255.255
pool p1
profiles {
tcp { }
}
vlans-disabled
}
ltm virtual vs.rd1.dottest {
destination 10.10.10.39%1:http
ip-protocol tcp
mask 255.255.255.255
pool p1
profiles {
tcp { }
}
vlans-disabled
}
ltm virtual vs.rd2.dottest {
destination 10.10.11.39%2:http
ip-protocol tcp
mask 255.255.255.255
pool p2
profiles {
tcp { }
}
vlans-disabled
}
3. The GTM must be configured as follows:
gtm server /Common/B3600-R18-S39-RD0.lab.ss.example.com {
addresses {
10.5.76.239 {
device-name B3600-R18-S39.lab.ss.example.com
}
}
datacenter /Common/DC1
monitor /Common/bigip
virtual-server-discovery enabled
}
gtm server /Common/B3600-R18-S39-RD1.lab.ss.example.com {
addresses {
10.10.10.39 {
device-name B3600-R18-S39.lab.ss.example.com
}
}
datacenter /Common/DC1
monitor /Common/bigip
virtual-server-discovery enabled
}
gtm server /Common/B3600-R18-S39-RD2.lab.ss.example.com {
addresses {
10.10.11.39 {
device-name B3600-R18-S39.lab.ss.example.com
}
}
datacenter /Common/DC1
monitor /Common/bigip
virtual-server-discovery enabled
}
423629-5 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
Solution Article: K08454006
Component: Local Traffic Manager
Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fails.
Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.
Impact:
For bigd, a single restart is actually harmless. The invalid config will cause monitor failures, since the route domain no longer exists, the pool member will be marked down.
Workaround:
None.
423482-1 : Removing the gateway failsafe pool in web interface does not set the pool::gateway failsafe device property to none
Component: TMOS
Symptoms:
Removing the gateway failsafe pool in the web interface does not set the pool::gateway failsafe device property to none.
Conditions:
When the gateway failsafe pool is removed from web user interface, the pool maintains the prior gateway failsafe device. This is seen on listing the pool in tmsh.
Impact:
Creates confusion about the current pool::gateway failsafe device configuration.
Workaround:
The pool::gateway failsafe device property can be set to none using tmsh.
423061-1 : Creating an SNMP v3 user using the Configuration utility or tmsh adds passwords in plain text to the snmpd.conf file
Component: TMOS
Symptoms:
Creating or modifying SNMP v3 users using the GUI or tmsh adds passwords in plain text to the /config/net-snmp/snmpd.conf file.
Conditions:
You have created or modified an SNMP v3 user using the GUI or with the command 'tmsh modify sys snmp users ...'
Impact:
SNMP v3 user passwords are visible to those with root read access on the BIG-IP system until you run bigstart restart to restart the snmp process.
Workaround:
Run the command 'bigstart restart snmp' to restart snmp after creating or modifying SNMP v3 users. This results in encrypted passwords in the file.
422525-1 : Portal Acccess resources with proxy require hostnames to be resolvable to BIG-IP
Component: Access Policy Manager
Symptoms:
Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page.
Impact:
Some resources accessible only via proxy cannot be configured to work through APM Portal Access.
Workaround:
Use intranet DNS server for BIG-IP, or add resources behind proxy server to a DNS server configuration.
421797-2 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby
Component: TMOS
Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled will continue to be accelerated by the ePVA hardware on the original active unit (current standby unit). These offloaded flows will eventually be evicted after the failover switch period (16 second by default) though, and it does not affect the new active unit (original standby unit) to offload the flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.
Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.
Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on standby unit.
Workaround:
None. This is a cosmetic issue.
420645-5 : Firewall software check cannot detect state of ipfw on MAC OS X
Solution Article: K16438
Component: Access Policy Manager
Symptoms:
The Firewall software check cannot detect the state of ipfw software on MAC OS X. Also, because of some underlying issue, the HD encryption software check cannot detect encrypted locations by FileVault software on MAC OS X.
Conditions:
BIG-IP APM, Firewall software check, HD encryption software check.
Impact:
Firewall software check cannot detect state of ipfw on MAC OS X.
Workaround:
none
418734-3 : vCMP guest unit_key empty★
Component: TMOS
Symptoms:
A vCMP guest fails to load, and mcpd crashes on start-up. Running 'tmsh list vcmp guest' on the host reveals that sym-unit-key is empty or does not exist.
Conditions:
There are a number of ways that this can be encountered. The most common is an RMA replacement of a VCMP-capable blade, or when moving a ucs from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.
Impact:
Configuration of vCMP guest fails to load, mcpd crashes.
Workaround:
Remove the encrypted attributes from the config and reenter them in plaintext.
417711-1 : APM does not restore NLAD connections when the configuration is restored from an UCS file★
Component: Access Policy Manager
Symptoms:
After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored.
Conditions:
NTLM configured and UCS file is saved prior to restoring a dive to factory defaults.
tmsh load sys config default is run to restore the system to the default state
Impact:
NTLM auth will not work, and this error will appear in /var/log/apm:
err nlad[6921]: 01620000:3: <0x55b5db90> nlclnt[3c80a0a0a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC
Workaround:
After the upgrade, manually delete the existing NTLM machine account configurations and then recreate them.
417045-2 : Error: 'err chmand[8873]: Error sending MCP system_information (err:1020003)
Component: TMOS
Symptoms:
Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)’ to the ltm log.
Conditions:
This might occur intermittently when shutting down the system.
Impact:
This message is benign, and the system should power up correctly.
Workaround:
None.
416292-8 : MCPD can core as a result of another component shutting down prematurely
Component: TMOS
Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.
Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.
Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.
404876-1 : Rule modifications reset active counters.
Component: Advanced Firewall Manager
Symptoms:
When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset.
Conditions:
An exiting rule is modified or changes state from active to inactive (or vice versa) due to scheduling.
Impact:
Rule hit counters are reset and accurate hit counts across scheduling intervals/modifications are not possible.
402414-2 : Configured flow control not applied to Copper SFPs
Solution Article: K07026135
Component: TMOS
Symptoms:
On affected platforms, flow control configured for an external interface is not applied if the interface is populated with a Copper SFP.
The 'tmsh list net interface' command may show the 'Flow Control' setting for the interface as the configured value (such as 'tx-rx').
However, the 'tmsh show net interface' command may show the 'Flow Control' setting for the interface as 'none', and the remote node connected to the interface in question may show no flow control on the connection.
Conditions:
This may occur with interfaces populated with Copper SFPs on the following BIG-IP and VIPRION platforms:
-- BIG-IP 10000-/12000-series appliances
-- VIPRION B4300-series blades
-- VIPRION B2250 blades
Impact:
No flow control as configured on affected interfaces.
Workaround:
To work around this issue:
1. Set flow control to none for the affected interfaces.
2. Set flow control to the desired value for the affected interfaces.
402115-3 : System does not report tmm memory with consideration of threading
Solution Article: K16272
Component: Local Traffic Manager
Symptoms:
Using the command 'tmsh show sys memory' may display zero usage for some entries.
Conditions:
This applies when using a platform that provides memory management per-process; this is all current hardware platforms, but does not apply to VCMP or VE.
Impact:
The division of memory usage may not be clear.
Workaround:
None. However, the information shows the most important value, which is the memory utilization of each process.
398657-16 : Active Session Count graph underflow
Component: Access Policy Manager
Symptoms:
On all platforms, the active session count might be significantly large at times likely due to a counter underflow.
Conditions:
N/A
Impact:
Wrong active session graphs are presented at certain times.
Workaround:
N/A
396273-4 : Error message in dmesg and kern.log: vpd r/w failed
Component: TMOS
Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.
Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.
Impact:
This is a benign firmware message, and you can safely ignore it.
Workaround:
There is no workaround, but this is not a functional issue.
390514-1 : SNMP_DCA_BASE monitor does not recognize Threshold and Coefficient★
Component: Local Traffic Manager
Symptoms:
The SNMP_DCA_BASE monitor does not return the correct weight.
Conditions:
This occurs when using the SNMP_DCA_BASE monitor. On version 10.x the threshold and coefficient values existed so this may be discovered after upgrading. For more information on configuring SNMP DCA see SOL14110: Creating a custom SNMP DCA or SNMP DCA Base monitor at https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14110.html
Impact:
Dynamic load balancing does not work properly with the SNMP_DCA_BASE monitor.
385859-2 : iRule TCP::close on VIP with RAM cache can cause TMM restart
Solution Article: K32493236
Component: Local Traffic Manager
Symptoms:
iRule TCP::close on VIP with RAM cache can cause TMM restart.
Conditions:
This occurs when using TCP::close in an iRule inside HTTP_REQUEST while RAM cache is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable RAM cache.
384995-3 : Management IP changes are not synced to the device group.
Solution Article: K43346407
Component: TMOS
Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.
Conditions:
When the management IP is changed on a device in a trust domain, it is not updated in the device group even though its config sync IP is a SelfIP and config sync continues to work. Other devices show it offline under Device Management :: Devices.
Impact:
Incorrect device status displayed when looking at the device group.
Workaround:
To resolve this, the device that changed must be discovered from a device that is not changed.
Note: If you attempt to discover a device that is not changed from the device that is changed, the operation loses the hostname and other configuration objects.
378967-2 : Users are not synchronized if created in a partition
Component: TMOS
Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.
Conditions:
There are users whose active partitions are attached to a sync-only device group.
Impact:
This affects sync-only device groups only, not the failover device group.
Workaround:
None.
376120-6 : tmrouted restart after reconfiguration of previously deleted route domain
Solution Article: K15726
Component: TMOS
Symptoms:
When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart.
Conditions:
Non-default route domains in use.
Impact:
Dynamic routing for all route domains is interrupted.
375434-3 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
Component: TMOS
Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.
Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.
Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.
Workaround:
None.
373949-3 : Network failover without a management address causes active-active after unit1 reboot
Component: TMOS
Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.
Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.
Impact:
Unexpected failover may cause traffic interruption.
Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.
372139-2 : Manage Sessions are not showing correct current sessions on VIPRION chassis.
Solution Article: K43033311
Component: Access Policy Manager
Symptoms:
Manage Sessions are not showing correct current sessions on VIPRION chassis.
Conditions:
This occurs using APM on VIPRION chassis.
Impact:
On the Admin Page, Access Policy, Manage Sessions, Current sessions is missing, which makes it difficult to find all the sessions to delete those sessions.
Workaround:
None.
370131-1 : Loading UCS with low GTM Autoconf Delay drops pool Members from config
Component: Global Traffic Manager (DNS)
Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.
Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.
Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.
Workaround:
bigstart stop gtmd during UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.
369640-3 : Folder path objects in iRules can have only a single context per script
Solution Article: K17195
Component: Local Traffic Manager
Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.
Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.
Impact:
iRule can point to objects outside the current folder path.
Workaround:
Give each virtual servers its own copy of the iRule (it is not necessary to provide complete folder paths).
369596-1 : show ltm pool doesn't show the most updated info
Component: TMOS
Symptoms:
'tmsh show ltm pool' command doesn't show the latest updates for connection and rate limits. The connection and rate limits do not get published to the UI until a monitor instantiates a state change on the pool member or node.
Conditions:
Configure a pool member or node to have connection or rate limits.
Impact:
Statistics displayed using tmsh may not be current.
Workaround:
First run "tmsh show ltm pool members' to trigger update.
Note: This does not impact the data path, it is only a UI issue.
369407-2 : Access policy objects are created inconsistently depending on whether created using wizard or manually.
Component: Access Policy Manager
Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.
Conditions:
This is evident when viewing the label following completion of the NA wizard.
Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.
Workaround:
None.
369352-12 : No verification prompt when executing 'load sys config default' for resource administrator role
Component: TMOS
Symptoms:
When logged in as a resource administrator "load sys config default", which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role you do get a prompt.
Conditions:
Login as a resource administrator
run "load sys config default"
restore begins without a verification prompt.
Impact:
System restore initiated without prompt when run as a resource administrator.
Workaround:
None.
368610-1 : TCP sends RST when regular close might succeed
Component: Local Traffic Manager
Symptoms:
A TCP connection closing due to a TCP::close iRule suddenly ABORTS with a "No Server Selected" RST cause.
Conditions:
iRules close the connection on an early TCL event, before a load balancing decision is made. There is no pool member available.
Impact:
The connection closes ungracefully.
366695-6 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed
Component: Global Traffic Manager (DNS)
Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.
Conditions:
Someone of "Manager" roll attempts to create/modify/delete a GTM datacenter, link, server, prober-pools, or topology objects.
Impact:
Error message thrown
Workaround:
Error thrown is correct, but user's shouldn't be able to even get this far in tmsh.
360557-2 : Multiple 'memory exhausted' core files in a configuration containing multiple leading wildcard repetition matches regexes
Solution Article: K01146549
Component: Local Traffic Manager
Symptoms:
Occurrence of multiple 'memory exhausted' core files in a configuration containing regexes. But bigd does not catch or log the exception.
This is an issue with multiple leading wildcard repetition matches.
Conditions:
A monitor recv string regex definition configured with multiple leading wildcard repetition matches, for example:
recv_string: .*Telstra.*SMPP:.*online
recv_string: .*HTTP.*200 OK.*
Impact:
Multiple 'memory exhausted' core files.
Workaround:
Because this is an issue only when the regex pattern begins with .* or similar, you can remove it, as recv has no dependency on position.
360485-2 : Statistics for a lasthop pool member node may be inaccurate
Component: Local Traffic Manager
Symptoms:
Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool.
Conditions:
Lasthop pool configured.
Impact:
Inaccurate node stats. Cannot use conn limit on last hop pool member.
Workaround:
None.
352957-3 : Route lookup after change in route table on established flow ignores pool members
Solution Article: K03005026
Component: Local Traffic Manager
Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.
Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.
Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.
Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.
351130-2 : iApp templates are visible with only vCMP provisioned.
Component: TMOS
Symptoms:
iApp templates are visible with only vCMP provisioned. Depending on the iApp template, other modules must also be provisioned, for example, LTM, GTM, and so on, must be provisioned for certain iApp. Although template authors can templates even with only vCMP provisioned, the application does not work without the required modules provisioned.
Conditions:
This occurs when vCMP is provisioned as Dedicated and an author makes changes in an iApp with the assumption that the functionality is available because the iApp is visible.
Impact:
iApps are visible that are inappropriate for the provisioning. The system posts an error message if the user attempts to create an app from that template.
Workaround:
Provision the modules needed for the iApp to work.
343561-2 : The Set-Cookie2 header should supersede the Set-Cookie header.
Component: Local Traffic Manager
Symptoms:
User agents that receive in the same response both a Set-Cookie and Set-Cookie2 response header for the same cookie must discard the Set-Cookie information and use only the Set-Cookie2 information.
The BIG-IP system, however, operates differently. When receiving such a response on the server-side, an iRule requesting the cookie by name (e.g., [HTTP::cookie my-cookie]) returns the incorrect value (the one specified in the Set-Cookie header).
Conditions:
- An HTTP response received by the BIG-IP system which specifies the same cookie name in both the Set-Cookie and Set-Cookie2 headers.
- An iRule requesting the value of a cookie by specifying a command similar to the following example: [HTTP::cookie my-cookie].
Impact:
The BIG-IP system is not compliant with section 9.1 of RFC2965. Applications expecting full compliance may suffer as a result.
Note, however, that RFC2965 has since been archived and deprecated by RFC6265.
RFC6265 deprecates the use of the Cookie2 and Set-Cookie2 header.
Workaround:
You can write a more complex iRule that parses individual HTTP headers and takes into account the possible presence of both the Set-Cookie and Set-Cookie2 headers.
343455-2 : HTTP state management (cookie) mechanism may detect wrong version
Component: Local Traffic Manager
Symptoms:
The http state management mechanism erroneously makes use of attribute case to determine the level of client/server support (i.e. RFC2109 vs RFC2965). As a result, various cookie handling routines (e.g. HTTP::cookie) may not work as expected.
Conditions:
HTTP::cookie does not function as expected.
Impact:
iRules may not function as expected.
337934-14 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly
Component: TMOS
Symptoms:
The remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. Also this could happen with an attribute that ends in 'deny' and has a deny directive.
Conditions:
remoterole attributes ending in 'role'. May also happen with attributes ending in 'deny'.
Impact:
Parsing truncates attributes.
Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role' or one that ends in 'deny" that has a deny directive.
251162-5 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
Component: Local Traffic Manager
Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.
For example:
tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)
Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.
Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.
Workaround:
None.
248424-10 : Content length doesn't get updated during replacement using stream profile
Component: Local Traffic Manager
Symptoms:
When using the stream filter to modify content dynamically, the client might observe either an unspecified Content-length, or the Content-length header may be incorrect on the low side.
Conditions:
When using stream filter and Response Chunking mode is 'rechunk', Content-length reflects the original, unmodified length. When Response Chunking is 'selective' the Content-length is not specified.
Impact:
Clients which depend on the Content-Length header may see missing or incorrect values.
Workaround:
None.
246726-3 : System continues to process virtual server traffic after disabling virtual address
Solution Article: K8940
Component: Local Traffic Manager
Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.
Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.
Impact:
Traffic is still processed.
Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940
225094-2 : When changing expired password, user is dictionary restricted even with password policy disabled
Component: TMOS
Symptoms:
If you are required to change your password because it has exceeded the Max Duration setting in Password Policy, then even if Password Policy is disabled and root you will be required to meet the minimum length requirements.
For more information on configuring secure password policy, see SOL5962: Configuring a secure password policy for the BIG-IP system (9.x - 10.x) at https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5962.html
This known issue contradicts the statement in SOL5962 that it does not apply to root; it does apply to root when the Maximum Duration limit is exceeded.
Conditions:
This occurs when the Max Duration setting in password policy has been exceeded.
Impact:
You will be required to meet the minimum length requirements even if the password policy has been disabled.
224903-4 : CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.
Solution Article: K71296207
Component: TMOS
Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.
Conditions:
CounterBasedGauge64 MIB values.
Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems.
Workaround:
None.
222409-3 : The HTTP::path iRule command may return more information than expected
Solution Article: K9952
Component: Local Traffic Manager
Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.
The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:
GET /dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the resource URI is /dir2/dir2/file.ext, and the protocol version is HTTP/1.1.
Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:
GET http://www.example.org:80/dir1/dir2/file.ext
In this example, the method token is GET, the resource URI is http://www.example.org/dir2/dir2/file.ext, and the protocol version is HTTP/1.1.
Impact:
The HTTP::path iRule command should return the following path value for both requests:
/dir1/dir2/file.ext
However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:
www.example.org:80/dir1/duir2/file.ext
Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.
Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.
Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:
when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}
222117-2 : CACHE::enable in HTTP_RESPONSE event does not force items into cache.
Component: Local Traffic Manager
Symptoms:
CACHE::enable should force items into the cache. Items are cached when invoked in HTTP_REQUEST event, but nothing is cached when invoked in HTTP_RESPONSE event.
Conditions:
iRule, such as one mentioned below is used. It is attached to a virtual-server along with an HTTP profile with Ramcache enabled.
rule cache_enable_RESPONSE {
when HTTP_RESPONSE {
CACHE::enable
}
}
Impact:
Items are not cached when CACHE::enable is invoked in HTTP_RESPONSE event.
222034-5 : HTTP::respond in LB_FAILED with large header/body might result in truncated response
Component: Local Traffic Manager
Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.
Conditions:
This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client.
Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.
Workaround:
To work around this issue modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/
